FBI Recovers Over 7,000 Decryption Keys From Ransomware Service LockBit: Urges Victims To Reclaim Data

The US Federal Bureau of Investigation (FBI) disrupted LockBit and retrieved over 7,000 decryption keys—bits of information to recover encrypted data—that could help victims get stolen information back.

FBI Cyber Assistant Director Bryan Vorndran made the announcement at the 2024 Boston Conference on Cyber Security on June 5. During his speech, Vorndran shared more details on the operation, the criminal charges against alleged administrator Dimitri Khoroshev and six other co-conspirators, and the conclusions of the investigation. The agent also urged victims or people who suspect themselves to be victims of this cyber threat to visit the FBI’s Internet Crime Complaint Center at ic3.gov.

Vorndran explained that Khoroshev, also known under aliases like “LockBitsupp”, “Nerowolfe”, and “Putinkrab”, allows cybercriminals to use his LockBit ransomware-as-a-service software to steal private information from businesses and individuals in exchange for 20% of any ransom acquired.

Vorndran also said that Khoroshev helped LockBit affiliates store and host the stolen data and provided advice on ransom demands and cryptocurrency laundering. According to the release, discounts were also offered for high-volume affiliates.

According to Vorndran’s announcement, Khoroshev launched LockBit in 2019. Three years later, in 2022, it became “the most-deployed ransomware variant in the world,” responsible for over 2,400 attacks worldwide and more than 1,800 in the United States alone, inflicting billions of dollars in losses on victims.

The operation to dismantle LockBit started years ago and required international collaboration. “Disrupting LockBit and its affiliates became a global effort, involving FBI work with agencies from 10 other countries, particularly the British National Crime Agency, over more than three years,” said Vorndran.

The FBI agent also said that LockBit continued to store private data even after promising to delete it once the ransom was paid.

Vorndran affirmed that when a victim pays to prevent a leak, they are only preventing the immediate release, not a future exposure. “Even if you get the data back from the criminals, you should assume it may one day be released, or you may one day be extorted again for the same data,” he said.

Just as the cloud company Snowflake recently did after learning about massive data breaches related to its clients, the FBI recommended multi-factor authentication (MFA) as a security measure, along with other basic practices: keeping safe and encrypted backups, applying effective logging management, and taking time to plan ahead for different scenarios and create protocols with teams and relevant members of the organization.
