The Federal Bureau of Investigation (FBI) announced it has over 7,000 LockBit decryption keys, which the agency recovered in its ongoing disruption of LockBit, an international operation known as “Operation Cronos.”
Speaking during a keynote at the 2024 Boston Conference on Cyber Security on Wednesday, Bryan Vorndran, FBI Cyber Division Assistant Director, said that victims of LockBit ransomware attacks can use the decryption keys to recover their encrypted data for free. The federal agency is urging potential victims to contact the Bureau’s Internet Crime Complaint Center (IC3).
“From our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” the FBI Cyber Lead said in a keynote.
“We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.”
The impact of LockBit’s criminality was unknown prior to Operation Chronos, which first came to light in February 2024. Data recovered during the operation between June 2022 and February 2024 revealed that over 7,000 attacks have been carried out using LockBit’s services.
Operation Chronos, which was carried out by an international task force of law-enforcement agencies across 10 countries, including the UK’s National Crime Agency (NCA) and the FBI, seized the group’s dark web leak site.
Normally, LockBit’s main site threatens to publish stolen data following its takeover, the law enforcement decided to carry out daily posts exposing LockBit’s capability and operations while releasing decryption keys to help the victims of previous cyberattacks.
The key outcomes of the operation were the seizure of LockBit’s data leak sites, 34 servers operated by LockBit, and Stealbit – LockBit’s data exfiltration tool that was used to steal data. Further, it led to the closure of 14,000 “rogue accounts” involved in the group’s infrastructure or with data exfiltration, the freezing of 200 cryptocurrency accounts, and the finding of 1,000 decryption keys to help recover victim’s data.
“This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” the sites now say.
“We can confirm that LockBit’s services have been disrupted as a result of international law enforcement action – this is an ongoing and developing operation.”
Despite this, the notorious LockBit ransomware gang re-emerged in April 2024, claiming responsibility for the cyberattack against Canadian pharmacy chain London Drugs, as well as Oracle CMS, an Australian call center operator.
Since its inception in 2019, the LockBit ransomware variant has been used in over 1,800 cyberattacks in the U.S. and more than 2,400 around the world, causing billions of dollars in damages.
In its keynote, Vorndran blamed the growth of Lockbit on its creator, Dimitri Khoroshev.
“LockBit was set up by a Russian coder named Dmitry Khoroshev. He maintains the image of a shadowy hacker, using online aliases like ‘Putinkrab,’ ‘Nerowolfe,’ and ‘LockBitsupp.’ But, really, he is a criminal, more caught up in the bureaucracy of managing his company than in any covert activities,” he said.
According to Vorndran, Khoroshev started turning in his competitors in the hopes that the FBI could go easy on him.
“Khoroshev then tried to get us to go easy on him by turning on his competitors, naming other ransomware-as-a-service operators. So, it really is like dealing with organised crime gangs, where the boss rolls over and asks for leniency. We will not go easy on him,” added Vorndran.
The U.S. State Department is offering a $10 Million reward to anyone who can provide information that will lead to Khoroshev’s arrest and/ or conviction, plus an additional $5 million reward for tips that can lead to the arrest of LockBit ransomware affiliates.
