FBI obtains 7,000 LockBit decryption keys
Offers victims hope of free data decryption
The FBI has obtained over 7,000 decryption keys for the LockBit ransomware, potentially allowing victims to unlock their data for free.
The news follows a February 2024 sting operation dubbed "Operation Cronos," which significantly disrupted LockBit's operations.
"We now have over 7,000 decryption keys and can help victims reclaim their data and get back online," Bryan Vorndran, FBI Cyber Division assistant director, said on Wednesday.
He was speaking at the 2024 Boston Conference on Cyber Security.
Vorndran urged American victims to reach out to the FBI's Internet Crime Complaint Center (IC3) to begin the process of regaining access to their files. Those in other countries should contact their national cyber authorities.
However, he warned that regaining access to encrypted data doesn't guarantee complete security.
LockBit, like many ransomware groups, employs a double-extortion or "breachstortion" model, meaning they demand not only a ransom for the decryption key but also a separate payment to prevent the stolen data from being leaked online or sold to third parties.
Recovering data with the FBI's keys wouldn't necessarily prevent LockBit from carrying out these threats.
LockBit is a particularly troublesome ransomware group, operating a "ransomware-as-a-service" model that allows less technical attackers to purchase tools for their own cyberattacks. As a result, the LockBit ransomware itself is very widely used: the Cybersecurity and Infrastructure Security Agency (CISA) says it was the most deployed ransomware variant globally in 2022.
LockBit has targeted a range of critical infrastructure sectors since 2020, including finance, healthcare and transportation.
Law enforcement fights back
As part of February's operation, law enforcement hijacked LockBit's dark web marketplace and used it to leak internal LockBit information.
While LockBit has attempted to rebuild its infrastructure since then, its capacity has significantly diminished.
Last month, a joint operation by law enforcement agencies in the UK, USA and Australia unmasked and sanctioned the leader of the LockBit ransomware gang.
Dmitry Khoroshev, who previously operated under the online alias LockBitSupp, faces asset freezes and travel bans after authorities exposed his role leading the ransomware group.
Khoroshev was so confident in his anonymity that he had offered a $10 million reward to anyone who could identify him. A wanted poster displayed on LockBit's hijacked site now offers a $10 million reward for information leading to Khoroshev's arrest.
Vorndran said Khoroshev tries to project an image of a mysterious hacker online, using usernames like "Putinkrab," "Nerowolfe" and "LockBitsupp."
"But, really, he is a criminal, more caught up in the bureaucracy of managing his company than in any covert activities. In exchange for the use of his software, he gets a 20% cut of whatever ransoms they collect from innocent people and companies around the world."
During his speech, Vorndran stressed that the vast majority of criminals developing advanced ransomware hail from Russian-speaking nations and operate with the structure and tactics of established organised crime syndicates.
"They're entrepreneurial and have successfully lowered barriers to entry through ransomware-as-a-service."
Preventing ransomware attacks should be the primary goal for all organisations, Vorndran said, adding that "prevention efforts should be commensurate with acceptable downtime."
"If acceptable downtime is one day, increasing prevention effort should be a high priority. Without effective steps taken in advance of the breach, an organisation can find themselves wholly reliant on the honesty and integrity of bad actors to give them their data back."