If you were a victim of LockBit ransomware, please stand up. The FBI has acquired over 7,000 ransomware decryption keys, which can help victims “reclaim their data and get back online,” according to FBI Cyber Assistant Director Bryan Vorndran.
A LockBit of backstory. Based in Russia, LockBit is one of the most prolific ransomware groups in the world, according to the US Department of Treasury. The US and UK previously disrupted the ransomware group’s operations in February of this year, “seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and seizing control of servers used by LockBit administrators,” the US Department of Justice said in a press release that month.
After the FBI announced the obtained decryption keys at the 2024 Boston Conference on Cyber Security on June 5—in which the agency also spoke on the criminal ecosystem and cyber ops in a keynote address—IT Brew discovered that LockBit had posted contact information for former FBI employees, including the former CIO and former director, in what we believe is one of its group chats on Telegram—sharing addresses and phone numbers the group had collected on 30 people, almost all of whom had affiliations with the FBI.
IT Brew caught up with Adam Marrè—a cybersecurity expert who spent almost 12 years at the FBI and current CISO at Arctic Wolf—to chat about the FBI’s treasure trove of decryption keys and what they could mean for victims of the ransomware group.
How does the FBI usually obtain these decryption keys?
Well, in any operation, if you're able to take over the servers that the attackers use, or the threat actors use to conduct their attacks—you’re able to get many things that help them conduct those attacks, including tools. And, as is the case with ransomware, especially ransomware as a service, you’re able to recover those keys.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Have you seen the FBI do this before?
What is significant about this one is the number of keys made, because likely, it was so prolific and successful—unfortunately. But in this case, the FBI was able to recover so many of those keys. So, the sheer number is massive. There’s nothing that I’m aware of that's been on the scale…The FBI and other law enforcement organizations around the world, and other groups, have been able to discover keys from various ransomware threat actors in the past that released those to victims … Even in some cases, researchers have been able to reverse engineer or discover the keys in other ways, and then release them to the public as well.
With news of LockBit’s leader Dmitry Yuryevich Khoroshev’s indictment, what do you make of the claims by LockBit telling the FBI they have the wrong guy?
A couple of thoughts—and to caveat these thoughts, I do not have direct information about this case …There’s a couple of things going on here. One is, it’s absolutely, not only in their best interest, it’s also core to their playbook for LockBit to say, “This isn’t the guy,” right? They’re totally incentivized to do that, and lie about it, whether or not it’s true.
“One—it makes them seem like they're resistant to law enforcement—law enforcement can't get them. And two, they desperately need their affiliates … to have confidence that … they're not going to be tracked down through law enforcement—otherwise, their business model completely fails.”
Victims seeking additional information can get in touch with the FBI here.
IT Brew has reached out to the FBI for comment.