In a nutshell: After disrupting LockBit's main operation, US authorities are reaching out to victims of the ransomware gang. The FBI can now help thousands of companies and organizations recover their encrypted data.
From its "ongoing disruption" of LockBit, the FBI has recovered more than 7,000 decryption keys for victims of the notorious ransomware cybergang. According to FBI Cyber Assistant Director Bryan Vorndran, who spoke at the 2024 Boston Conference on Cyber Security, LockBit remains a threat, and the bureau continues to gather information about the ransomware.
The 7,000 keys recovered so far can help LockBit victims reclaim their data and potentially restore their compromised IT infrastructure, Vorndran said. The FBI is reaching out to known organizations affected by the LockBit ransomware and encourages any potential victims to visit the bureau's Internet Crime Complaint Center website to file a complaint.
LockBit's infrastructure was targeted in February 2024 by an international law enforcement effort dubbed Operation Cronos. Investigators seized 34 servers containing over 2,500 decryption keys and used the data gathered from those servers to develop a free file decryption tool for the LockBit 3.0 Black Ransomware.
Operation Cronos was successful, and the seized data provided valuable insights into the LockBit operation. According to US and UK authorities, the cybercriminals collected at least $1 billion in ransoms from 7,000 attacks on companies and organizations worldwide between June 2022 and February 2024.
US authorities have identified one of the presumed masterminds behind the LockBit ransomware: a 31-year-old Russian named Dmitry Khoroshev, known as "LockBitSupp" in the cybercrime underground. Khoroshev remains at large, likely hiding somewhere in Russia, and the FBI is offering $10 million for any information leading to his arrest. His assets have been seized, and he cannot travel freely without risking arrest by Europol or other major law enforcement agencies.
Despite Operation Cronos' success, the LockBit ransomware continues its operations. After switching to new servers and domains on the Dark Web, the Ransomware-as-a-Service operation is actively seeking new targets. In retaliation for Operation Cronos, the cybercriminals have started leaking large amounts of data from both old and new attacks.