The person or people behind the LockBitSupp persona, the public face of the LockBit ransomware service on cybercrime forums such as XSS and Exploit, "has engaged with law enforcement," according to officials. The development follows the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international effort codenamed Operation Cronos. Over 14,000 rogue accounts the operators held on third-party platforms such as Mega, Protonmail, and Tutanota have also been shut down.
A note on the now-seized (and inactive) dark web data leak site stated that LockBitSupp had cooperated with law enforcement: "We are aware of his identity. Where he resides is known. We are aware of his value."
Longtime observers of LockBit have read the move as a deliberate tactic to sow doubt and mistrust among affiliates, with the aim of eroding confidence in the group across the cybercrime ecosystem.
The “LockBit” and “LockBitSupp” accounts appear to have been managed by at least three distinct individuals, one of whom is the gang’s boss, according to research published by Analyst1 in August 2023.
In a statement shared with the malware research group VX-Underground, LockBit said "they did not believe law enforcement knows his/her/their identities." The group also raised to $20 million the bounty it offers to anyone who can email them their real name. The reward had already been increased from $1 million to $10 million late last month.
Since its launch in September 2019, LockBit (also tracked as Gold Mystic and Water Selkie) has gone through multiple iterations, including LockBit Red, LockBit Black, and LockBit Green. Before its infrastructure was taken down, the syndicate had also been quietly developing a new version of the software known as LockBit-NG-Dev.
According to Trend Micro, "LockBit-NG-Dev is now written in .NET and compiled using CoreRT." "Deploying this alongside the .NET environment makes the code more platform-neutral. It eliminated the capacity to spread itself and print ransom letters using the user's printers."
One of the notable additions is a validity period: the malware only keeps running if the current date falls within a predetermined range. This suggests the developers were trying both to resist automated analysis (a sandbox detonating the sample outside the window sees nothing) and to prevent leaked builds from being reused after the campaign they were built for.
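To make the analysis implication concrete, the following is an added illustration, not LockBit code and not from Trend Micro's report. It models a time-gated payload behind a hypothetical date window (the dates are invented), then shows the analyst-side countermeasure: treat the sample as a black box that consults an injectable clock and probe it across many dates to recover the window, which is exactly what a sandbox that only ever runs at "now" cannot do.

```python
from datetime import date, timedelta
from typing import Callable, Optional, Tuple

# Hypothetical validity window. These dates are assumptions for the
# illustration; they are not taken from any real sample.
WINDOW_START = date(2024, 1, 1)
WINDOW_END = date(2024, 3, 31)


def gate(today: date) -> bool:
    """Time-gate check: True only while `today` lies inside the window."""
    return WINDOW_START <= today <= WINDOW_END


def run_payload(clock: Callable[[], date]) -> str:
    """Simulated payload. It reads the clock through `clock` so an analyst
    can substitute a fake one; a real sample would call the OS directly,
    and the analyst would hook or patch that call instead."""
    today = clock()
    if not gate(today):
        # Silent exit outside the window: an automated sandbox run on the
        # wrong date records no malicious behaviour at all.
        return "exit"
    return "encrypt"


def run_on(iso_day: str) -> str:
    """Detonate the simulated payload with the clock pinned to one date."""
    return run_payload(lambda: date.fromisoformat(iso_day))


def probe_window(sample: Callable[[Callable[[], date]], str],
                 start: date, end: date,
                 step_days: int = 1) -> Optional[Tuple[str, str]]:
    """Analyst side: sweep the clock from `start` to `end` and record the
    earliest and latest dates on which the sample proceeds. Returns
    (first_active, last_active) as ISO strings, or None if the sample
    never activates in the sweep (window lies elsewhere or the gate is
    not purely date-based)."""
    active = []
    day = start
    while day <= end:
        # Bind the current day into the fake clock (default-arg capture).
        if sample(lambda day=day: day) == "encrypt":
            active.append(day)
        day += timedelta(days=step_days)
    if not active:
        return None
    return (min(active).isoformat(), max(active).isoformat())


def demo() -> Optional[Tuple[str, str]]:
    """Sweep three years of dates around the assumed window."""
    return probe_window(run_payload, date(2023, 1, 1), date(2025, 12, 31))


if __name__ == "__main__":
    print("single run today-ish:", run_on("2023-06-01"))
    print("recovered window:", demo())
```

The practical lesson for detection engineering is that a single detonation is not a negative result for a sample suspected of carrying a time gate; the sandbox either needs to run with the clock inside the suspected campaign window or the gate has to be located statically and patched out.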
Work on the next-generation variant is said to have been prompted by a range of logistical, technical, and reputational problems. These include concerns that one of the administrators of the ransomware builder may have been replaced by government agents, as well as the leak of the builder in September 2022 by a disgruntled developer.
It did not help that the LockBit-managed accounts were banned from XSS and Exploit at the end of January 2024 over nonpayment to an initial access broker who had sold them access.
“The actor came across as someone who was ‘too big to fail’ and even showed disdain to the arbitrator who would make the decision on the outcome of the claim,” Trend Micro stated. “This discourse demonstrated that LockBitSupp is likely using their reputation to carry more weight when negotiating payment for access or the share of ransom payouts with affiliates.”
In its own analysis of the LockBit operation, PRODAFT said it identified over 28 affiliates, some of whom have ties to other Russian e-crime groups such as FIN7, Evil Corp, and Wizard Spider (also known as TrickBot).
These connections are further reflected in the gang's three-layered "nesting doll" structure, which presented the image of an established ransomware scheme comprising dozens of affiliates while quietly drawing on highly skilled penetration testers from other ransomware groups through personal alliances.
According to RedSense researchers Yelisey Bohuslavskiy and Marley Smith, the smokescreen took the form of a Ghost Group model, with LockBitSupp acting "as a mere distraction for actual operations."
“A Ghost Group is a group that has very high capabilities but transfers them to another brand by allowing the other group to outsource operations to them,” they explained. “The clearest version of this is Zeon, who has been outsourcing their skills to LockBit and Akira.”
Over several years, the operation is estimated to have amassed more than $120 million in illicit proceeds, making it the most prolific ransomware actor on record.
“Given that confirmed attacks by LockBit over their four years in operation total well over 2,000, this suggests that their impact globally is in the region of multi-billions of dollars,” the National Crime Agency (NCA) of the United Kingdom stated.
Operation Cronos has in all likelihood done lasting damage to the group's ability to run ransomware operations, at least under its current name.
“The rebuilding of the infrastructure is very unlikely; LockBit’s leadership is very technically incapable,” RedSense stated. “People to whom they delegated their infrastructural development have long left LockBit, as seen by the primitivism of their infra.”
“[Initial access brokers], which were the main source of LockBit’s venture, will not trust their access to a group after a takedown, as they want their access to be turned into cash.”