    Authorities Say LockBit Admin “LockBitSupp” Interacted with Law Enforcement

    The person or people known as LockBitSupp, who represent the LockBit ransomware service on cybercrime forums like Exploit and XSS, have had contact with law enforcement, according to authorities.

    This development follows the dismantling of the ransomware-as-a-service (RaaS) operation in a coordinated international law enforcement effort, Operation Cronos. More than 14,000 rogue accounts on services such as Mega, Protonmail, and Tutanota, used by the criminals, have been shut down.

    “We have identified LockBitSupp. We know where LockBitSupp lives. We know LockBitSupp’s net worth. LockbitSupp has interacted with law enforcement,” stated a message on the now-seized dark web data leak site.

    Long-time observers of LockBit see this as an attempt to sow suspicion and distrust among affiliates, eroding the group’s standing within the cybercrime world.

    A report from Analyst1 in August 2023 suggests that at least three different individuals have managed the “LockBit” and “LockBitSupp” accounts, one of them possibly being the gang’s leader.

    However, in a conversation with malware research group VX-Underground, LockBit claimed that law enforcement did not know the identities of LockBit’s operators. They also raised the reward for anyone who could provide their real names to $20 million. This reward was increased from $1 million USD to $10 million late last month.

    LockBit, also known as Gold Mystic and Water Selkie, has gone through several versions since it started in September 2019, including LockBit Red, LockBit Black, and LockBit Green. The cybercrime syndicate was also secretly working on a new version called LockBit-NG-Dev before its infrastructure was taken down.

    “LockBit-NG-Dev is now written in .NET and compiled using CoreRT,” according to Trend Micro. “This allows the code to be more platform-agnostic when deployed with the .NET environment. It has removed the self-propagating capabilities and the ability to print ransom notes via the user’s printers.”

    One significant addition to the new version is a validity period, which allows it to operate only within a specific date range, indicating efforts by developers to prevent the malware’s reuse and resist automated analysis.

    Work on the next generation variant was reportedly driven by logistical, technical, and reputational problems. These issues were highlighted by the leak of the ransomware builder by a disgruntled developer in September 2022 and suspicions that one of its administrators may have been replaced by government agents.

    The ban of LockBit-managed accounts from Exploit and XSS at the end of January 2024, due to failure to pay an initial access broker, further complicated matters.

    “The actor appeared to believe they were ‘too big to fail’ and even showed disrespect to the arbitrator who would decide the outcome of the claim,” Trend Micro noted. “This interaction suggested that LockBitSupp is likely leveraging their reputation to negotiate payment for access or a share of ransom payouts with affiliates.”

    PRODAFT, in its analysis of LockBit, identified over 28 affiliates, some of whom are linked to other Russian e-crime groups like Evil Corp, FIN7, and Wizard Spider (aka TrickBot).

    These connections are also evident in the gang’s structure, which operates as a “nesting doll” with three layers, giving the appearance of an established RaaS scheme with dozens of affiliates while secretly borrowing skilled pen testers from other ransomware groups through personal alliances.

    This strategy is known as a Ghost Group model, as explained by RedSense researchers Yelisey Bohuslavskiy and Marley Smith, with LockBitSupp serving “as a mere distraction for actual operations.”

    LockBit is estimated to have made over $120 million in illicit profits during its run, making it the most active ransomware actor in history.

    “Considering LockBit’s confirmed attacks totaling well over 2,000 during their four years in operation, their global impact is likely in the multi-billions of dollars,” stated the U.K. National Crime Agency (NCA).

    Operation Cronos has likely dealt a significant blow to LockBit’s ability to continue ransomware activities under its current brand.

    “The rebuilding of the infrastructure is highly unlikely; LockBit’s leadership lacks technical capability,” according to RedSense. “People who were responsible for their infrastructural development have long left LockBit, evident in the simplicity of their infrastructure.”

    “Initial access brokers, who were crucial for LockBit’s operations, will not trust their access to a group after a takedown, as they want their access to be converted into cash.”
