The United States has taken a decisive step in its fight against cybercrime by offering substantial rewards for information leading to the arrest or conviction of individuals associated with the LockBit ransomware operation. This announcement follows significant disruptions to LockBit’s infrastructure by international law enforcement agencies.

Disruption of LockBit’s Operations
The UK’s National Crime Agency (NCA) and other law enforcement agencies have effectively seized LockBit domains and servers. Initially, these domains displayed messages about the law enforcement actions, but they now redirect visitors to a site resembling the known LockBit leak website, filled with law enforcement messages and cybersecurity firm reports on LockBit’s activities.
The NCA has even taunted LockBit affiliates through these messages, indicating that law enforcement might soon contact them. The agency has published a list of nearly 200 usernames associated with LockBit affiliates and taken down servers related to the LockBit data exfiltration tool, StealBit.

Access to Key Infrastructure
Law enforcement claims to have gained access to crucial LockBit infrastructure, recovering 1,000 decryption keys. The NCA urges victims to get in touch for assistance. Furthermore, over 14,000 accounts on services like Mega, ProtonMail, and Tutanota, used for data exfiltration and ransomware operations, have been shut down.

Law Enforcement Actions and Rewards
The U.S. Department of State has announced rewards totaling up to $15 million for information on LockBit operatives, with up to $10 million for information on leaders and $5 million for affiliates. This initiative aims to bring justice to more than 2,000 LockBit ransomware victims who have paid over $120 million in ransoms, with total losses estimated in the billions.

Sanctions and Charges
The Treasury Department has sanctioned two Russian nationals, Ivan Gennadievich Kondratiev and Artur Sungatov, for their roles in LockBit operations. Kondratiev, also known as Bassterlord and Fisheye, is linked to multiple ransomware groups, including REvil, RansomEXX, and Avaddon. Sungatov has been actively involved in LockBit attacks. The Justice Department has charged these individuals, bringing the total number of people charged over LockBit attacks to five.
One individual is in custody in Canada awaiting extradition, while another is in custody in the U.S. awaiting trial. The Treasury highlighted the significant impact of a LockBit attack on the U.S. broker-dealer arm of China’s Industrial and Commercial Bank of China (ICBC), which disrupted trades worth over $9 billion.

Skepticism and Ongoing Threat
Despite these efforts, some experts remain skeptical about the long-term impact of these disruptions on LockBit’s operations. Jon Marler, cyber evangelist at Viking Cloud, suggests that without arrests of the core team behind LockBit, the malware, now in its third major revision, may continue to pose a threat under a different name.

Conclusion
The U.S. and its allies are making significant strides in combating ransomware, but the resilience and adaptability of cybercriminal groups like LockBit mean that the fight is far from over. Continued vigilance and international cooperation are essential to mitigate the ongoing threats posed by ransomware and other cybercriminal activities.