November 15, 2024
FBI Distributes 7,000 LockBit Ransomware Decryption Keys to Help Victims
The U.S. Federal Bureau of Investigation (FBI) has disclosed that it's in possession of more than 7,000 decryption keys associated with the LockBit ransomware operation to help victims get their data back at no cost. "We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov," FBI Cyber Division

Jun 07, 2024NewsroomRansomware / Endpoint Security

The U.S. Federal Bureau of Investigation (FBI) has disclosed that it’s in possession of more than 7,000 decryption keys associated with the LockBit ransomware operation to help victims get their data back at no cost.

“We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov,” FBI Cyber Division Assistant Director Bryan Vorndran said in a keynote address at the 2024 Boston Conference on Cyber Security (BCCS).

LockBit, which was once a prolific ransomware gang, has been linked to over 2,400 attacks globally, with no less than 1,800 impacting entities in the U.S. Earlier this February, an international law enforcement operation dubbed Cronos led by the U.K. National Crime Agency (NCA) dismantled its online infrastructure.

Last month, a 31-year-old Russian national named Dmitry Yuryevich Khoroshev was outed by authorities as the group’s administrator and developer, a claim LockBitSupp has since denied.

“He maintains the image of a shadowy hacker, using online aliases like ‘Putinkrab,’ ‘Nerowolfe,’ and ‘LockBitsupp,'” Vorndran said. “But, really, he is a criminal, more caught up in the bureaucracy of managing his company than in any covert activities.”

Khoroshev is also alleged to have named other ransomware operators so that law enforcement could “go easy on him.” Despite these actions, LockBit has continued to remain active under a new infrastructure, albeit operating nowhere at its previous levels.

Statistics shared by Malwarebytes show that the ransomware family has been linked to 28 confirmed attacks in the month of April 2024, putting it behind Play, Hunters International, and Black Basta.

Vordan also emphasized that companies opting to pay to prevent the leak of data have no guarantee that the information is actually deleted by the attackers, adding “even if you get the data back from the criminals, you should assume it may one day be released, or you may one day be extorted again for the same data.”

According to the Veeam Ransomware Trends Report 2024, which is based on a survey of 1,200 security professionals, organizations experiencing a ransomware attack can recover, on average, only 57% of the compromised data, leaving them vulnerable to “substantial data loss and negative business impact.”

The development coincides with the emergence of new players such as SenSayQ and CashRansomware (aka CashCrypt), as existing ransomware families like TargetCompany (aka Mallox and Water Gatpanapun) are consistently refining their tradecraft by leveraging a new Linux variant to target VMWare ESXi systems.

The attacks take advantage of vulnerable Microsoft SQL servers to gain initial access, a technique adopted by the group since its arrival in June 2021. It also determines if a targeted system is running in a VMWare ESXi environment and has administrative rights before proceeding further with the malicious routine.

“This variant uses a shell script for payload delivery and execution,” Trend Micro researchers Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo said. “The shell script also exfiltrates the victim’s information to two different servers so the ransomware actors have a backup of the information.”

The cybersecurity company has attributed the attacks deploying the new Linux variant of TargetCompany ransomware to an affiliate named Vampire, who was also revealed by Sekoia last month.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.