On February 20, the cybersecurity community, along with numerous victims of ransomware attacks who lost their data due to encryption by LockBit, celebrated a significant victory. According to Graeme Biggar, Director General of the UK National Crime Agency (NCA), LockBit, the notorious ransomware gang that has been menacing individuals and organizations since 2019, was "locked out," while the Agency "has damaged the capability and, most notably, the credibility of a group that relied on secrecy and anonymity."
"The NCA has gained control of LockBit’s primary administration environment, which enabled affiliates to develop and execute attacks, as well as the group’s public-facing leak site on the dark web, where they previously hosted and threatened to publish data stolen from victims," the official website of the NCA stated.
The Agency also acquired the source code of the LockBit platform, along with a trove of intelligence gleaned from the group's systems that details its operations and partnerships. Members of the Operation Cronos taskforce seized the group's infrastructure in three countries, taking down twenty-eight servers belonging to LockBit affiliates.
Moreover, more than two hundred cryptocurrency accounts linked to LockBit members were frozen, and the Agency obtained over 1,000 decryption keys, allowing ransomware victims to retrieve their lost data.
In response to these events, the Web3 security team SlowMist investigated LockBit's current state and found open questions surrounding the arrests of individuals associated with the group.
According to the NCA, two actors linked to LockBit were arrested in Poland and Ukraine on February 20. Additionally, the US Department of Justice announced charges against two defendants responsible for carrying out ransomware attacks using LockBit, who are in custody and will face trial in the US. The US law enforcement agency also unsealed indictments against two other individuals, Russian nationals, for conspiring to commit LockBit attacks.
Following the announcement, LockBit's management confirmed to the press that their websites had been taken over by law enforcement agencies. However, SlowMist suspects that the core LockBit members were not affected. This assumption is based on a post published by LockBit's representatives on the decentralized messaging platform Tox: "The FBI f*cked up servers using PHP, backup servers without PHP are not touched," the message stated.
Furthermore, despite law enforcement's stated plan to unveil the identities of LockBit's leadership, LockBit appears unconcerned. "Let them reveal it; I'm sure they don't know who I am," the group's representative claimed. Meanwhile, the group's public persona adopted a new display name, "FBI Supp," in a derisive jab at law enforcement agencies.
At press time, the identities of LockBit's leadership had still not been disclosed.
"We stayed up until 2 am for the FBI / NCA UK / EUROPOL "Who is LockbitSupp?" reveal. They extended the deadline," Vx-underground, an X account that shares malware research, posted on the platform today.
Vx-underground also shared with the X community a summary of its discussion with LockBit’s administrators, focusing on the recent arrests of their affiliates.
The ransomware group's administrative staff claimed that the recent arrests involved "wrong" and "innocent" individuals. They further criticized the law enforcement agencies, stating that "the FBI, NCA UK, EUROPOL are not skilled pentesters, and their success was only due to their administrations' laziness."
Of particular interest were LockBit’s management group's claims regarding the law enforcement agencies’ lack of knowledge about the identities of the individuals behind LockBit.
"They state they will place a $20,000,000 bounty on their own head if anyone can dox them," Vx-underground wrote in its post.
Meanwhile, SlowMist confirmed that at least twenty-two Tor websites linked to LockBit had been dismantled or seized by law enforcement agencies. At press time, some of the ransomware websites associated with LockBit displayed information about the seizure, while others were offline.
Law enforcement agencies left a message for criminals visiting LockBit’s websites, stating, "Law Enforcement has taken control of LockBit’s platform and obtained all the information held there. This information relates to the LockBit group and you, their affiliate. You can thank LockBitSupp and their flawed infrastructure for this situation… We may be in touch with you very soon."
Frozen cryptocurrency addresses
The Bitcoin and Ethereum addresses linked to individuals associated with LockBit were disclosed by the US Treasury. SlowMist took a closer look at these addresses.
Upon detailed examination of the sanctioned Bitcoin addresses, the on-chain security firm has determined that the earliest recorded transaction associated with these addresses occurred in October 2019, while the most recent transaction can be traced back to March 2023.
One of the addresses, attributed to Artur Sungatov, a LockBit affiliate, reportedly received the largest amount of money, totaling 91.462 BTC.
"Additionally, the address 32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM received 52.7892 BTC and is associated with LockBit's Ivan Kondratyev," SlowMist reports, adding that MistTrack labels the address as a KuCoin deposit address.
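A practitioner handling the published addresses will want to do two things before acting on them: confirm that each string is a well-formed address (a single mistyped character in a sanctions list or a ransom note produces a different, usually invalid, string) and screen it against a watchlist. The following is an added example, not code from the article, SlowMist or MistTrack. It decodes legacy Base58Check addresses (P2PKH starting with "1", P2SH starting with "3"), verifies the double-SHA-256 checksum, and then looks the address up in a small watchlist constructed for the example; the single watchlist entry reuses the address the article quotes, and its label is illustrative, not a live sanctions feed. Bech32 addresses ("bc1...") use a different encoding and are deliberately rejected here.

```python
"""Base58Check validation and watchlist screening for Bitcoin addresses.

Added example for illustration; not the article's or SlowMist's code.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed watchlist for this example. The address is the one the article
# quotes from SlowMist's report; the label is illustrative, not a sanctions feed.
WATCHLIST = {
    "32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM": "LockBit / Ivan Kondratyev (as quoted in the article)",
}


def b58check_decode(address: str) -> tuple[int, bytes]:
    """Decode a Base58Check string into (version_byte, payload).

    Raises ValueError on a character outside the alphabet or on a checksum
    mismatch, so a typo'd or tampered address is caught before any lookup.
    """
    n = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    # Each leading '1' stands for a leading 0x00 byte that the integer
    # conversion above discards; restore them.
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        raise ValueError("decoded data too short")
    body, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return body[0], body[1:]


def classify(address: str) -> str:
    """Return 'p2pkh' or 'p2sh' for a valid legacy mainnet address."""
    version, payload = b58check_decode(address)
    if len(payload) != 20:
        raise ValueError("unexpected payload length (not a HASH160)")
    kinds = {0x00: "p2pkh", 0x05: "p2sh"}
    if version not in kinds:
        raise ValueError(f"unsupported version byte {version:#04x}")
    return kinds[version]


def screen(address: str, watchlist: dict = WATCHLIST) -> dict:
    """Validate an address, then check it against the watchlist.

    Invalid strings never produce a hit: a watchlist entry that does not
    decode is itself a data-quality problem worth flagging separately.
    """
    result = {"address": address, "valid": False, "type": None, "hit": None}
    try:
        result["type"] = classify(address)
        result["valid"] = True
    except ValueError as exc:
        result["error"] = str(exc)
        return result
    result["hit"] = watchlist.get(address)
    return result


if __name__ == "__main__":
    for addr in list(WATCHLIST) + ["1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"]:
        print(screen(addr))
```

Exact-string matching is only the first step: attribution work such as MistTrack's "KuCoin deposit" label comes from clustering on-chain activity, which needs transaction data this offline check does not touch. Note also that Base58 is case-sensitive, so normalising addresses to lower case before a lookup will silently miss every legacy address.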
How powerful is LockBit?
There is much speculation about the true criminal and technical potential of LockBit.
"Before May 2022, LockBit was unrivaled, breaching the defenses of over 850 businesses and institutions worldwide, accounting for 46% of all ransomware-related attacks during the same period," SlowMist stated in its report, adding that "In just three years, the number of victims of the LockBit ransomware gang has surpassed a thousand, double that of the veteran ransomware organization Conti, and more than five times that of REvil."
Irish-headquartered IT consulting firm Accenture, US cybersecurity firm Entrust, French telecom operator La Poste Mobile, Banco do Brasil, the California Department of Finance, the UK Royal Mail, the Canadian Montreal Power Services Commission, and aerospace giant Boeing are among the victims of LockBit attacks.
SlowMist also highlighted the unusually high ransom demands in LockBit attacks, which exceeded those of other ransomware gangs. "In 2022, out of the $100 million in ransom demands it issued, the success rate of its extortion exceeded half, leaving countless businesses in fear," SlowMist emphasized.
The popularity of LockBit ransomware has attracted significant attention from law enforcement agencies globally, subjecting the criminal group to intense scrutiny.
In a series of legal actions spanning months, individuals associated with the group have been targeted by the U.S. Department of Justice. Mikhail Vasiliev, holding both Russian and Canadian citizenship, faces charges related to LockBit's activities and awaits extradition from Canada to the United States.
SlowMist also reports that another Russian national, Mikhail Pavlovich Matveev, known by various aliases, has been indicted for his role in multiple ransomware attacks on law enforcement agencies and healthcare organizations across the United States. The most notorious cases include attacks on a law enforcement agency in New Jersey, the Metropolitan Police Department of Washington D.C., and a behavioral healthcare organization in New Jersey.
Meanwhile, reports circulated of a decline in the effectiveness of LockBit's operations.
In 2023, Jon DiMaggio, chief security strategist at Analyst1, told Recorded Future News that "Affiliates are leaving LockBit's program for its competitors," adding that "They know that LockBit is unable to publish large amounts of victim data, despite its claims."
According to DiMaggio, this was the result of LockBit's limited bandwidth resources and operational framework. DiMaggio believed that LockBit's true capabilities were not as impressive in 2023, and often the syndicate leveraged its reputation as a criminal leader to coerce victims into paying ransoms.
Vx-underground sought the opinion of LockBit's long-time competitor, ALPHV, on the recent events. According to Vx-underground, ALPHV "offered words of encouragement for their competitor. They said and I quote: 'Lockbit is a pussy.'"
In the course of the operation against LockBit, law enforcement agencies identified at least 193 affiliates of the criminal organization.
Scammers impersonate LockBit
Interestingly, the chaos surrounding LockBit created new opportunities for scammers to profit. According to a post shared by Vx-underground, one such actor is now impersonating LockBit on Telegram, attempting to steal $150 from its victims.
"Due to requests to join from around the world, we have announced these rules based on which acceptance will be made," an announcement says, listing numerous requirements, including background information on LockBit’s work and "the complete horoscope of the agent who gives you orders."
People with a criminal background, particularly those arrested for hacking, are preferred. However, the most important requirement is paying a $150 fee "to ensure you are a serious person." The scammer promises that it will be refunded within a month.