FBI Issues 7,000 LockBit Ransomware Decryption Codes to Aid Victims

Jun 07, 2024NewsroomRansomware / Endpoint Security

The U.S. Federal Bureau of Investigation (FBI) has disclosed that it holds more than 7,000 decryption codes associated with the LockBit ransomware operation, which it is using to help victims recover their data at no cost.

“We are contacting recognized LockBit victims and urging anyone who suspects they have fallen victim to visit our Internet Crime Complaint Center at ic3.gov,” FBI Cyber Division Assistant Director Bryan Vorndran said during a keynote speech at the 2024 Boston Conference on Cyber Security (BCCS).

LockBit, once a highly active ransomware group, has been associated with over 2,400 attacks worldwide, affecting at least 1,800 organizations in the U.S. In February, an international law enforcement operation named Cronos, led by the U.K. National Crime Agency (NCA), dismantled the gang’s online infrastructure.

Just recently, authorities identified a 31-year-old Russian individual named Dmitry Yuryevich Khoroshev as the administrator and developer of the group, although LockBitSupp has denied this allegation.

“He upholds the persona of a mysterious hacker, utilizing online aliases such as ‘Putinkrab,’ ‘Nerowolfe,’ and ‘LockBitsupp,’” Vorndran said. “However, in reality, he functions as a criminal, engrossed more in the administration of his organization than in any covert operations.”

Khoroshev is also accused of identifying other ransomware operators so that law enforcement authorities would treat him leniently. Despite these developments, LockBit has continued to operate using new infrastructure, albeit not as actively as before.

Information from Malwarebytes indicates that the ransomware group was involved in 28 confirmed attacks in April 2024, placing it behind Play, Hunters International, and Black Basta in terms of activity.

Vorndran also stressed that organizations that choose to pay to prevent data leaks have no assurance that the data will be completely removed by the attackers, and added, “even if you manage to retrieve your data from the criminals, you should assume it might be disclosed at some point, or you could be extorted again for the same information.”

As per the Veeam Ransomware Trends Report of 2024, based on a survey of 1,200 cybersecurity professionals, entities hit by ransomware attacks can recover an average of only 57% of the compromised data, leaving them exposed to significant data loss and adverse business consequences.

These developments coincide with the rise of new threat actors like SenSayQ and CashRansomware (also known as CashCrypt), while existing ransomware groups like TargetCompany (also known as Mallox and Water Gatpanapun) sharpen their techniques by leveraging a new Linux variant to target VMware ESXi systems.

These attacks exploit vulnerable Microsoft SQL servers for initial access, a practice the group has used since its emergence in June 2021. The variant also checks whether the targeted system is running in a VMware ESXi environment and whether it has administrative privileges before proceeding with its malicious operations.

“This variant employs a shell script for delivering and executing the payload,” stated Trend Micro researchers Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo. “The shell script also sends the victim’s data to two different servers so the ransomware operators have a backup of the information.”

The cybersecurity firm has attributed the attacks utilizing the new Linux version of the TargetCompany ransomware to an affiliate known as Vampire, who was exposed by Sekoia last month.
