LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, “has engaged with law enforcement,” authorities said.
The development comes following the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue accounts on third-party services like Mega, Protonmail, and Tutanota used by the criminals have been shuttered.
“We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement,” according to a message posted on the now-seized (and offline) dark web data leak site.
The move has been interpreted by long-term watchers of LockBit as an attempt to create suspicion and sow the seeds of distrust among affiliates, ultimately undermining trust in the group within the cybercrime ecosystem.
According to research published by Analyst1 in August 2023, there is evidence to suggest that at least three different people have operated the “LockBit” and “LockBitSupp” accounts, one of them being the gang’s leader itself.
However, speaking to malware research group VX-Underground, LockBit stated “they did not believe law enforcement know his/her/their identities.” They also raised the bounty it offered to anyone who could message them their real names to $20 million. It’s worth noting that the reward was increased from $1 million USD to $10 million late last month.
LockBit – also called Gold Mystic and Water Selkie – has had several iterations since its inception in September 2019, namely LockBit Red, LockBit Black, and LockBit Green, with the cybercrime syndicate also secretly developing a new version called LockBit-NG-Dev prior to its infrastructure being dismantled.
“LockBit-NG-Dev is now written in .NET and compiled using CoreRT,” Trend Micro said. “When deployed alongside the .NET environment, this allows the code to be more platform-agnostic. It removed the self-propagating capabilities and the ability to print ransom notes via the user’s printers.”
One of the notable additions is the inclusion of a validity period, which continues its operation only if the current date is within a specific date range, suggesting attempts on the part of the developers to prevent the reuse of the malware as well as resist automated analysis.
Work on the next generation variant is said to have been spurred by a number of logistical, technical, and reputational problems, prominently driven by the leak of the ransomware builder by a disgruntled developer in September 2022 and also misgivings that one of its administrators may have been replaced by government agents.
It also didn’t help that the LockBit-managed accounts were banned from Exploit and XSS towards the end of January 2024 for failing to pay an initial access broker who provided them with access.
“The actor came across as someone who was ‘too big to fail’ and even showed disdain to the arbitrator who would make the decision on the outcome of the claim,” Trend Micro said. “This discourse demonstrated that LockBitSupp is likely using their reputation to carry more weight when negotiating payment for access or the share of ransom payouts with affiliates.”
PRODAFT, in its own analysis of the LockBit operation, said it identified over 28 affiliates, some of whom share ties with other Russian e-crime groups like Evil Corp, FIN7, and Wizard Spider (aka TrickBot).
These connections are also evidenced by the fact that the gang operated as a “nesting doll” with three distinct layers, giving an outward perception of an established RaaS scheme compromising dozens of affiliates while stealthily borrowing highly skilled pen testers from other ransomware groups by forging personal alliances.
The smokescreen materialized in the form of what’s called a Ghost Group model, according to RedSense researchers Yelisey Bohuslavskiy and Marley Smith, with LockBitSupp serving “as a mere distraction for actual operations.”
“A Ghost Group is a group that has very high capabilities but transfers them to another brand by allowing the other group to outsource operations to them,” they said. “The clearest version of this is Zeon, who has been outsourcing their skills to LockBit and Akira.”
The group is estimated to have made more than $120 million in illicit profits in its multi-year run, emerging as the most active ransomware actor in history.
“Given that confirmed attacks by LockBit over their four years in operation total well over 2,000, this suggests that their impact globally is in the region of multi-billions of dollars,” the U.K. National Crime Agency (NCA) said.
Needless to say, Operation Cronos has likely caused irreparable damage to the criminal outfit’s ability to continue with ransomware activities, at least under its current brand.
“The rebuilding of the infrastructure is very unlikely; LockBit’s leadership is very technically incapable,” RedSense said. “People to whom they delegated their infrastructural development have long left LockBit, as seen by the primitivism of their infra.”
“[Initial access brokers], which were the main source of LockBit’s venture, will not trust their access to a group after a takedown, as they want their access to be turned into cash.”