LockBit: The Rise, The Fall, and Law Enforcement’s Take Down of The LockBit Empire
Today, I’m going to tell you the story of the rise and fall of the world’s most notorious ransomware cybercrime group and RaaS (Ransomware as a Service) program, ‘LockBit’. In this story, we will learn how a cybercrime group emerges and how it falls, the extent of the damage it causes to society, and who the people behind these crimes are. Definitely, they are not aliens, mafia members, or underworld dons.
What is Ransomware?
Ransomware is a type of cyberattack in which the attacker gains access to the victim’s internal network or servers through a software bug or a social engineering attack such as phishing or vishing. They then steal the company’s internal data and move it to a separate location, usually attacker-controlled servers. Afterward, they execute their ransomware payload to encrypt all of the victim’s data and servers. When the payload runs, files and systems are encrypted and file extensions are changed, and the victim cannot access their data because all of it is encrypted. The attacker then demands a ransom payment. If the victim pays, the attackers provide a decryptor to recover the files. If the ransom is not paid, the attacker leaks all of the internal data on their Data Leak Site (DLS) for everyone on the internet to see. This method is called “Double Extortion”; in some cases, attackers also launch a Denial-of-Service (DoS) attack on the victim’s infrastructure, a method known as “Triple Extortion”.
Who is LockBit?
LockBit is one of the most prolific ransomware groups globally, linked to thousands of attacks on hospital systems, major corporations, cities, and critical infrastructure. According to the Department of Justice (DoJ), LockBit has targeted over 2,500 victims worldwide and has received more than $500 million in ransom payments.
LockBit plays a crucial role in the field of ransomware. It operates on a model called RaaS (Ransomware as a Service). In this model, the core members (admins) of the group create and manage the core components of the program, such as encryptors, panels, chat support, dashboards, servers, and everything else. They then provide these components to ‘affiliates’ who carry out attacks on victims' networks, with a percentage of the ransom payment allocated to the affiliates. The affiliates launch the attacks using the tools and software provided by the core members and demand the ransom. If the ransom is paid, a portion goes to the core members, while the rest goes to the affiliate.
History of LockBit
LockBit started its operation on September 3, 2019, according to their DLS (Data Leak Site).
There is limited information available about the LockBit gang before September 3, 2019. The rule in any business or trade is that proficiency requires prior experience, knowledge, and practice. Similarly, based on their tactics and techniques, researchers believe that the criminals behind LockBit began their careers working with other ransomware programs like ‘LockerGoga’ and ‘MegaCortex’.
LockBit, formerly known as ‘ABCD’ ransomware, began advertising its affiliate program in underground forums in January 2020 to recruit more affiliates. The program experienced exponential growth starting mid-2021. Later in 2021, LockBit operators announced the launch of ‘LockBit 2.0’ along with a recruitment program for new affiliates.
LockBit Variants:
- Variant 1: “.abcd” extension
In the original version of LockBit, encrypted files are renamed with the ‘.abcd’ extension. Additionally, a ransom note titled “Restore-My-Files.txt” is dropped in every folder.
- Variant 2: “.LockBit” extension
This version (LockBit 1.0) closely resembles the previous one. It appends the ‘.LockBit’ extension to encrypted files and instructs victims to download the Tor browser for communication. This variant is packed, carries digital signatures, and uses a dynamic mutex instead of a static one.
- Variant 3:
This version (LockBit 2.0) doesn't use the Tor browser for ransom instructions. Instead, it directs victims to an alternate website reachable over the regular internet. This version includes several enhancements, including faster encryption, UAC (User Account Control) bypass capabilities, and an updated desktop wallpaper.
- Variant 4: (Latest version of Lockbit timeline)
LockBit 3.0 is the newest version in the LockBit timeline. This version offers customizable behavior options and requires a password for execution. Using hardcoded credentials or compromised accounts, it drops a ransom note and alters the host’s wallpaper. Affiliates use tools like StealBit and rclone for data exfiltration and employ ProcDump and SoftPerfect Network Scanner for information collection. LockBit 3.0 deletes log files and volume shadow copies post-encryption and uses a hybrid encryption approach.
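The encryption artifacts described above (renamed extensions and a ransom note in every folder, see the ransomware overview and the variant list) are what a responder looks for first. The following added example, which is my own code and not from the original post or from any LockBit-related project, walks a directory tree and reports those artifacts per variant; the sample tree is constructed for the demonstration and the function names are my own.

```python
import os
import tempfile
from collections import Counter

# Artifact names taken from the variant descriptions above. Matching is
# case-insensitive because the extension case differs between samples.
VARIANT_EXTENSIONS = {
    ".abcd": "Variant 1 (.abcd)",
    ".lockbit": "Variant 2 (.LockBit)",
}
RANSOM_NOTE = "restore-my-files.txt"

def scan_tree(root):
    """Walk root and count renamed files per variant and note-drop folders."""
    ext_hits = Counter()
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.append(dirpath)
                continue
            ext = os.path.splitext(lower)[1]
            if ext in VARIANT_EXTENSIONS:
                ext_hits[VARIANT_EXTENSIONS[ext]] += 1
    return {"variants": dict(ext_hits), "note_dirs": sorted(note_dirs)}

def triage_verdict(report):
    """Renamed files plus the note in two or more folders is a strong signal."""
    renamed = sum(report["variants"].values())
    return renamed > 0 and len(report["note_dirs"]) >= 2

def build_sample_tree(root):
    """Constructed sample tree: three hit folders, one untouched folder."""
    layout = {
        "finance": ["q3-report.xlsx.abcd", "Restore-My-Files.txt"],
        "hr": ["payroll.docx.abcd", "Restore-My-Files.txt"],
        "legal": ["contract.pdf.LockBit", "Restore-My-Files.txt"],
        "public": ["readme.txt"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("constructed sample content\n")

def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = scan_tree(tmp)
        return report["variants"], len(report["note_dirs"]), triage_verdict(report)
```

Point `scan_tree` at a mounted image or file share to get the same report for a real incident; the verdict threshold is deliberately conservative so a single stray note does not fire.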
The Summer Contest
In the early days of LockBit, when it was relatively unknown, the group was one of many ransomware gangs attempting to gain prominence in the organized criminal community. The leader of LockBit sought to market the LockBit brand but faced the challenge of not being able to advertise on social media platforms. To address this, they created accounts on underground forums under the name “LockBitSupp”, short for LockBit Support, and began interacting and posting on these forums, engaging in conversations with other criminals. However, LockBit remained relatively unknown, with only a few people aware of its existence.
To boost their visibility, LockBit sponsored a ‘Hacking Article Contest’.
Participants wrote blog posts and sent them in, while forum members read and voted for the articles they liked. The authors of the top 5 papers received monetary rewards ranging from $1000 to $5000. Then, LockBit selected the best paper for an additional prize. This initiative helped LockBit stand out from other ransomware programs and kick-started their program.
Story of StealBit
In ransomware attacks, stealing and threatening to release sensitive data is often more damaging than encrypting systems. This tactic is lucrative but demands additional resources. For instance, criminals must identify critical data or steal large volumes to ensure they possess valuable information. However, transferring substantial amounts of data raises the risk of detection. LockBit affiliates initially relied on public tools like Rclone for data theft, which was slow and cumbersome. To streamline operations, LockBit developed its own tool, “StealBit”, offering affiliates a faster, self-deleting data exfiltration solution. This tool, accessible through the ransomware’s admin panel, simplifies attacks via a centralized console. Later, screenshots revealed the ease with which attackers could manage data theft, highlighting how far LockBit had gone in simplifying and enhancing ransomware attacks.
These seemingly minor updates greatly benefited the LockBit program, accelerating its growth and reputation within the underground criminal community and thereby attracting more affiliates.
LockBit’s Bug Bounty Program
Yes, you heard correctly. LockBit also operated a bug bounty program, offering rewards to those who reported bugs in their products and to anyone who could expose the real person behind the pseudonym ‘LockBitSupp’. The story behind LockBit’s bug bounty program is intriguing: Microsoft’s DART team discovered a flaw in the LockBit ransomware, dubbed ‘Buggy Code’, which enabled Microsoft to recover encrypted data linked to MSSQL database files.
LockBit’s bug bounty program:
LockBit’s bug bounty program offers rewards ranging from $1,000 to $1,000,000, making it more enticing than many legal Vulnerability Disclosure Programs (VDPs). LockBit demonstrated its commitment to enforcing rules (while not following any rules itself), maintaining its reputation, and collecting reviews from affiliates and other criminals in underground forums. They use these reviews to continually improve their product. Interestingly, LockBit at one point offered a $1,000,000 bounty to anyone who could provide information leading to the disclosure of their leader’s identity. Here’s a look at their doxing price:
In January 2024, LockBit increased the bounty for doxing LockBit’s leader, LockBitSupp, to $10,000,000.
Break the Rules and Lie
LockBit claims to strictly adhere to rules, such as refraining from attacking non-profit organizations, hospitals, critical medical institutions, and similar entities. However, in December 2022, one of LockBit’s affiliates targeted “The Hospital for Sick Children (SickKids)”. Although the attack only encrypted a few systems, SickKids reported that it caused delays in receiving lab and imaging results, resulting in longer patient wait times.
As first noted by threat intelligence researcher Dominic Alvieri, on December 31, 2022, the LockBit ransomware gang issued an apology for the attack on the hospital and released a decryptor for free.
Apology note:
Did you notice something in this so-called apology note?
“The partner who attacked this hospital violated our rules, is blocked, and is no longer our affiliate program.”
This sounds very reassuring, and it may seem like there’s a bit of humanity behind LockBitSupp because they released a free decryptor for the hospital, right? But there isn’t. After OpCronos, short for Operation Cronos, we now know that this LockBit statement is a lie, based entirely on deception.
See the below statement of the OpCronos teams:
The law enforcement agencies have officially stated that the attackers who targeted SickKids in December 2022 remained active even after LockBit's statement, right up until the operation in February 2024. Additionally, officials have indicated that the same affiliate was responsible for 127 unique attacks. This clearly contradicts LockBit's statement and shows that they did not block the affiliate responsible for the attack on SickKids.
Also interesting: after the SickKids incident in December 2022, LockBit updated its rules, permitting affiliates to target critical infrastructure such as hospitals and pharmaceutical facilities, and non-profit organizations.
- It is allowed to attack non-profit organizations. If an organization has computers, it must take care of the security of the corporate network.
- It is allowed to attack any educational institutions as long as they are private and have revenue.
- And there are more…
This underscores the untrustworthiness of cybercriminals. Their motivations lie solely in financial gain, devoid of any concern for humanity or even their own families. They’re indifferent to who lives or dies.
OpCronos - The Beginning
On February 19, 2024, the National Crime Agency (NCA), the United Kingdom's law enforcement body, collaborated with the FBI, Europol, and nine other countries in “Operation Cronos”. This operation aimed to disrupt the operations of the LockBit ransomware gang. In the initial phase, they successfully took down LockBit’s Data Leak Site, which the gang used for shaming, extortion, and leaking data from its victims. Visitors to the site were met with a seizure banner from the NCA, marking the beginning of stage one.
While the initial seizure message marked the beginning of the takedown, the NCA's actions went far beyond surface appearances. They achieved complete control over LockBit’s infrastructure and resources, effectively dismantling the criminal operation. What’s more, the NCA had infiltrated LockBit’s infrastructure long before the disruption on February 19th, gathering crucial intelligence along the way.
Moreover, they successfully obtained victim decryption keys, empowering recent victims to decrypt their data without succumbing to LockBit’s extortion tactics. The NCA also compromised and acquired LockBit’s new ransomware payload, intended for release as part of the LockBit 4.0 upgrade. The NCA’s actions severely damaged LockBit’s operations and offered crucial relief to its victims.
In stage two of Operation Cronos, starting on February 20th, the NCA redirected visitors to a new website resembling LockBit’s. But here’s the twist: instead of showing victims of ransomware, it showed the criminals as the ones in trouble. For five days, the NCA posted announcements and indictments against LockBit’s members, framing them as “victim” posts on the site. One example named two LockBit affiliates and linked to a press release about criminal charges laid out by the NCA.
Also in stage two, the NCA sent individual messages to LockBit ransomware affiliates. When these affiliates logged into the LockBit panel, they received a direct message from the NCA. The message revealed that law enforcement had gathered their panel username, cryptocurrency wallet addresses, chat logs from victim negotiations, the IP addresses used to access the panel, and transcripts of their conversations with LockBit’s leader, LockBitSupp.
The NCA had silently observed every move of the criminals, and greeting affiliates upon login sent a strong message. This unexpected action likely shook the criminals and raised doubts about LockBit’s security and anonymity. Stage two was a psychological operation aimed at undermining trust within LockBit’s ranks. Before shutting down the seized site, law enforcement published a post about LockBitSupp, further exposing the operation’s vulnerability.
In the section titled “Who is LockBitSupp?”, the NCA reveals intriguing facts about LockBitSupp: contrary to their claims, they do not reside in the United States, they drive a Mercedes rather than a Lamborghini, and the NCA drops hints that intelligence agencies know the mastermind behind LockBit, one of the world’s most notorious ransomware groups. Notably, LockBitSupp’s profile photo is a cat meme.
The LockBit Part
Despite facing these challenges, LockBit, a significant player in the ransomware sphere, refused to yield. Money isn’t his sole motivation; he’s deeply passionate about his criminal activities. Following Operation Cronos, LockBit wasted no time in rebuilding his infrastructure. LockBit strategically posted about the FBI, not as a real victim, but to gain publicity and assert his resurgence after the disruption. This served as a message reaffirming his presence and resilience in the criminal world. See LockBit’s explanation below for more insight.
They started bluffing and presenting their side of the story, but I don’t want to bore you with their bluff. Here's the main thing:
- The agencies erased LockBit’s server disks.
- LockBit’s server runs on a vulnerable version of PHP (8.1.2) susceptible to CVE-2023-3824.
- The FBI obtained a database, web panel sources, locker stubs, 1000 decryptors, nicknames of the affiliates, wallets used in ransom payments, chat logs, and other valuable data.
The agencies most likely exploited this vulnerability to get in, or maybe it was a 0-day? Who knows? But what we learn here is: hackers also get hacked. So learn from others’ mistakes, keep your software updated, and address security issues promptly.
OpCronos - The End
Now, it’s time for the most interesting part of our story: “Who is LockBitSupp?” Who is behind LockBit, who’s the mastermind? After stages one and two of OpCronos in February 2024, the onion link belonging to LockBit’s old infrastructure, taken over by law enforcement agencies, went offline for months. However, three months later, on May 5th, the onion site came back online, indicating the third and presumably final stage of OpCronos. The onion site went live with this banner:
The post titled “Who is LockBitSupp?” marked a significant turning point in Operation Cronos, hinting at the imminent public identification of LockBit’s mastermind. The countdown clock reset for May 7th indicated law enforcement’s intent to reveal crucial information and press charges. This development suggested a strain causing anxiety for the elusive figure behind LockBitSupp. Despite LockBit’s past taunts, law enforcement seemed poised to unveil their identity, signaling a potential victory in the ongoing battle against cybercrime.
Operation Cronos's final stage, initiated on May 7th 2024, aims to publicly identify the mastermind behind LockBit’s criminal activities. The Department of Justice’s indictments serve broader strategic purposes, including exposing criminals to scrutiny and hindering their operations. By shedding light on the real identity behind LockBitSupp, the Operation disrupts ransomware activities and adds layers of difficulty for convicted criminals, impeding their ability to evade detection and continue their illicit activities.
Unmasked
Dmitry Yuryevich Khoroshev, aka LockBitSupp, aka LockBit, aka putinkrab, aka sitedev5.
It’s time to meet the mastermind behind the LockBit ransomware operation, the one and only Dmitry Yuryevich Khoroshev.
Dmitry Yuryevich Khoroshev, born on April 17, 1993, in Russia, currently resides in the Voronezh region. Besides his involvement in criminal activities, Dmitry owns a legitimate business in Voronezh and leads a lavish lifestyle, driving a Mercedes. He has successfully kept his criminal activities separate from his public persona, making it challenging to identify him. Despite his criminal activities, Dmitry is also a skilled businessman, having registered and developed multiple companies and websites in Russia.
KHOROSHEV, Dmitry Yuryevich (a.k.a. KHOROSHEV, Dmitrii Yuryevich; a.k.a. KHOROSHEV, Dmitriy Yurevich; a.k.a. YURIEVICH, Dmitry; a.k.a. "LOCKBITSUPP"), Russia; DOB 17 Apr 1993; POB Russian Federation; nationality Russia; citizen Russia; Email Address khoroshev1@icloud.com; alt. Email Address sitedev5@yandex.ru; Gender Male; Digital Currency Address - XBT bc1qvhnfknw852ephxyc5hm4q520zmvf9maphetc9z; Secondary sanctions risk: Ukraine-/Russia-Related Sanctions Regulations, 31 CFR 589.201; Passport 2018278055 (Russia); alt. Passport 2006801524 (Russia); Tax ID No. 366110340670 (Russia) (individual) [CYBER2].
As of now, LockBitSupp, also known as Dmitry Yurevich Khoroshev, continues to operate the LockBit operation. We’ll see how long they can keep going after being successfully unmasked. ;D
Summary
In this narrative of LockBit, we delved into the emergence and downfall of a cybercrime group, exploring the tactics they employ to thrive in the realm of cybercrime. While there are numerous incidents and much more information to share, it’s impractical to fit everything into one place. Therefore, I focused on the most intriguing aspects here, drawing on the insights of the esteemed security researcher Jon DiMaggio, known for his work on the Ransomware Diaries.
Thank you everyone for reading. It’s time to bring this chapter to a close, but I hope to reconvene soon.