
LockBit Ransom Gang Goes Down, MSSPs, Cyber Pros Urge Caution


The notorious LockBit ransomware group had a bad day Tuesday, as the U.S. government, its allies and cybersecurity providers hailed the disruption of one of the world’s most pervasive cybercrime organizations.

The U.S. Justice Department announced that the U.K. National Crime Agency’s (NCA) Cyber Division, working in cooperation with the Federal Bureau of Investigation (FBI) and other international law enforcement partners, seized numerous public-facing websites and servers used by LockBit administrators. The effort dealt a major blow to LockBit threat actors’ ability to attack and encrypt networks and extort victims by threatening to publish stolen data.

Commenting on the operation, U.S. Attorney General Merrick B. Garland said, “For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation.”

Encryption Keys Seized

Garland announced that federal authorities have obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data. He said the decryption capabilities may help hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant.

LockBit victims are encouraged to contact the FBI at https://lockbitvictims.ic3.gov/ to enable law enforcement to determine whether affected systems can be successfully decrypted.

Commenting on the cooperation among the U.S. and international law enforcement, FBI Director Christopher A. Wray said, “Through years of innovative investigative work, the FBI and our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure and other public and private organizations around the world. This operation demonstrates both our capability and commitment to defend our nation's cybersecurity and national security from any malicious actor who seeks to impact our way of life.”

Cybersecurity Providers Urge Caution

Chester Wisniewski, field chief technology officer at Sophos, an MSSP Alert MDR Top 40 company that has issued more than 30 pieces of threat intelligence on LockBit’s tactics, hailed the announcement as a “huge win for law enforcement.” His assessment came with guarded optimism.

“We shouldn't celebrate too soon, though,” Wisniewski said. “Much of their infrastructure is still online, which likely means it is outside the grasp of the police and the criminals have not been reported to have been apprehended. Even if we don't always get a complete victory, like has happened with Qakbot, imposing disruption, fueling their fear of getting caught and increasing the friction of operating their criminal syndicate is still a win. We must continue to band together to raise their costs ever higher until we can put all of them where they belong — in jail.”

Daniel Hofmann, CEO of Hornetsecurity, a cybersecurity company that partners with a number of MSSPs and MSPs, urged cybersecurity best practices, namely the latest tools and awareness training, to defend against new threats that he believes are sure to come.

“These global efforts are a win to curbing cyber hacks, as the organization (LockBit) has ramped up high-profile attacks in the past year, but new and growing threats continue to loom,” Hofmann said. “The rise of generative AI allows for easier, faster and personalized cyber hacks, leaving businesses and companies of all sizes in all industries at risk.”

LockBit Strikes Georgia County Government

About a week ago, LockBit struck the government IT network of Fulton County, Georgia, threatening to publish confidential documents if ransom was not paid.

Commenting on the cyberattack, Sean Deuby, principal technologist at Semperis, an Active Directory (AD) cybersecurity specialist, said it appears that “LockBit’s extortion tactics aren’t working” because county officials will look to restore their network using insurance money, making it highly unlikely LockBit will get paid.

“What only county officials and LockBit know today is that type of sensitive data is being ransomed at this point,” Deuby said. “The bottom line is that municipalities can’t pay their way out of ransomware. Unless an organization is in a life and death situation, it simply doesn’t pay to pay a ransom because you are only emboldening the hackers. However, there is still hope that defenders can get the upper hand on threat actors, reduce business risk and leave the bad guys scrambling to find new victims.”

Deuby believes it is essential for organizations to know that they will all likely be targeted by ransomware gangs at some point in the next 6-12 months.

“It is a harsh reality today for all organizations and government agencies,” he said.

LockBit’s “Record Number of Attacks”

The LockBit ransomware variant first appeared around January 2020 and had grown into one of the most active and destructive variants in the world, the Justice Department said. Moreover, LockBit members have executed attacks against more than 2,000 victims in the U.S. and around the world, making at least hundreds of millions of U.S. dollars in ransom demands and receiving over $120 million in ransom payments. 

Cybersecurity provider ZeroFox recently produced insights on LockBit. In its 2023 year-end flash report on the group, ZeroFox found:  

  • LockBit conducted at least 233 attacks during the fourth quarter (Q4) of 2023, more than in any other quarter, despite their activity accounting for a significantly reduced proportion of the wider threat landscape’s activity.
  • It is almost certain that LockBit is benefiting from the December disruption of other R&DE collectives — particularly through procuring affiliates from ALPHV and NoEscape. 
  • A greater proportion of LockBit’s attacks were leveraged against the manufacturing and retail industries in Q4, both of which are above the threat landscape average.

LockBit Threat Actors Indicted

The Justice Department has unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as “Bassterlord,” with deploying LockBit against numerous victims throughout the United States. The victims include businesses in the manufacturing and the semiconductor industries, the Justice Department said. Additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California. 

According to the indictment, from at least as early as January 2021, Sungatov allegedly deployed LockBit ransomware against victim corporations and took steps to fund additional LockBit attacks against other victims, the Justice Department said. Sungatov allegedly deployed LockBit ransomware against manufacturing, logistics, insurance and other companies located in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida and New Mexico.

Both Sungatov and Kondratyev allegedly joined in the global LockBit conspiracy, also alleged to have included Russian nationals Mikhail Pavlovich Matveev and Mikhail Vasiliev, as well as other LockBit members, to develop and deploy LockBit ransomware and to extort payments from victim corporations, the Justice Department said.

A total of five LockBit members have now been charged for their participation in the LockBit conspiracy. In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Matveev with using different ransomware variants, including LockBit, to attack numerous victims throughout the U.S., including the Washington, D.C. Metropolitan Police Department.

Up to $10 Million Reward Offered

The U.S. Department of State’s Transnational Organized Crime Rewards Program has issued a reward of up to $10 million for information leading to Matveev’s capture. Information is accepted through the FBI tip website at https://tips.fbi.gov

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.