Following the dynamic development of the anti-LockBit campaign, which resulted in a significant setback for the notorious ransomware group on February 20, the community has been eagerly awaiting the reveal of the gang's leadership names. Instead, the UK National Crime Agency (NCA), which is now controlling the website used by LockBit for publishing stolen data, shared a rather mysterious message.
"LockBitSupp has claimed to live in the United States… he doesn’t. LockBitSupp has claimed to live in the Netherlands… he doesn’t. LockBitSupp has claimed to have a Lamborghini… he drives a Mercedes (though parts may be hard to source)," the law enforcement agency's post said on February 23.
At the end of the message, the team fighting against LockBit added a picture of "Tox Cat," a favorite emoji of LockBit’s administrative staff as per the malware researcher team Vx-underground.
"We know who he is. We know where he lives. We know how much he is worth," the message continued, adding "LockBitSupp has engaged with Law Enforcement."
This controversial post led to different theories in the X community. Some users speculate that LockBit’s leadership may live in Russia, making it difficult for Western governments to prosecute the criminals. Supporters of this view assume that only LockBit’s affiliates located outside Russia can be reached by law enforcement agencies.
Other X users believe that "being engaged with Law Enforcement" is the main reason why the names of LockBit administrative staff cannot be revealed now. Meanwhile, some X users doubt that law enforcement knows the identities of LockBit’s administrators in the first place.
"Great, any non-US non-Dutch citizen that drives a Mercedes is a target," X user Ismael Deus Marques voiced a popular opinion. Indeed, earlier LockBit's management group challenged law enforcement agencies, claiming that they would place a $20,000,000 bounty on their own heads if anyone could identify them. It is still unclear whether the leaders of the popular organization were just bluffing, or if there is any other reason why law enforcement is refraining from revealing the names of the criminals.
According to an article from the security news outlet KrebsOnSecurity, five individuals associated with LockBit are known to the public by name.
One of them, Artur Sungatov, is accused of actively using LockBit ransomware against companies operating in the United States. At the same time, Ivan Gennadievich Kondratyev aka Bassterlord allegedly deployed LockBit as well as the Sodinokibi ransomware against victims not only in the United States but also in Singapore, Taiwan, and Lebanon. Ruslan Magomedovich Astamirov was also charged with utilizing LockBit against targets in different countries.
Mikhail Matveev aka Wazawaka, remaining at large, as well as Mikhail Vasiliev, currently in custody in Canada awaiting extradition to the United States, are alleged LockBit affiliates.
On February 24, Vx-underground shared with its X followers an update on the LockBit website, which showed only the FBI logo and a countdown timer to the moment when certain materials would become available for download. The website did not specify what these files would contain and did not provide any information about LockBitSupp.
In the meantime, Vx-underground reported that LockBit had already managed to restore its servers and launch new Tor domains. As per Vx-underground, LockBit also released "a lengthy response to the FBI and bystanders." This message also included a long list of LockBit’s backup blog domains inaccessible to the FBI as the servers do not have PHP.
In its post on the ongoing situation, LockBit claims that others who used vulnerable versions of PHP may have also been compromised, including the competitors of the ransomware group.
The LockBit members speculate that their systems may have been compromised through CVE-2023-3824 or possibly a zero-day exploit, and attribute the breach not to insufficient skills on the part of the ransomware group but to their own "laziness" and complacency, which supposedly left a vulnerability in systems that had not been updated.
"I didn't pay much attention to it, because for five years of swimming in money, I became very lazy," the LockBit representative stated in the message, referring to the error revealed during penetration testing of one of the servers, which took place on February 19.
LockBit suggested that the aggressive action taken by the FBI happened due to a recent ransomware attack conducted by one of their affiliates that involved sensitive information on former President Donald J. Trump. They assume this attack may have prompted the FBI to act swiftly. LockBit believes that its affiliates should target government entities more frequently to expose the vulnerabilities and flaws of systems used by governments.
LockBit claims the group is now taking steps to enhance security, including updating PHP to the latest version and implementing manual trial decrypts to prevent future breaches. Meanwhile, the criminals downplay the significance of the FBI’s seizure of data, claiming that only a small portion of decryptors was obtained.
"Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment," LockBit promises, adding that "after introducing maximum protection on every build of locker, there will be no chance of free decryption even for 2.5% of attacked companies."
"New affiliates can work in my affiliate program if they have a reputation on the forums, can prove that they are pentesters with post-payment, or by making a deposit of two Bitcoins, the deposit increase is due to proof and beautiful advertising from the FBI, which is that my affiliates and I earn together hundreds of millions of dollars and that no FBI with their assistants can scare me and stop me, the stability of the service is guaranteed by years of continuous work," LockBit finished its message adding that it took four days to recover the infrastructure as the group had to address the incompatibility in the source code for the latest version of PHP.