In a significant breakthrough, the FBI has successfully retrieved more than 7,000 decryption keys from the notorious LockBit ransomware group. This development follows a multi-year investigation that culminated in the takedown of LockBit’s website, several arrests, and numerous criminal charges. The FBI is now actively reaching out to victims, encouraging them to seek assistance in recovering their encrypted data.
LockBit, responsible for over 2,400 attacks worldwide, with at least 1,800 affecting U.S. entities, had previously claimed to delete victim data upon receiving ransom payments. However, FBI Cyber Division Assistant Director Bryan Vorndran revealed that the group often retained data even after ransoms were paid. This revelation was part of Vorndran’s keynote address at the 2024 Boston Conference on Cyber Security.
The investigation into LockBit gained momentum in February when the FBI, in collaboration with the UK’s National Crime Agency and other international authorities, dismantled the group’s online infrastructure and charged two Russian nationals involved in the attacks. Initially, authorities retrieved over 1,000 decryption keys. However, LockBit soon claimed to have resumed operations using backup servers, dismissing the authorities’ efforts as having only a minimal impact.
Despite LockBit’s attempts to continue its operations, the FBI’s persistence paid off. By mid-March, LockBit posted details of new ransomware attacks, but by May, authorities had reactivated LockBit’s site to reveal the identity of the group’s alleged administrator, Russian national Dmitry Yuryevich Khoroshev. Khoroshev, also known by aliases such as “Putinkrab” and “LockBitsupp,” is now the sixth person charged in connection with LockBit. He faces 26 charges and a potential 185-year prison sentence if extradited to the U.S.
Vorndran emphasized the FBI’s commitment to holding Khoroshev accountable, stating, “We will not go easy on him.” Khoroshev is accused of attempting to name other ransomware operators to mitigate his own charges, a claim LockBit has denied. Despite these allegations, LockBit’s activities have significantly diminished under new infrastructure, although the group remains active.
LockBit’s tactics involved leveraging vulnerable Microsoft SQL servers to gain initial access, particularly targeting systems running in VMWare ESXi environments. The ransomware used sophisticated techniques, including shell scripts for payload delivery and data exfiltration to multiple servers. This method ensured that the attackers retained backup copies of the victim’s information.
The FBI’s retrieval of decryption keys provides a crucial lifeline for LockBit’s victims, offering a chance to recover their data without paying ransoms. Vorndran urged anyone who suspects they were targeted by LockBit to visit the FBI’s Internet Crime Complaint Center at ic3.gov.
The case against LockBit also highlights broader concerns about the efficacy of paying ransoms. Vorndran warned that even if data is returned, there is no guarantee it will not be leaked or used for future extortion. According to the Veeam Ransomware Trends Report 2024, organizations hit by ransomware can typically recover only 57% of their compromised data, underscoring the risk of substantial data loss and long-term business impacts.
As new ransomware groups like SenSayQ and CashRansomware emerge, and existing ones like TargetCompany refine their techniques, the battle against ransomware continues. However, the FBI’s success against LockBit marks a significant step forward in protecting organizations and individuals from cyber extortion.