More than 7,000 LockBit decryption keys are now available for victims of the notorious ransomware gang, FBI Cyber Division Assistant Director Bryan Vorndran said in a Wednesday keynote address at the 2024 Boston Conference on Cyber Security.
Vorndran said the recovery of the 7,000-plus keys was part of the FBI’s “ongoing disruption” of the gang, which originally had much of its infrastructure disabled by the agency and its international partners in February. The FBI’s original announcement of the takedown operation noted the seizure of decryption keys but did not list an exact number – the UK’s National Crime Agency (NCA) which participated in the takedown, previously stated that it obtained 1,000 decryption keys.
“We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov,” Vorndran stated during the keynote.
The prospect of newly available LockBit decryption tools is significant, especially after a recent Veeam report found attackers successfully breach backups in 76% of cases, and even backed up data is not always fully recoverable.
“This is an example of why it is important to hold on to data that was encrypted by ransomware. More than once the infrastructure has been disrupted and decryption keys have been made available. Even organizations that restore from backups often find themselves missing some of the data, and instances like this where decryption keys are being provided can help them recover this information,” Erich Kron, security awareness advocate at KnowBe4, commented to SC Media.
LockBit is estimated to be responsible for more than 2,400 attacks globally, and more than 1,800 in the United States alone, according to Vorndran. The group made a comeback shortly after its disruption but Trellix reported in April that the previous leader in ransomware infections was operating with limited infrastructure and capabilities.
On May 7, the U.S. Department of Justice identified and revealed charges against the suspected administration of LockBit, Dimitry Yuryevich Khoroshev. Nevertheless, the ransomware-as-a-service (RaaS) gang continues to claim victims, including Canadian pharmacy and retailer London Drugs last month.
Still, the ongoing action by the FBI and release of more decryption keys threatens LockBit’s ability to use file recovery as a bargaining chip in its extortion efforts, Raj Samani, SVP and chief scientist at Rapid7, told SC Media.
“Ever since law enforcement took down LockBit’s infrastructure in February 2024, they’ve engaged in PR and damage control in order to show strength and maintain the confidence of affiliates. However, such announcements by the FBI damages this confidence, and hopefully we’ll soon see the end of the LockBit ransomware group,” Samani said.
FBI urges cooperation and unity to fight cybercrime
Vorndran’s remarked touted several other recent accomplishments by the FBI’s Cyber Division, including last week’s announcement of “Operation Endgame,” which took down more than 100 servers tied to dropper malware operations, and January’s “Operation Dying Ember,” which took down more than 1,000 hijacked routers serving as a botnet for Russian intelligence services.
“The FBI had its most prolific year ever in terms of disruptions of cyber adversaries in 2023, something we’re exceptionally proud of,” Vorndran stated. “But we should all remember we face extremely capable adversaries in China, Russia, Iran, North Korea, and with Russian-based cybercriminals who have safe-haven status in Russia.”
The assistant director also said that “85-90% of the most powerful cyber-threat intelligence” comes from outside the U.S. government, and urged private companies, nonprofits and academia to partner with one another and with authorities to continue to combat cybercrime.
Additionally, the FBI’s calls for victims to come forward and receive assistance in decrypting their files points to a continuing effort by the agency to proactively mitigate victims’ losses. The agency previously faced criticism for its handling of the 2021 Kaseya ransomware attack, after which it obtained the REvil malware decryptor but did not share it with victims for several weeks.
At the time, the FBI cited the need to leverage the decryptor in its investigation, and to determine if the code was safe to distribute, as reasons for the delay. However, the agency seemed to take a lesson from the backlash, as shown by its speedy release of decryption keys during its takedown of the Hive ransomware group.
Vorndran’s remarks also emphasized further work the FBI is doing to be “a force multiplier benefiting victims,” noting the agency is working with cyber insurance providers to make options and decision-making clearer and more efficient before, during and after an attack.
Finally, Vorndran encouraged organizations to work together among one another for the common good of cybersecurity and to prevent the “outsized impact” of supply chain attacks.
“Within sectors and industries, we must use the term ‘peer’ instead of ‘competitor.’ In cyber, if you’re being targeted, so are your sector and industry peers. Information sharing with your peers is absolutely critical for entire sectors and industries to be more resilient to cyber threats,” Vorndran stated.
