The US State Department has announced cash rewards of up to $15 million for information that could lead to the identification of key leaders within the LockBit ransomware group and the arrest of anyone who participated in the operation.
“Since January 2020, LockBit perpetrators have executed more than 2,000 attacks against victims in the United States and around the world, resulting in costly disruptions to operations and the destruction or exfiltration of sensitive information,” the State Department said.
“More than $144 million in ransoms have been paid to recover from the LockBit ransomware events.”
The development comes as a large law enforcement operation led by the UK’s National Crime Agency (NCA) dismantled LockBit, a Russia-linked ransomware gang active for more than four years that has wreaked havoc on corporate entities and critical infrastructure worldwide.
Ransomware-as-a-service (RaaS) operations like LockBit extort companies by stealing their sensitive data and encrypting it, a profitable business model for Russian cybercrime groups that act with impunity because they sit outside the jurisdiction of Western law enforcement.
Lead developers tend to tap into a network of recruited affiliates to carry out attacks using LockBit’s malicious software and infrastructure. Affiliates are known to, in turn, purchase access to targets of interest using Initial Access Brokers (IABs).
“LockBit has become the most prolific ransomware group since Conti left the scene in mid-2022,” said Chester Wisniewski, global CTO at Sophos.
“The frequency of their attacks, combined with no limits on the type of infrastructure to cripple, has also made them the most destructive in recent years. Anything that disrupts their operations and sows distrust among their affiliates and vendors is a huge victory for law enforcement.”
LockBit is also notable for being the first ransomware group to announce a bug bounty program, in 2022, offering rewards of up to $1 million for finding security issues in its website and locker software.
“LockBit’s business grew in scale by constantly delivering new product features, providing good customer support, and at times marketing stunts that included paying people to get tattoos of the group’s logo,” Intel 471 said.
“LockBit flipped the script, letting its affiliates collect the ransom and trusting them to pay a portion of it. This made affiliates confident that they would not miss a payment, thus attracting more affiliates.”
SecureWorks Counter Threat Unit (CTU), which tracks the group under the name Gold Mystic, said it investigated 22 intrusions involving LockBit ransomware between July 2020 and January 2024, some of which relied solely on data theft to extort victims.
The cybersecurity firm also pointed out that LockBit’s practice of ceding control to its affiliates to handle negotiation and ransom payments has allowed the syndicate to expand and attract several affiliates over the years.
The takedown of LockBit follows a months-long investigation that began in April 2022 and led to the arrest of three affiliates in Poland and Ukraine, the indictment in the United States of two other alleged members, and the seizure of 34 servers and 1,000 decryption keys that can help victims recover their data without making any payment.
These arrests include a 38-year-old man in Warsaw and a “father and son” pair from Ukraine. LockBit is estimated to have employed approximately 194 affiliates between January 31, 2022 and February 5, 2024, using a bespoke data exfiltration tool known as StealBit.
“StealBit is an example of LockBit’s attempt to offer a comprehensive ‘one stop shop’ service to its affiliates,” the NCA said, adding that the executable is used to export data through the affiliate’s infrastructure prior to that of StealBit, in a likely attempt to evade detection.
That said, the fluid structure of these RaaS brands means that their closure may not have a decisive impact on the criminal enterprise, which can reorganize and reemerge under a different name. If the recent history of similar takedowns is any indication, it won’t be long before they rebrand and continue where they left off.
“Complete degradation of LockBit’s infrastructure will likely result in a brief cessation of business by LockBit operators before they resume operations, either under the LockBit name or under an alternative banner,” ZeroFox said.
“Even if we don’t always achieve a complete victory, as happened with QakBot, imposing disruption, stoking fear of exposure, and increasing difficulty in running their crime syndicate is still a victory,” Wisniewski added. “We must continue to band together to drive the costs higher and higher until we can put them all where they belong: in prison.”