The Federal Bureau of Investigation (FBI) advises LockBit ransomware attack victims to contact the Internet Crime Complaint Center (IC3). The FBI has secured over 7,000 decryption keys that past victims can use to retrieve their data files at no cost.
At the 2024 Boston Conference on Cyber Security, FBI Cyber Assistant Director Bryan Vorndran confirmed that the FBI holds a substantial number of decryption keys as a result of its continuing efforts to disrupt LockBit ransomware activities. The FBI took part in a worldwide law enforcement campaign called Operation Cronos. Led by the UK National Crime Agency, Operation Cronos seized 34 servers and retrieved over 2,500 decryption keys. The FBI created a free decryptor to help victims recover their files at no cost. As its operations continue, more decryption keys will be obtained.
The FBI has additionally confirmed that a Russian coder called Dimitri Khoroshev, otherwise known as LockBitsupp, set up the LockBit ransomware-as-a-service (RaaS) operation. Dimitri Khoroshev is now indicted and sanctioned together with six co-conspirators. They are charged with extortion, fraud, and other crimes. However, Khoroshev is unlikely to face justice since he is in Russia where no extradition treaty is enforced, and Khoroshev will probably not leave the country.
Khoroshev operated the ransomware-as-a-service operation and partnered with many affiliates and criminal groups to perform attacks. LockBit keeps 20% of the ransom payments from the affiliates' operations while the affiliates retain 80%. Besides handling the operation, Khoroshev helps affiliates set optimal ransom demands, launders cryptocurrency, and provides the system used to manage the attacks, which includes storage and hosting of the stolen information.
LockBit has been a high-profile ransomware group that has also targeted organizations covered by HIPAA since 2022. The group is believed to have collected over $1 billion in ransom income and to have carried out over 7,000 attacks from June 2022 to February 2024. The FBI also confirmed that the group keeps the stolen data even after the victims have paid; after payment, the group only removes the data from its leak site. Operation Cronos appeared to be successful, although the shutdown of LockBit operations was temporary. Khoroshev rebuilt the group's infrastructure and kept the group active.
According to Vorndran, Khoroshev turned against his rivals and gave the FBI the names of other ransomware group operators so that the FBI would stop going after him. Nevertheless, Vorndran said that the FBI would not go easy on him.


