FBI finds 7,000 LockBit decryption keys in blow to criminal gang

The United States’ Federal Bureau of Investigation (FBI) has revealed it is in possession of thousands of LockBit ransomware decryption keys, and wants victims of the prolific cyber criminal gang – laid low in February 2024 in a UK-led sting – to make themselves known if they want help.

Speaking on Wednesday 5 June at a cyber security conference in Boston, Massachusetts, FBI Cyber Division assistant director Bryan Vorndran said the agency was keen to put its trove of keys to good use, and called on American victims to contact the FBI. Victims elsewhere should contact their own national cyber authorities, including the National Cyber Security Centre (NCSC) in the UK.

“We now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” said Vorndran. “We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.”

Developed by a Russian national named Dimitri Khoroshev, who went by online handles including LockBitsupp, Nerowolfe and Putinkrab, LockBit was deployed by various ransomeware-as-a-service (RaaS) actors in more than 2,400 cyber attacks over the years, extorting billions of dollars from victims.

Since the operation was infiltrated and disrupted in February, the authorities have been turning Kohoroshev and his minions’ tactics against them, naming and shaming them, and even trolling them online.

“[Khoroshev] maintains the image of a shadowy hacker…But really he is a criminal, more caught up in the bureaucracy of managing his company than in any covert activities,” taunted Vorndran.

“Khoroshev…tried to get us to go easy on him by turning on his competitors, naming other ransomware-as-a-service operators. So, it really is like dealing with organised crime gangs, where the boss rolls over and asks for leniency. We will not go easy on him.”

Raj Samani, senior vice-president and chief scientist at Rapid7, commented: “The discovery and release of over 7,000 LockBit decryption keys is another kick in the teeth for the ransomware group and a great win for law enforcement. The likes of LockBit survive and thrive on victims paying ransom demands, therefore, it’s great to see the US government be proactive and prevent this by releasing the decryption keys for free.

“Ever since law enforcement took down LockBit’s infrastructure in February 2024, they’ve engaged in PR and damage control to show strength and maintain the confidence of affiliates. However, such announcements by the FBI damages this confidence, and hopefully we’ll soon see the end of the LockBit ransomware group,” he added.

Khoroshev’s criminal dealings exposed

Khoroshev, who once teased his pursuers by offering a $10m reward to anybody who could successfully doxx him and reveal his true identity, was first officially named as the mastermind behind LockBit, and his persona exposed, in May.

At the same time, US authorities announced he was being sanctioned and subjected to a series of asset freezes and travel bans, and charged with 26 offences relating to fraud, damage to protected computers and extortion.

The Americans are offering a multimillion-dollar reward for information that results in his arrest and extradition.

While some core members of the LockBit crew are in custody, unfortunately, due to the breakdown in relations with Russia – where the Putin regime ‘allows’ cyber criminals such as Khoroshev to operate with impunity – it is unlikely he will be convicted any time soon unless he leaves Russia.

LockBit attacks continue

Although the law enforcement operation against LockBit is widely regarded as a success and has had a visible impact on the ransomware ecosystem, the disruption caused does not mean that the threat of LockBit attacks has receded. Indeed, at-large affiliates of the operation continue to conduct sporadic and occasionally high-profile cyber attacks.

Some of the victims to have been hit since the February takedown include the Simone Veil Hospital in Cannes, France, the University of Siena in Italy, and Canadian pharmacy chain London Drugs.

At the end of April, threat hunters at Proofpoint found evidence that the LockBit 3.0 locker was being widely distributed as a malicious attachment to phishing emails orchestrated through the Phorpiex botnet.

These emails, which originated from a persona named ‘Jenny Green’, targeted organisations in multiple industries and appeared to be largely opportunistic in their targeting.

The Proofpoint team said that the attack chain was not especially complex in comparison to what it more usually observes, but the high volume nature of the phishing emails, and the use of ransomware as the first-stage payload, was somewhat unusual – suggesting that the campaign was likely a result of the leak of LockBit’s builder in 2022.