Authorities say LockBit administrator “LockBitSupp” has cooperated with law enforcement


LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, “has engaged with law enforcement,” authorities said.

The development comes following the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 unauthorized accounts on third-party services such as Mega, Protonmail and Tutanota used by criminals have been shut down.

“We know who he is. We know where he lives. We know what he’s worth. LockbitSupp has engaged with law enforcement,” according to a message posted on the now seized (and offline) dark web data leak site.

The move was interpreted by long-term observers of LockBit as an attempt to create suspicion and sow distrust among affiliates, ultimately undermining trust in the group within the cybercrime ecosystem.

According to research published by Analyst1 in August 2023, there is evidence to suggest that at least three different people operated the “LockBit” and “LockBitSupp” accounts, one of which is the gang leader himself.


However, speaking to the malware research group VX-Underground, LockBit said “They didn’t believe law enforcement knew his identity.” The group also raised the bounty it offers to anyone who can send it their real names to $20 million. It is worth noting that the reward had already been raised from $1 million to $10 million late last month.

LockBit – also tracked as Gold Mystic and Water Selkie – has gone through several iterations since its inception in September 2019, namely LockBit Red, LockBit Black and LockBit Green, with the cybercrime syndicate also quietly developing a new version called LockBit-NG-Dev before its infrastructure was dismantled.

“LockBit-NG-Dev is now written in .NET and compiled using CoreRT,” Trend Micro said. “When deployed alongside the .NET environment, this allows the code to be more platform independent. It removed self-propagation capabilities and the ability to print ransom notes via user printers.”


One of the notable additions is a validity period: the malware only runs if the current date falls within a specific date range, suggesting an attempt by the developers to prevent reuse of the payload and to resist automated analysis.

Work on the next-generation variant is said to have been spurred by a series of logistical, technical and reputational problems, chiefly the leak of the ransomware builder by a disgruntled developer in September 2022, as well as doubts that one of its administrators may have been replaced by government agents.

It also didn’t help that LockBit-managed accounts were banned from Exploit and XSS in late January 2024 for failing to pay an initial access broker who provided them with access.

“The plaintiff presented himself as someone who was ‘too big to fail’ and even showed contempt towards the arbitrator who would make the decision on the outcome of the complaint,” Trend Micro said. “This speech demonstrated that LockBitSupp likely uses its reputation to gain more leverage in negotiating payment for access or sharing the ransom payment with affiliates.”

PRODAFT, in its own analysis of the LockBit operation, said it had identified over 28 affiliates, some of whom share ties with other Russian e-crime groups such as Evil Corp, FIN7 and Wizard Spider (aka TrickBot).

These connections are also highlighted by the fact that the gang operated as a “nesting doll” with three distinct tiers, giving the outward appearance of an established RaaS scheme comprising dozens of affiliates while covertly borrowing highly skilled pen testers from other ransomware groups by forging personal alliances.


The smokescreen materialized in the form of what’s called the Ghost Group pattern, according to RedSense researchers Yelisey Bohuslavskiy and Marley Smith, with LockBitSupp serving “as a mere distraction to actual operations.”

“A Ghost Group is a group that has very high capabilities but transfers them to another brand allowing the other group to outsource operations,” they said. “The clearest version of this is Zeon, who outsourced their skills to LockBit and Akira.”


The group is estimated to have made more than $120 million in illicit profits over the course of its multi-year activity, emerging as the most active ransomware actor in history.

“Given that confirmed LockBit attacks over their four years of operation amount to well over 2,000, this suggests their impact globally is in the order of several billion dollars,” said the U.K. National Crime Agency (NCA).

Needless to say, Operation Cronos has likely caused irreparable damage to the criminal group’s ability to continue its ransomware activities, at least under its current brand.

“Rebuilding the infrastructure is very unlikely; LockBit’s leadership is technically incapable,” RedSense said. “The people they delegated infrastructure development to have long since abandoned LockBit, as seen in the primitivism of their infrastructure.”

“[Initial access brokers], who were the main source of LockBit’s business, will not trust their access to a group after a takedown, as they want their access to be turned into money.”
