Russian Cybercriminals Thwarted as FBI Disrupts LockBit Ransomware Operations

U.S. and U.K. announce five Russian nationals indicted for LockBit ransomware crimes

One of the most active ransomware gangs in the world, the LockBit group of cybercriminals has targeted over 2,000 victims, extorted more than $120 million in ransom payments, and demanded ransoms totaling hundreds of millions of dollars. The criminal organization has been active since at least September of 2019, when it launched LockBit as ransomware-as-a-service (RaaS) for sale to hackers.

On February 21, 2024, the U.S. Department of Justice joined the United Kingdom and international law enforcement partners in London to announce a serious blow to the LockBit ransomware group. Authorities reported seizing numerous public-facing websites used by LockBit and also seizing control of servers used by LockBit administrators—thereby disrupting their ability to attack and encrypt networks and extort victims.

The announcement further stated that the U.K. National Crime Agency (NCA), in cooperation with the FBI and international law enforcement partners, has developed decryption capabilities that may enable hundreds of victims around the world to restore systems that were encrypted by LockBit ransomware. Victims are urged to contact the FBI’s Internet Crimes Complaint Center so that law enforcement can determine whether an affected system is able to be successfully decrypted. 

A Brief History of LockBit

LockBit ransomware has been active since at least September 2019, when it launched as ransomware-as-a-service (RaaS), one of the four most common types of ransomware. LockBit RaaS was made available by its creators as a for-profit product for use by other cyber criminals. Even the dark web has a commercial hierarchy.

The ransomware software was upgraded when LockBit creators rolled out LockBit 2.0 in June 2021. Six months later, in January 2022, cybercriminals added a Linux encryptor tool to specifically target VMware ESXi servers.

The Federal Bureau of Investigation was sufficiently concerned that, on February 4, 2022, they published a technical alert on the FBI Internet Crimes Complaint Center (IC3) regarding an increase in the frequency and sophistication of LockBit ransomware attacks. The alert requested that victims promptly report attacks to their local FBI Cyber Squad.

LockBit Combines Features of RaaS, Crypto, and Locker Ransomware

With the addition of the Linux encryptor tool in 2022, LockBit became a hybrid, combining ransomware-as-a-service and features of crypto-ransomware and locker ransomware.

Ransomware-as-a-service is so named because its creators host their various ransomware offerings on dark websites and allow other cybercriminals to purchase them on a subscription basis. Subscription fees may vary depending on a particular offering’s capabilities and are paid to the creators from the proceeds of the ransom.

Crypto-ransomware works by encrypting some or all files on a computer, rendering their contents inaccessible without a decryption key. A ransom is demanded in exchange for the key. Once the ransom is paid, the key is delivered, and the files are unencrypted. The process is effective because both sides honor their promises.

Taking the crypto concept a step further, locker ransomware completely blocks access to the entire computer system. A message on the computer screen demands a ransom in exchange for access. Again, once the ransom is paid, the files become accessible.

Many victims refuse to pay the ransom because they have complete and current backups of their data. Accessing a current backup enables them to resume business operations promptly, despite the ransomware encryption of the previous working copy. Data backups may be offline or online, with both formats offering certain advantages.

How LockBit Ransomware Works

The LockBit ransomware-as-a-service (RaaS) variant, like other major ransomware variants, follows this multi-step process, according to the FBI’s press release:

• Administrators or developers design ransomware and recruit other members or affiliates to deploy it.
• The developers maintain an online software dashboard or control panel to provide the affiliates with the tools necessary to deploy LockBit.
• These criminal affiliates then identify and unlawfully access vulnerable computer systems, either through their own hacking or by purchasing stolen access credentials on the dark web.
• Using the control panel operated by the developers, the criminal affiliates then deploy LockBit within the victim's computer system, which allows them to encrypt and steal data.
• The criminal affiliates then demand a ransom to decrypt the data or to avoid its release on a public data leak website maintained by LockBit developers.
  
  

Five Russians Indicted for Ransomware Crimes

With the indictments unsealed on February 21, 2024, a total of five LockBit members have now been charged for their participation in the LockBit conspiracy, as detailed in the FBI press release. The five are Artur Sungatov, Ivan Kondratyev, Mikhail Pavlovich Matveev, Mikhail Vasiliev, and Ruslan Magomedovich Astamirov, all Russian nationals.

• An indictment obtained in the District of New Jersey charges Artur Sungatov and Ivan Kondratyev with deploying LockBit against numerous victims throughout the United States and globally, including businesses in manufacturing, semiconductors, and other industries.
  

• Additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in that state. Kondratyev is also charged with three criminal counts arising from his use of the Sodinokibi or REvil ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.
• Also unsealed, two search warrants issued in the District of New Jersey authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption. The servers were used by LockBit administrators to host the StealBit platform, a criminal tool used by LockBit members to organize and transfer victim data.
• Sungatov, Kondratyev, Matveev, and Vasiliev are alleged to have joined in the global LockBit conspiracy, along with other LockBit members, to develop and deploy LockBit ransomware and to extort payments from victim corporations.
• In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Matveev with using different ransomware variants, including LockBit, to attack numerous victims throughout the United States, including the Washington, D.C. Metropolitan Police Department. Matveev is the subject of a reward of up to $10 million through the U.S. State Department’s Transnational Organized Crime Rewards Program, with information accepted through the FBI Tips website.
• In June 2023, Astamirov was charged with a criminal complaint in the District of New Jersey for his participation in the LockBit conspiracy, including his deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the U.S. awaiting trial.
• In November 2022, a criminal complaint was filed in the District of New Jersey charging Vasiliev in connection with his participation in the global LockBit ransomware campaign. Vasiliev, a dual Russian-Canadian national, is currently in custody in Canada awaiting extradition to the United States.
  
  

What to Do if You Become a Ransomware Victim

Due to its profitability, ransomware continues to be a popular cybercrime—although the LockBit disruption operation coordinated by domestic and international law enforcement organizations should throw a wrench in the LockBit machine. Still, businesses in the U.S. fall victim to ransomware on a regular basis. There are several actions to take the moment you realize your business is a ransomware target.

• First, contact the nearest FBI Field Office or report the incident on the FBI Tips website. The FBI is the lead federal agency for investigating cyberattacks and intrusions, collecting and sharing intelligence and “engaging with victims while working to unmask those committing malicious cyber activities, wherever they are.”
• Second, implement your organization’s Incident Response Plan immediately to address the incident, contain the damage, and notify required parties.

If you do not have a current Incident Response Plan, work with a cybersecurity firm to formulate and test a plan tailored to your organization.

How to Avoid Becoming a Ransomware Target

To reduce the likelihood of suffering an Internet-enabled crime or cyber intrusion, the FBI urges “every user of a connected device to be aware and on guard” and to implement the following preventive actions: 

• Keep systems and software up to date and install a strong, reputable antivirus program.

• Be careful when connecting to a public Wi-Fi network and do not conduct any sensitive transactions, including purchases, when on a public network.
• Create a strong and unique passphrase for each online account.
• Set up multifactor authentication on all accounts that allow it.
• Examine the email address in all correspondence and scrutinize website URLs before responding to a message or visiting a site.
• Don’t click on anything in unsolicited emails or text messages.
• Be cautious about the information you share in online profiles and social media accounts. Disclosing the names of pets, schools, and family members can give scammers the hints they need to guess your passwords or the answers to your account security questions.
• Don't send payments to unknown people or organizations that are seeking urgent, immediate monetary support.

In addition, employees and management should receive regular cybersecurity awareness training, including how to recognize phishing schemes, which often lead to ransomware attacks.

Summary

Ransomware continues to claim victims on a regular basis. Organizations are the most profitable targets for ransomware gangs, and unwitting employees too often serve as open doors into their organizations. Ongoing employee and management training in cybersecurity awareness, along with implementing the preventive actions urged by the FBI, have proven successful in reducing vulnerability.

Every organization should back up their data routinely and have a current Incident Response Plan in place to enable cybersecurity incidents to be addressed promptly and effectively. Working with a credentialed, experienced cybersecurity firm to proactively implement safeguards is far more attractive than the prospect of working with the FBI to try to recover ransomed data.