The U.S. Federal Bureau of Investigation (FBI) has revealed that it possesses over 7,000 decryption keys related to the LockBit ransomware operation to assist victims in recovering their data at no charge.
“We are contacting known LockBit victims and urging anyone who suspects they were affected to visit our Internet Crime Complaint Center at ic3.gov,” stated FBI Cyber Division Assistant Director Bryan Vorndran in a keynote address at the 2024 Boston Conference on Cyber Security (BCCS).
LockBit, formerly a prominent ransomware group, has been connected to more than 2,400 attacks worldwide, with at least 1,800 impacting organizations in the U.S. Earlier this February, an international law enforcement operation known as Cronos, led by the U.K. National Crime Agency (NCA), dismantled its online infrastructure.
In the past month, authorities identified a 31-year-old Russian individual named Dmitry Yuryevich Khoroshev as the group’s leader and developer, a claim disputed by LockBitSupp.
“Despite his portrayal as a mysterious hacker with online aliases like ‘Putinkrab,’ ‘Nerowolfe,’ and ‘LockBitsupp,’ he is essentially a criminal more focused on managing his organization than engaging in covert operations,” Vorndran explained.
Despite these revelations, LockBit continues to operate under a new infrastructure but not at the same scale as before.
Data from Malwarebytes indicates that the ransomware family was involved in 28 confirmed attacks in April 2024, ranking behind Play, Hunters International, and Black Basta.
Vorndran also warned that paying to prevent data leaks does not guarantee the complete deletion of stolen information by the attackers, emphasizing the risk of the data being exposed in the future or of facing repeat extortion attempts.
According to the Veeam Ransomware Trends Report 2024, based on a survey of 1,200 security professionals, organizations affected by ransomware attacks can only recover an average of 57% of compromised data, leaving them vulnerable to significant data loss and negative business consequences.
Meanwhile, new ransomware groups like SenSayQ and CashRansomware have emerged, while established families such as TargetCompany continue to enhance their tactics by leveraging a new Linux variant to target VMware ESXi systems.
TargetCompany utilizes vulnerable Microsoft SQL servers for initial access and checks whether the targeted system runs in a VMware ESXi environment with administrative privileges before proceeding with the attack.
“This variant employs a shell script for delivering and executing payloads,” explained Trend Micro researchers Darrel Tristan Virtusio, Nathaniel Morales, and Cj Arsley Mateo. “The script also sends victim data to two different servers for backup.”
Trend Micro attributed the attacks using the new Linux variant of TargetCompany ransomware to an affiliate named Vampire, who was identified by Sekoia last month.