Before the takedown earlier this year, LockBit had risen to become one of the most prolific ransomware groups ever, launching hundreds of attacks per month and ruthlessly publishing stolen data from companies if they refused to pay. Boeing, the UK’s Royal Mail postal service, a children’s hospital in Canada, and the Industrial and Commercial Bank of China were all included in LockBit’s or its affiliates’ recent roster of victims. In one instance, the DOJ indictment says, LockBit demanded $200 million from one aeronautical and defense corporation based in Virginia.
Investigators are also starting to unpick more details about the scale and scope of LockBit’s operations. The NCA’s senior investigating officer, who is not being publicly named due to their continued involvement in the operation, says LockBit listed 2,350 victims publicly on its leak site up to the end of December 2023, but that this is just a small fraction of its hacking activity.
Within its system, there were 7,000 “attack builds” for unique victims, the investigator says. Organizations in the US, UK, France, Germany, and China were the most frequently targeted. More than 100 hospitals were listed, despite LockBit having internal rules not to target medical facilities. “When they said we will fire the individual publicly for doing that, they didn't fire the individual,” the investigator says.
“If you are a cyber criminal, and you are operating in these marketplaces, or forums or platforms, you cannot be certain that law enforcement are not in there observing you and taking action against you,” says Paul Foster, the head of the NCA’s National Cyber Crime Unit.
LockBit first emerged in 2019 as a fledgling “ransomware-as-a-service” (RaaS) platform. Under this setup, a core handful of individuals, organized by the LockBitSupp handle, created the group’s easy-to-use malware and launched its leak website. This group licensed LockBit’s code to “affiliate” hackers, who launched the attacks and negotiated ransom payments, ultimately passing around 20 percent of their profits back to LockBit.
Despite launching thousands of attacks, the group initially tried to keep a low profile compared to other ransomware groups. Over time, as LockBit became more well known and started to dominate the cybercrime ecosystem, its members became more brazen and arguably careless. The NCA senior investigator says they pulled data about 194 affiliates from LockBit’s systems and are piecing together their offline identities—only 114 of them didn’t make any money, the investigator says. “There were some that were incompetent and didn't carry out attacks,” they say.
At the center of it all was the LockBitSupp persona. The NCA investigator says there were “numerous” examples of the LockBit administrator directly “taking responsibility” for high-profile or high-ransom negotiations after affiliates had initially attacked the companies or organizations.
The DOJ indictment claims Khoroshev, as LockBitSupp, kept a close track of his affiliates, keeping databases of each affiliate and the victims they had targeted. “In some cases, Khoroshev demanded identification documents from his affiliate co-conspirators, which he also maintained on his infrastructure,” the indictment says.
Jon DiMaggio, a researcher at cybersecurity firm Analyst1, has spent years researching LockBit and communicating with the LockBitSupp handle. “He treated it like a business and often sought out feedback from his affiliate partners on how he could make the criminal operation more effective,” DiMaggio says. The LockBitSupp character would ask affiliates what they needed in order to more effectively do their work, the researcher says.
DashCat9 on May 7th, 2024 at 16:17 UTC »
I do IT work for a company that supports hundreds of hospitals.
There was a long run there where every week it was a different cyber security event that we had to deal with.
To call these people scum would be an insult to actual scum.
rnilf on May 7th, 2024 at 16:09 UTC »
Oops, he attacked his own motherland. I wonder if he'll actually face some punishment for that.
wiredmagazine on May 7th, 2024 at 15:12 UTC »
By Matt Burgess
For years, the leader of LockBit has remained an enigma. Carefully hiding behind their online moniker, LockBitSupp has evaded identification and bragged that people wouldn’t be able to reveal their offline identity—even offering a $10 million reward for their real name.
Now, law enforcement officials from the US, UK, and Australia say they’ve identified a Russian national who is 31 and lives in Russia; his sanction designation also lists multiple email addresses and cryptocurrency addresses, alongside his Russian passport details.
Read the full story here: https://www.wired.com/story/lockbitsupp-lockbit-ransomware/