LockBit is a ransomware company that, over the years, has carried out a number of major attacks on some of the world's largest companies, including Royal Mail, SpaceX and Boeing. LockBit and its businesses have terrorised the world, extorting at least $500 million in ransoms and causing billions in losses.
This is the story of the world's most notorious ransomware group and the desperate hunt for the man behind it. He loved being a supervillain - it was like playing a video game.
Let’s go back a bit to the end of 2010, when this new business model started to appear on the dark web. Ransomware is malware designed to steal and lock files on a computer, then demand money to unlock them — always in cryptocurrency.
Let’s remember XSS, one of the oldest Russian-language hacker forums. Around this time, XSS was already home to many ransomware operations, but on January 16, 2020, they got a new competitor. A user with the nickname “LockBit” appeared on the forum as a software seller, but there was a problem: nobody had heard of him before, so LockBit had no reputation. To reduce the mistrust, they did something rather unusual: they placed a deposit of 10.5 BTC (worth about $100,000 at the time) on the site.
XSS had an escrow system, and the deposit was a way to show other users that LockBit would not scam potential buyers: if they did, a buyer could file a fraud report and the XSS owners would pay out the deposit.
When LockBit came to the forum, they immediately put money on deposit, having already been running their business for almost a year. Incidentally, they started in 2019 with a project called ABCD ransomware. It was not originally ransomware-as-a-service. However, on XSS they opened it as ransomware-as-a-service and started recruiting affiliates.
The post in question promoted a new ransomware program that had apparently been in development since 2019. It lists a long list of features, with a strong emphasis on encryption speed. What’s even more interesting is that LockBit didn’t just want to sell the software in one-off deals; it was looking for partners: people who would use the ransomware to infect companies or individuals, demand money from the victims, and then share the profits with LockBit. In essence, the affiliates would do the dirty work.
This was a new phenomenon in the world of malware.
Previously, this kind of malware would sell for thousands of dollars a pop, but XSS hackers quickly realized that, like big businesses, it was much more profitable to make their software available to almost anyone and then just take a cut of the illegal profits. In LockBit’s case, the fee is 20%.
There’s one more thing I’d like to point out in this post: the rule that says LockBit can’t be used in CIS countries — like Russia, Kazakhstan, Armenia. This is a common rule that cybercriminals often use. It’s legal to hack anyone, as long as it’s not someone on their own territory. But cybercriminals also make such statements in order to try to throw investigators off track.
Whoever created LockBit realized that in order for the project to succeed, it needed to attract users, but advertising an illegal service is not exactly a simple matter. Around this time, they created a new persona - this would be the face of LockBit - called "Support LockBit" and registered new accounts under this name on the most popular hacker forums in Russia, including XSS.
LockBit Support became an active participant in the discussions that took place there, publishing informational content, interacting with other users, trying to attract attention and build a reputation. However, forum activity alone was not enough. LockBit Support clearly had spare money, so they launched a unique marketing campaign: the Summer Paper Contest, inviting participants to write articles about hacker tips, tricks, and stories with a cash reward of thousands of dollars.
The Summer Paper Contest allowed other hackers and criminals to submit new exploit ideas or new ways to hack targets. And it worked. By sponsoring events like this, the organization builds its image and credibility in the community by judging other criminals. This move was a significant achievement on the forum and LockBit’s first successful marketing move, attracting the attention of both authors and potential partners.
However, to achieve real success, LockBit needed a unique marketing campaign that would attract the attention of international newspapers. It took time to realize this idea, however. At the time, LockBit had a small user base that had discovered serious flaws in the system.
LockBit almost failed early in its existence – they were very close to ruining their reputation to the point that they would be forced out of the market altogether. Two months after the big marketing campaign, a user named Waxford, tired of LockBit’s poor quality software, filed an arbitration claim against them – this is like a fraud report.
This ransomware, when infected, directs you to a support service hosted on the Tor network, where you communicate directly with the hacker to make a deal. Below is an image of the LockBit chat.
After months of working as an affiliate, Waxford had not received any commission despite infecting many victims. After digging around, he discovered that LockBit does not actually encrypt files on network drives. Very rarely are individuals victims of ransomware - often it is companies. Companies have a lot of money, but companies use file-sharing networks, so this was a big problem. And if the files are not encrypted, there is no reason to pay.
Now a user on the forums was demanding 10 BTC from LockBit as compensation. This was not very pleasant for LockBit, but the way they handled it was even worse. They outright refused to take responsibility, said that he should have tested the software before deploying it, and rejected the claim. 10 BTC was still worth $100,000 in September 2020.
But things got a lot worse as a bunch of other participants came to support Waxford’s claims. Now, with a damaged reputation and a tiny user base, LockBit needed a new strategy.
Two weeks later, an advert appeared for a developer who knew Active Directory. Active Directory is what manages file sharing on Windows systems and user permissions on company internal networks, and LockBit was obviously looking for someone who understood it well so they could fix the problem and exploit it. This marked the beginning of the development of LockBit 2.0. The world didn’t know it yet, but the most popular ransomware in history would soon be released. But even LockBit didn’t know that as development of the new version neared its end, the perfect opportunity to release it would soon present itself.
On the morning of May 6, 2021, Colonial Pipeline, a company that supplies 45% of the fuel on the East Coast of America, fell victim to a ransomware attack. People went crazy, the problem spread to 17 states, and Joe Biden declared a state of emergency, saying it was a direct threat to national security. Seeing no other way out and wanting to fix the situation as quickly as possible, Colonial Pipeline paid a ransom of 75 BTC, which at the time was equal to $4.4 million, to one of the most notorious ransomware groups of the time, DarkSide.
But on May 13, just one day after the fuel infrastructure was restored, the DarkSide website went completely offline. They had gone too far. In a counter-operation, the FBI managed to hack DarkSide’s infrastructure, seize its assets, and even return part of the ransom to Colonial Pipeline. But there was bad news: the US blamed Russia, and the very next day the owner of XSS posted a message on the forum announcing a new rule: no more ransomware.
If you look at the message, you will see that it mainly expresses the author’s personal beliefs: he says that the forum is for learning and gaining knowledge, which is not entirely true. But then he writes that newbies open the media and see crazy virtual millions of dollars there; they don’t want anything, they don’t want to learn anything, they don’t program anything, they don’t even think. Their whole existence is “encrypt, get paid.”
But in reality, it wasn't forbidden. These forums are very much a popularity contest. For LockBit, it was a double win, because in addition to being part of the "bad boys club," there was one less player in the market. DarkSide affiliates were now looking for a new home, and LockBit was just a month away from releasing a new version that would soon be used to extort hundreds of millions of dollars.
In November 2023, LockBit leaked Boeing files, which brings us to the second part of the update. LockBit 2.0 had a shiny new website that hosted these extortion demands, along with a board of current victims and a countdown to when their data would be released if they didn’t pay up. Of course, the site was hosted on the Tor network, and yes, it served as a good incentive to get victims to pay, not only because it created a sense of urgency, but also because it confirmed that the threats were real. But it also created another phenomenon: people in the cybersecurity world started monitoring the LockBit page to see when new victims had been compromised. That’s what the Twitter post was about, and it helped LockBit grow in popularity, which in turn attracted more and more affiliates: a vicious cycle.
This attention is exactly what LockBit wanted. But the other side of this increased popularity is that they are now just as interesting to the people who took down DarkSide just a month earlier.
In July 2021, news broke that Accenture had been hacked. LockBit 2.0 stole 6 terabytes of sensitive data from the company and its clients. This is a big deal because Accenture is the world's largest IT services and consulting company. That meant they worked with three-quarters of the Fortune Global 500. And thanks to LockBit, everyone knew exactly what had happened and the price they were asking for the decryption keys: $50 million, to be sent in cryptocurrency by August 11. Otherwise, all of the company's stolen secrets would be made public.
Any normal company would have called an emergency meeting and warned their clients, but Accenture kept quiet about the incident, claiming that the data they stole wasn’t, quote, “sensitive enough.” What’s more, they refused to pay, and LockBit wasn’t too happy about that. To up the ante, LockBit targeted Bangkok Airways and Ethiopian Airways, both Accenture clients, and Accenture still refused to pay. As a result, LockBit released 2,384 files to the public, a far cry from the 6 terabytes of data they claimed to have stolen. Even though the ransom was never paid, there must have been champagne flowing at LockBit headquarters because the debut of version 2.0 couldn’t have gone any better. In fact, it was the best advertising campaign to date. More and more affiliates joined the software, and LockBit became one of the top four players in the ransomware world.
In November 2021, they had another big success. One of the well-known leaders, RaaS company BlackMatter, went out of business. Being on friendly terms with the owner of LockBit, they recommended their partners to switch to the LockBit platform. The dude got an entire user base for free! But it wasn’t enough. As a result, LockBit was left with two main competitors: REvil and Conti. If they could destroy them, LockBit would get all their users.
Around the same time, in late 2021, a lawsuit over a ransomware attack on a hospital was making headlines. The hospital claimed, quote, “Nico suffered a severe traumatic brain injury because medical staff failed to notice that the umbilical cord was wrapped around her neck,” because, quote, “the loss of access to critical resources and information was caused by a cyberattack.” When LockBit saw this, they decided: what better way to attack REvil than to accuse them of being the ones behind it?
You see, in the world of cybercrime, where there are no legal rules, there is still a kind of criminal code. Many groups refuse to attack hospitals, and LockBit accuses REvil of being the ones behind this attack, hoping that people with moral principles will not work with them. Instead, they will work with LockBit.
This is terrible, knowing that LockBit will continue to hack hospitals, including children’s hospitals. So the motive for this was purely a campaign of incrimination, a campaign that will continue.
In the end, it was not even REvil who did the attack, it was someone else, but that was not revealed until six months later. If you look at what the FBI found, it was a tool called Ryuk, which was unique and controlled by Wizard Spider, known today as Conti. Shortly after, REvil successfully hacked MSP software provider Kaseya, gaining access to 1,500 companies using Kaseya’s software and infecting them with ransomware.
This was the main target, but the attack failed miserably as the FBI somehow managed to provide the victims with free decryption keys. Millions of dollars in potential ransom money were wasted.
The most interesting question is how the FBI got the decryption keys for REvil. They somehow got access to the backend, which only REvil management was supposed to be able to reach. REvil had an honest answer to this question: they claimed that someone had hacked their servers and then distributed the keys to the affected companies. LockBit supporters immediately began suggesting that this was bullshit, that REvil had been infiltrated by the FBI, and that no one should work with them. LockBit wanted REvil gone, and they were about to get their biggest wish.
On January 14, 2022, the Russian Federal Security Service raided 25 addresses associated with 14 REvil members, seizing 20 luxury cars and $5.5 million in cash and cryptocurrency, apparently after receiving information from the United States. This came after an operation carried out in several countries to hack and disable REvil servers.
But there was one company, a giant in the ransomware market, that LockBit couldn’t take down no matter how hard it tried: Conti. Conti had been the market leader since 2020. It was a well-known Russian ransomware-as-a-service (RaaS) provider that was itself responsible for attacks on hospitals, governments, and Fortune 500 companies. The company was powerful, and LockBit couldn’t take them down — until they did.
The day after February 24, 2024, Conti posted a message endorsing military action and threatening anyone who stood in Russia’s way. LockBit then posted their own message, claiming they were apolitical and only interested in money. Suddenly, Conti replaced their post with a new one, claiming they did not actually support any government and condemned the current war situation. Something had happened internally, but it was too late to reverse it.
Three days later, cybersecurity journalists began receiving unexpected emails from the Ukrainian branch of the Conti ransomware group. The email read, “We promise this is very, very interesting,” and contained a file with 60,000 messages, URLs of leaked private data, and Bitcoin addresses from Conti’s internal correspondence. But that was not all. Then, the same person leaked something even more serious: the source code for Conti’s ransomware encryptor, decryptor, and builder.
The leak caused a major crisis of confidence in the group and left it highly vulnerable to law enforcement. So, three months later, the remaining Conti management decided to liquidate the brand. The Conti name was officially destroyed, and its public infrastructure, including the ransomware negotiations and victim data leakage sites, was permanently disabled.
This was the perfect moment for LockBit to seize complete control of the market, but they faced a problem: Conti’s software had more advanced features. To capture its user base, LockBit needed to quickly implement these capabilities into its own software.
A month after Conti’s downfall, LockBit released a major update to the ransomware, suspiciously fast — LockBit 3.0, which was as capable as the fallen giant. In a similar vein, another marketing stunt was launched – this time offering $500 to $1,000 to anyone who would get a tattoo of the LockBit logo and post about it on social media. It’s hard to believe, but many people took the offer.
Within a month, LockBit and its affiliates were conducting almost two major attacks a day, outstripping all competitors. They officially took first place. LockBit had achieved its dream, and, in addition, the company found itself in the spotlight of developers, who happily began to study the new code. The results of their study were more than strange: some of LockBit’s new features used DarkSide code.
How is this possible? Remember when DarkSide was blamed for the Colonial Pipeline hack? After the FBI shut them down, DarkSide rebranded as BlackMatter. But that didn’t help either, and one of the developers, not resigned to the constant failures, started looking for a more stable partner. He thought LockBit would be such a partner, but during the work on 3.0 it turned out that he had simply taken the code from his previous employer. This led to a heated exchange of messages on the forum between DarkSide and LockBit, in which DarkSide accused LockBit of stealing their developer.
On September 21, a mysterious Twitter account claimed that it had hacked LockBit’s servers and stolen their builder, a tool intended exclusively for affiliates. Within hours, cybersecurity experts had downloaded and decompiled it for analysis and study.
But in fact, LockBit was not hacked. You see, 11 days before Ali posted this leak, VX Underground made their own post: “An unknown user named Proton contacted us and provided access to LockBit 3.0 builds.” VX Underground then contacted LockBit support via Tox chat and asked whether the leak was real and how it could have happened. The answer? The leak was 100% real, and they knew who the leaker was: a new developer they had hired for 3.0.
Continuing on the topic, LockBit admits to hiring the developer and the whole story about buying or not buying the BlackMatter source code was nothing more than a fairy tale to save the developer’s ass from the revenge of his previous employer. But now things have gone awry. Probably because LockBit posted a message that basically said that they know the developer’s real identity and can ruin his life if they want. Messages like these allowed the experts to deduce what gangs the developer had previously worked for.
It was obvious that this person wanted to stay in the shadows, so of course he was upset. None of this would have happened if this guy had been treated decently. LockBit spends so much time on customer service - getting revenue from its affiliates, finding out what they want to change, what they like and don't like - but then, instead of developing and supporting the core people who worked for it, it just screwed them.
It's kind of funny that in version 3.0 they introduced a bug bounty program, and someone reported a bug that had already been found and fixed in BlackMatter. Because the developer had copied the code, LockBit blamed him: LockBit 3.0 contained a lot of BlackMatter code, and the bug that was in BlackMatter was still there. Someone found it, and LockBit had to pay a bounty of $50,000.
LockBit deducted the $50,000 from the developer's money and did not pay him the full amount. This situation made the developer very angry and LockBit started threatening him, to which the guy said: "Okay, I'm leaving." The developer then leaked the code, creating two different fake accounts, but this is not really relevant to this story.
The main thing is that the code was publicly available. The real damage was that now anyone could use it. Many affiliates simply started working on their own.
LockBit claimed that the success rate of attacks was not the same as when using their "licensed" program. Plus, this created a lot of confusion for specialists in studying and responding to hacker attacks, since now, having seen an attack by LockBit, specialists had to figure out whether it was really LockBit or just a lone wolf using the leaked code. For LockBit, this was a double whammy. In addition to leaking information, they now had no developer to support the software.
That’s where things went awry. In December, one of the affiliates attacked SickKids Children’s Hospital in Toronto and took down its internal systems. Two days later, LockBit’s support team responded, gave SickKids the decryption keys for free, and banned the affiliate for “violating the terms of service” because they don’t allow attacks on healthcare facilities. But that was a lie. In this case, he did return the key to the organization, but not because he cared about the children. The story repeated itself later with St. Anthony’s Hospital.
That hospital also had a pediatric oncology ward. Six months before that, another affiliate had attacked a French hospital called CHSF. Surgeries were delayed, doctor appointments were cancelled, and when the $10 million ransom was not paid, sensitive data was leaked. LockBit did nothing, most likely because the situation was not widely publicized at the time.
We know that if a ransomware attack is large enough, it can literally wipe out anyone. This was the case with DarkSide and REvil. Likewise, LockBit has often denied that its affiliates were involved in these attacks.
In January 2023, someone hacked Royal Mail, stole gigabytes of sensitive data, and then encrypted it, demanding a mind-boggling $80 million in exchange. This was a huge problem for Royal Mail. Without their systems, they were forced to stop all international deliveries. The deadline for them to bend the knee and pay was February 9th. The news made headlines.
Meanwhile, LockBit support said it was a leaked version of the builder with unknown content (whatever that means), that the attack was "aimed at tarnishing our good name", and that no decryptor would be provided after payment. They claimed there was no ransom to pay. Something doesn't add up here. To add insult to injury, it was discovered that the attack had in fact definitely been carried out with LockBit software, as Royal Mail was directed to an official LockBit negotiation page.
When this was revealed, LockBit still refused to take any responsibility. This is a great example of them using the leaked code as an excuse whenever things got heated: "It wasn't me; it was a partner who went solo and used my leaked builder." But whenever an attack looked like it would make them money, it would suddenly turn out to be LockBit after all. And this happened several times.
First, a Royal Mail negotiator would just try to get them to lower the price. Then he would drag things out for a few days, and then he would ask them to decrypt a small file, apparently related to the delivery of medical supplies. But it seemed to be a lie. In fact, this small file contained data that was important to Royal Mail, and they were hoping that LockBit would decrypt it. LockBit wasn’t buying it.
Still, the negotiator dragged on, and LockBit dragged on and on. Finally, on February 6th, they had enough. A small portion of Royal Mail’s files were leaked online, with the threat of releasing the rest if an $80 million ransom was not paid within the next 50 hours. Again, Royal Mail refused. So they stopped all contact, and on February 9th, LockBit leaked the files, but they didn’t contain anything of substance. There was no confidential customer information, no financial information. Royal Mail was right; they called LockBit’s bluff.
News stories started appearing about what was going on. In June, it was discovered that the page from which the files could be downloaded was no longer online.
Another interesting case is Maximum Industries. It’s an aerospace company that makes parts for SpaceX. Someone from LockBit hacked them and stole all their data, including thousands of secret engineering schematics. This, of course, caused a big stir on Twitter, but despite the threats, SpaceX and Maximum Industries refused to pay up. So when it came time to leak the files they claimed to have stolen, they had nothing to release. It seems that LockBit started claiming they had data they didn’t, which means that future victims will be less likely to pay up, anticipating the bluff.
With the release of LockBit 3.0, many aspects of the attack were automated, not requiring manual keyboard control as before, which made the attack much easier. It received a huge influx of affiliates, which is what made it the “Walmart of ransomware”. But with all this growth and volume, it became difficult to deal with all the small problems that were arising, and they escalated into much larger ones.
Just a month later, on April 12, 2023, a cybersecurity researcher named DarkTracer posted a blog post accusing LockBit of becoming lazier.
LockBit Support didn’t like it. So instead of shrugging it off, LockBit went on the attack, hacked a website, and published its data. Admittedly, it was a pretty quick response. But the site it hacked belonged to DarkTrace, not DarkTracer, who had been tweeting about LockBit’s services. In their anger, LockBit support had accidentally targeted another cybersecurity company.
Given these issues, some partners left, but there were still so many people wanting to take their spots that it didn’t have a significant impact on operations.
At one point, things went completely awry, and other ransomware groups started fighting LockBit. One user wrote on Exploit (one of the best Russian underground forums) asking where he could find the leaked 3.0 builder so he could use it himself. Unexpectedly, LockBit support responded, offering him to simply join their affiliate program. But before the user could respond, Baddie, a known member of the Royal ransomware group, chimed in with a question that sounded accusing. He asked LockBit support why they were asking developers to give them access to their builders.
LockBit responded with excuses, but Baddie wasn’t buying it. Instead, he directly accused LockBit’s support team of trying to steal the code of a competitor’s ransomware to incorporate into their own.
This was a clear rebuke, implying that LockBit was so desperate that it was resorting to copying code from rival ransomware groups. And Baddie was right. As we already know, version 3.0 was essentially a copy, but in the same month that this post was published, LockBit released a new version called LockBit Big Green.
This was seven months after the problematic version 3.0 was released, and with the developer gone, 3.0 was likely difficult to maintain. They couldn’t add new features to it, so instead of trying to fix the problem, LockBit apparently released a new version, Green, which boasted even more features. But when experts analyzed it, they found that it was essentially a rebranded version of CONTI ransomware.
Shortly after CONTI's downfall, its source code had been leaked, and there it was, rebranded as LockBit. After this news broke, LockBit support quickly began to change its position, stating that its goal was to include all the best ransomware variants in the panel, giving affiliates the ability to choose which ones to use. They even asked what else affiliates needed to be happy, promising to "please them endlessly".
The truth was that users were not happy with version 2.0. While LockBit support continued to desperately try to create the impression that they were the most effective, this was not the case at all. From February to June 2023, the stolen data was not published on the site at all. Download links either completely disappeared or simply led to nowhere. Affiliates were the first to notice, many of whom chose to work with other ransomware providers. Eventually, LockBit support claimed that the issues had been resolved after hiring a tester, and blamed the large files being uploaded by affiliates. But the problem still persisted.
If you hack a company and the ransomware screws everything up, the affiliates are going to be pissed because they just lost a ton of money. And one of them was going to change the entire trajectory of LockBit. On January 30, 2024, a user named Mitch filed an XSS arbitration claim against LockBit support. It was a fraud report. Mitch is a tier 1 reseller. These guys infiltrate networks, find weaknesses, but instead of exploiting them, they just sell the compromised access to the highest bidder, usually an extortion ring.
In this case, Mitch had given access to LockBit, and now he was demanding $4 million for his services, a fraction of what LockBit had made from the attack. But of course, LockBit refused to pay. The case was so specific that the owner of XSS, Admin, decided to review the claim and make a final decision, and it didn’t go in favor of LockBit Support. Admin ruled that Mitch should get a 10% share of the profits. LockBit, in typical LockBit fashion, refused. And this was Admin's reaction: "Unfortunately, the defendant has rejected the demand. Case closed." Support LockBit was banned.
But there is a rule on Russian hacker forums: if you get banned from one, you get banned from all. Seeing this, the Exploit administrators banned him from their forum as well, assigning him the same status: scammer.
After being banned from the most popular hacker forums, he tried as a last ditch effort to appeal his ban on the less popular Ramp forum. This forum is almost entirely dedicated to hacking software. He asked the owner of Ramp to reconsider and not do anything about his status on the other two forums. This meant that at the very least, he could remain on this forum, albeit with much less influence due to its low popularity. But in the end, it didn't matter, given the events that would happen just a few days later.
Later, on February 19, people attempting to access the LockBit website were greeted by a startling image: the LockBit logo surrounded by 11 balloons with the message, “This site is now under law enforcement control.” VX Underground quickly reached out to the Tox chatroom for an answer. LockBit employees responded simply, “FBI pwned me.” Law enforcement had somehow exploited a vulnerability in the LockBit server and taken over the site entirely.
To further garner media attention, the message included an invitation for visitors to return at 11:30 GMT the following day for more details. This officially marked the start of Operation Cronos, a coordinated effort by the FBI, Europol, and the NCA to take down LockBit once and for all.
The next day, the site was updated and looked almost exactly the same as before, except that all the leaked company cards had been replaced with law enforcement announcements, press releases, recovery tools and decryption keys, and the headline: “This site is now under the control of the Cronos Task Force.” Meanwhile, on the page where affiliates would normally go to log in, they were greeted with this chilling warning: “Law enforcement has received information about victims you have targeted, amounts extorted, data stolen, and more. Please thank LockBit support for this situation. We may be in touch soon.”
Just imagine the conflicting thoughts that must have been going through the affiliates’ heads. You are an affiliate, you are a criminal, you don’t want anyone to know who you are, and you trust LockBit to provide you with that anonymity. Now all your data has been leaked to a third party. Literally, affiliates felt like victims.
Back on the main page, one card stood out: “Who is LockBitSupport?” — the $10 million question, complete with a ransomware-style countdown. The FBI was trolling hard here, demeaning LockBit support in its own style.
In January, just before LockBit support was banned for XSS, he wrote this post saying he was disappointed that the FBI had not yet put out a reward for his file and arrest. Likewise, he had put a bounty on his own head — $1 million for anyone who could find out his real name.
The entire cybersecurity world would have to wait until February 23 for an answer to that question, and in the meantime, Operation Cronos was just getting started.
The police were starting to arrest affiliates. First, a father-and-son duo from Ukraine accused of attacking French medical facilities. The next day, Polish special forces arrested one of the affiliates in his own home.
Three members of the group were arrested in the first week, and you can bet many more were shaking in their boots, because the FBI released a list of 193 people suspected of being active in the group, information they said they had obtained by hacking LockBit. The FBI also said it had obtained payout data. To get a handle on the scale of LockBit’s operation, law enforcement teamed up with Chainalysis, the same company that cracked the Mt. Gox case.
What they found was staggering. From July 2022, when LockBit 2.0 launched, to February 2024 — just 18 months — more than 30,000 Bitcoin addresses collected $120 million worth of cryptocurrency. But that’s just the 20 percent fee LockBit admins took, meaning affiliates swindled more than $600 million in just 18 months. Even harder to measure is the damage this has caused to companies, which is literally in the billions.
As the number of arrests mounted, attention turned to the next big question: Is the FBI finally going to reveal the identity of the “$100 Million Man”? The view counter on the bottom right of the “$10 Million Question” post quickly climbed to 30,000 as anticipation of the identity of LockBit support grew. That’s a lot, considering the site was hosted on the Tor network.
Then, as the date approached, the FBI upped the ante, offering a bounty of up to $15 million for information on LockBit administrators and affiliates.
They even created a Telegram account called “FBI Support” to reward tipsters. But despite all this, LockBit Support seemed unfazed. He contacted VX Underground and shared his thoughts on the situation.
First, he claimed that the feds had made a mistake in arresting them — the men had nothing to do with LockBit. Second, he suggested that the feds didn’t really know who he was, and that he was now willing to pay up to $20 million to anyone who could discover his true identity. Lastly, he disparaged the FBI’s technical skills, blaming the hack on his own laziness, claiming that he hadn’t updated PHP. The old version the site was using had a critical vulnerability, making it easy to hack.
But when the day finally arrived, the FBI extended the countdown by a few more hours, presumably to build attention. Because when it hit zero and the page refreshed, what followed was perhaps one of the biggest events in the history of online organized crime. Two new messages appeared, claiming that LockBit Support was not based in the US or the Netherlands, and that he drove a Mercedes, not a Lamborghini. These were refutations of the false information he had previously spread about himself online.
Then the FBI claimed to know who he was, where he was, and how much he was worth, hinting that he had even been cooperating with law enforcement. But there were no photos, no names, nothing but a few blank lines of bland LockBit Support information.
This outcome seemed to confirm LockBit Support’s assumption that the whole thing was just a psyop, that the feds really had nothing on him. The very next day, the LockBit site was restored using backup servers. At the same time, LockBit Support posted an incredibly long response detailing his side of the story. He begins by saying that, after “years of swimming in money,” he had become lazy and hadn’t paid much attention to the problem, thinking it was a trivial matter.
So, at 6:00 AM on February 19th, he noticed that the site was throwing a 502 Bad Gateway error. He was able to quickly resolve the issue by simply restarting the web servers. In reality, it wasn’t that simple. By 8:00 PM, a 404 Not Found error had appeared on the site, and after digging around, he noticed that all the information on the server's hard drives had been completely wiped. Whoever had gained access had done this. He goes on to say that he had accidentally stumbled upon what he believed the FBI had used to gain access to his servers. He had been running an outdated version of PHP; due to his laziness, he had not updated it to the latest version, which was a big no-no because the old version had a known vulnerability. He suspects that the FBI had used this to gain access, since he had a ton of other servers, but only the ones running this version of PHP were actually taken over.
He has now brought the servers back online, running the latest version of PHP, so the problem shouldn't happen again. He even goes on to praise the agent who found the vulnerability, asking how much he was paid for the job, and says that if it was less than a million dollars, he should just come work for him. And finally, he shares some personal thoughts: “Everything the FBI does is aimed at destroying the reputation of my affiliate program. They want me to leave and quit my job. They want to intimidate me because they will not be able to find and eliminate me. I am unstoppable. I am very glad that the FBI has invigorated me, charged me with energy and made me distracted from entertainment and spending money. It is very difficult to sit at a computer with hundreds of millions of dollars. The only thing that motivates me to work is strong competitors in the FBI. There is a sporting interest and a desire to compete.
Therefore, I am ready to risk my life for the sake of my work. This is how a bright, rich and interesting life should be. Neither FBI agents nor their assistants will be able to scare me or stop me.”
And now LockBit Support is back in full combat readiness, ready to do anything to restore their credibility. A fresh list of new victims has appeared on the restored LockBit website, including the FBI itself. Needless to say, the entire Internet laughed at the FBI for a while, because this was damn weak dirt. But it seems the FBI just needed time to turn the information they had into a full-fledged information bomb. Just when it seemed that the case was going cold, the US Department of Justice dropped a bombshell: an indictment against the founder of LockBit. They didn’t just have a name, they had a face.
Meet Dmitry, aka LockBit Support, the mastermind behind LockBit, a 31-year-old Russian who lives a seemingly ordinary life. He drives a Mercedes, plays pool, and maybe even does gardening. And we know all this because, in an instant, the Twitter OSINT community went into overdrive. The indictment revealed his two email addresses. It’s crazy that one of the biggest hackers uses iCloud. And these emails were more than enough to reveal almost everything about his life. In January 2023, Yandex was hacked, and now experts were digging through his order data. Crucially, the leak revealed his phone number, which led to his VK profile - which at that point was completely public.
They also found that he registered a company in July 2021. This coincides with the beginning of LockBit 2.0, and it’s quite possible that the company is a front for money laundering. It’s just a weird blog about fabrics and clothes, full of seemingly generated posts. But the most important finds were his address and a review he left of his Mercedes, license plate number included. There are also several gardening-related blogs that someone posted under his well-known nickname - perhaps he’s a gardening enthusiast.
They even found his first VK profile. Apparently this guy was a fan of Counter-Strike 1.6 as a teenager, even offering to help run servers for the game when he was 14. Maybe that was the beginning of his tech talent.
It just goes on and on. There's a dating profile where he says he has an "average income." A post about being a ransomware victim himself may have been the motivation for this whole thing.
It took just one day for his entire life to be exposed. And so, out of desperation, he turned to VX Underground, claiming that the FBI was bluffing, that he felt sorry for this Dmitry guy because they had got the wrong man, and now he was going to take the blame. To further cement this idea, he posted a message announcing a contest: $1,000 to anyone who could get in touch with this poor Dmitry, because it couldn't be him and he really wanted to know if he was okay.
And a lot of people were like, "Well, it probably wasn't him, because LockBit would have better security than this guy." But once you have a name for the suspected bad guy and you work from there, it's a lot easier. If he hadn't had good anonymity, people would have figured out who he was. The reality is, no one did until his name was released. So he had good OPSEC.
There's no telling at this point how law enforcement identified him. They haven't provided any evidence. If you look at the indictments of other ransomware bad guys, the evidence is generally never released, because it's held until the day the person gets to court, to be used against them in the prosecution. So the FBI generally doesn't share that information with the public. But we can be sure that they have secret tools, which we'll never know about, that they used to confirm 100% that it was him.
One theory about how he was unmasked involved cryptocurrency: that LockBit had started selling crypto. But VX Underground said that was not the case. "He barely touched it." LockBit presented himself on the forums as a gangster from a movie, but in reality he was never obsessed with material things. What mattered to him was becoming famous in the Russian cybercrime world. He liked being a supervillain. He wanted this criminal fame. And most likely, that is more important to him than money.
Meanwhile, the feds announced a reward of $10 million for any information that would lead to Dmitry's arrest. How everything had turned upside down. They have his full name and his face, so why hasn't he been arrested?
The thing is, for Dmitry the main concern is not the United States. The United States cannot touch a hacker who is in Russia. The Russian Constitution protects them; Russia does not extradite its citizens. And if the hackers are very famous, the government may even allow them to continue hacking in exchange for acting on its behalf. It has good relations with cybercriminals because it knows it can use their talents for espionage. For example, VX Underground recently reported that Dmitry is now working for the FSB.
But Russia isn’t the only place LockBit affiliates are based. Many ransomware gangs are much more global than we might think. They have members all over the world. Perhaps the reason Dmitry was defeated was that he allowed anyone to join LockBit, and it’s likely that too many of these affiliates live in countries that extradite to the US. For example, last year the capture of one LockBit member living in Canada, Mikhail Vasiliev, was announced. He faces several charges related to his ties to the gang and is currently awaiting extradition to the US to face trial. Another person we know about is a guy named Michal, a Polish citizen who was arrested for extorting 49 different companies using LockBit. He’s currently in custody in Cyprus and will likely be extradited to the US.
Source

Start

This was a new phenomenon in the world of malware.
Previously, this kind of malware would sell for thousands of dollars a pop, but XSS hackers quickly realized that, like big businesses, it was much more profitable to make their software available to almost anyone and then just take a cut of the illegal profits. In LockBit’s case, the fee is 20%.
There’s one more thing I’d like to point out in this post: the rule that says LockBit can’t be used in CIS countries — like Russia, Kazakhstan, Armenia. This is a common rule that cybercriminals often use. It’s legal to hack anyone, as long as it’s not someone on their own territory. But cybercriminals also make such statements in order to try to throw investigators off track.
Whoever created LockBit realized that in order for the project to succeed, it needed to attract users, but advertising an illegal service is not exactly a simple matter. Around this time, they created a new persona - this would be the face of LockBit - called "Support LockBit" and registered new accounts under this name on the most popular hacker forums in Russia, including XSS.

LockBit Support became an active participant in the discussions that took place there, publishing informational content, interacting with other users, trying to attract attention and build a reputation. However, forum activity alone was not enough. LockBit Support clearly had spare money, so they launched a unique marketing campaign: the Summer Paper Contest, inviting participants to write articles about hacker tips, tricks, and stories with a cash reward of thousands of dollars.

The Summer Paper Contest allowed other hackers and criminals to submit new exploit ideas or new ways to hack targets. And it worked. By sponsoring events like this and sitting in judgment over other criminals' work, the organization built its image and credibility in the community. This move was a significant achievement on the forum and LockBit’s first successful marketing move, attracting the attention of both authors and potential partners.

However, to achieve real success, LockBit needed a unique marketing campaign that would attract the attention of the international press. It took time to realize this idea, however. At the time, LockBit had a small user base that had discovered serious flaws in the software.
LockBit almost failed early in its existence – they were very close to ruining their reputation to the point that they would be forced out of the market altogether. Two months after the big marketing campaign, a user named Waxford, tired of LockBit’s poor quality software, filed an arbitration claim against them – this is like a fraud report.

Once a machine is infected, the ransomware directs the victim to a support service hosted on the Tor network, where they communicate directly with the hacker to make a deal. Below is an image of the LockBit chat.

After months of working as an affiliate, Waxford had not received any commission despite infecting many victims. After digging around, he discovered that LockBit did not actually encrypt files on network drives. Individuals are very rarely the victims of ransomware - it is usually companies. Companies have a lot of money, but companies also keep their files on shared network drives, so this was a big problem. And if the files are not encrypted, there is no reason to pay.
Now a user on the forums was demanding 10 BTC from LockBit as compensation. This was not very pleasant for LockBit, but the way they handled it was even worse. They outright refused to take responsibility, said that he should have tested the software before deploying it, and rejected the claim. 10 BTC was still worth $100,000 in September 2020.
But things got a lot worse as a bunch of other participants came to support Waxford’s claims. Now, with a damaged reputation and a tiny user base, LockBit needed a new strategy.
Two weeks later, an advert appeared for a developer who knew Active Directory. Active Directory is what manages user permissions and file sharing on Windows corporate networks, and LockBit was obviously looking for someone who understood it well so they could fix the problem and exploit it. This marked the beginning of the development of LockBit 2.0. The world didn’t know it yet, but the most popular ransomware in history would soon be released. And even LockBit didn’t know that, as development of the new version neared its end, the perfect opportunity to release it would present itself.

On the morning of May 6, 2021, Colonial Pipeline, a company that supplies 45% of the fuel on the East Coast of America, fell victim to a ransomware attack. People went crazy, the problem spread to 17 states, and Joe Biden declared a state of emergency, saying it was a direct threat to national security. Seeing no other way out and wanting to fix the situation as quickly as possible, Colonial Pipeline paid a ransom of 75 BTC, which at the time was equal to $4.4 million, to one of the most notorious ransomware groups at the time, DarkSide.
But on May 13, just one day after restoring the fuel infrastructure, the DarkSide website went completely offline. They had gone too far. In a counter-operation, the FBI managed to hack DarkSide’s infrastructure, seize its assets, and even return part of the ransom to Colonial Pipelines. But there was bad news - the US blamed Russia, and the very next day the owner of XSS posted a message on the forum in which he announced a new rule: no more ransomware.

If you look at the message, you will see that it mainly expresses the author’s personal beliefs: he says that the forum is for learning and gaining knowledge, which is not entirely true. But then he writes that newbies open the media and see some crazy virtual millions of dollars there. They don’t want anything, they don’t want to learn anything. They don't program anything. They don't even think. Their whole existence is "encrypt, get paid."
But in reality, nothing was really forbidden. These forums are very much a popularity contest. For LockBit, it was a double win, because in addition to being part of the "bad boys club," there was one less player in the market. DarkSide affiliates were now looking for a new home, and LockBit was just a month away from releasing a new version that would soon be used to extort hundreds of millions of dollars.
LockBit 2.0
The biggest new feature in LockBit 2.0 was called “StealBit.” It was actually a feature offered by DarkSide. Instead of simply encrypting a company’s data, StealBit now saved a copy of it and sent it to LockBit’s servers. Partners could set specific requirements for the files they wanted to get, and the reason for this was simple: additional leverage. If a company had a disaster recovery plan in place in the event of a ransomware attack, there was nothing to pay for. But if all the sensitive files were stolen first, the ransomware could threaten to leak the information if the company didn’t pay up. This could be sensitive customer information or internal company secrets.
In November 2023, LockBit leaked Boeing files, which brings us to the second part of the update. LockBit 2.0 had a shiny new website that hosted these extortion requests, along with a board of current victims and a countdown to when the data would be released if they didn’t pay up. Of course, the site was hosted on the Tor network, and yes, it served as a good incentive to get victims to pay up, not only because it created a sense of urgency, but also because it confirmed the reality of the threats. But it also created another phenomenon: people in the cybersecurity world started monitoring the LockBit page to see when new victims had been compromised. That’s what the Twitter post was about, and it helped LockBit grow in popularity, which also helped attract more and more affiliates – a vicious cycle.

This attention is exactly what LockBit wanted. But the other side of this increased popularity is that they are now just as interesting to the people who took down DarkSide just a month earlier.

In July 2021, news broke that Accenture had been hacked. LockBit 2.0 stole 6 terabytes of sensitive data from the company and its clients. This is a big deal because Accenture is the world's largest IT services and consulting company. That meant they worked with three-quarters of the Fortune Global 500. And thanks to LockBit, everyone knew exactly what had happened and the price they were asking for the decryption keys: $50 million, to be sent in cryptocurrency by August 11. Otherwise, all of the company's stolen secrets would be made public.

Any normal company would have called an emergency meeting and warned their clients, but Accenture kept quiet about the incident, claiming that the data they stole wasn’t, quote, “sensitive enough.” What’s more, they refused to pay, and LockBit wasn’t too happy about that. To up the ante, LockBit targeted Bangkok Airways and Ethiopian Airways, both Accenture clients, and Accenture still refused to pay. As a result, LockBit released 2,384 files to the public, a far cry from the 6 terabytes of data they claimed to have stolen. Even though the ransom was never paid, there must have been champagne flowing at LockBit headquarters because the debut of version 2.0 couldn’t have gone any better. In fact, it was the best advertising campaign to date. More and more affiliates joined the software, and LockBit became one of the top four players in the ransomware world.

In November 2021, they had another big success. One of the well-known leaders, RaaS company BlackMatter, went out of business. Being on friendly terms with the owner of LockBit, they recommended their partners to switch to the LockBit platform. The dude got an entire user base for free! But it wasn’t enough. As a result, LockBit was left with two main competitors: REvil and Conti. If they could destroy them, LockBit would get all their users.
Destruction of the competition
Let’s go back in time. July 2019, Spring Hill Memorial Hospital. Stressed-out mother Terrani Kidd spent agonizing hours trying to deliver her baby. Finally, her beautiful baby boy, Nico, was born. Everything seemed normal, except what the hospital staff failed to tell her was that their computers had been down for 8 days. They had been the victims of a hacker attack that left patient records inaccessible. But more importantly, the staff was cut off from the fetal heart rate monitoring equipment in the delivery room. As a result, Nico tragically passed away 9 months later.
And now, in late 2021, news of the lawsuit is making headlines. The hospital claimed, quote, “Nico suffered a severe traumatic brain injury because medical staff failed to notice that the umbilical cord was wrapped around his neck,” because, quote, “the loss of access to critical resources and information was caused by a cyberattack.” When LockBit saw this, they decided, “Hey, what better way to attack REvil than to accuse them of being the ones behind this?”
You see, in the world of cybercrime, where there are no legal rules, there is still a kind of criminal code. Many groups refuse to attack hospitals, and LockBit accuses REvil of being the ones behind this attack, hoping that people with moral principles will not work with them. Instead, they will work with LockBit.
This is grim, knowing that LockBit would go on hacking hospitals, including children’s hospitals. So the motive here was purely a smear campaign, and one that would continue.
In the end, it was not even REvil who carried out the attack, it was someone else, but that was not revealed until six months later. If you look at what the FBI found, it was a tool called Ryuk, which was unique to and controlled by Wizard Spider, known today as Conti. Shortly after, REvil successfully hacked MSP software provider Kaseya, gaining access to 1,500 companies using Kaseya’s software and infecting them with ransomware.

This was the main target, but the attack failed miserably as the FBI somehow managed to provide the victims with free decryption keys. Millions of dollars in potential ransom money were wasted.
The most interesting question is how the FBI got the decryption keys for REvil. They somehow got access to the backend, a backend that only REvil management was supposed to have access to. REvil had an honest answer to this question: they claimed that someone had hacked their servers and then distributed the keys to the companies that were affected. LockBit supporters immediately began suggesting that this was bullshit, that REvil had been infiltrated by the FBI, and that no one should work with them. LockBit wanted REvil gone, and they were about to get their biggest wish. On January 14, 2022, the Russian Federal Security Service raided 25 addresses associated with 14 REvil members, seizing 20 luxury cars and $5.5 million in cash and cryptocurrency, apparently after receiving information from the United States. This came after an operation carried out in several countries to hack and disable REvil servers.

But there was one company, a giant in the ransomware market, that LockBit couldn’t take down no matter how hard it tried: Conti. Conti had been the market leader since 2020. It was a well-known Russian ransomware-as-a-service (RaaS) provider that was itself responsible for attacks on hospitals, governments, and Fortune 500 companies. The company was powerful, and LockBit couldn’t take them down — until they did.
New stage
The day after February 24, 2024, Conti posted a message endorsing military action and threatening anyone who stood in Russia’s way. LockBit then posted their own message, claiming they were apolitical and only interested in money. Suddenly, Conti replaced their post with a new one, claiming they did not actually support any government and condemned the current war situation. Something had happened internally, but it was too late to reverse it.

Three days later, cybersecurity journalists began receiving unexpected emails from the Ukrainian branch of the Conti ransomware group. The email read, “We promise this is very, very interesting,” and contained a file with 60,000 messages, URLs of leaked private data, and Bitcoin addresses from Conti’s internal correspondence. But that was not all. Then, the same person leaked something even more serious: the source code for Conti’s ransomware encryptor, decryptor, and builder.

The leak caused a major crisis of confidence in the group and left it highly vulnerable to law enforcement. So, three months later, the remaining Conti management decided to liquidate the brand. The Conti name was officially destroyed, and its public infrastructure, including the ransomware negotiations and victim data leakage sites, was permanently disabled.

This was the perfect moment for LockBit to seize complete control of the market, but they faced a problem: Conti’s software had more advanced features. To capture its user base, LockBit needed to quickly implement these capabilities into its own software.
A month after Conti’s downfall, suspiciously fast, LockBit released a major update to the ransomware: LockBit 3.0, which was as capable as the fallen giant. In a similar vein, another marketing stunt was launched – this time offering $500 to $1,000 to anyone who would get a tattoo of the LockBit logo and post about it on social media. It’s hard to believe, but many people took the offer.

Within a month, LockBit and its affiliates were conducting almost two major attacks a day, outstripping all competitors. They officially took first place. LockBit had achieved its dream, and, in addition, the new code found itself in the spotlight of developers, who happily began to study it. The results of their study were more than strange: some of LockBit’s new features used DarkSide code.
How is this possible? Remember when DarkSide was blamed for the Colonial Pipeline hack. After the FBI shut them down, DarkSide rebranded themselves as BlackMatter. But that didn’t help either, and one of the developers, not resigned to the constant failures, started looking for a more stable partner. He thought LockBit would be such a partner, but during the work on 3.0, it turned out that they had simply taken the code from their previous employer. This led to a heated exchange of messages on the forum between DarkSide and LockBit. DarkSide accused LockBit of stealing their developer.

On September 21, a mysterious Twitter account made a statement claiming that it had hacked LockBit’s servers and stolen their builder, the tool intended exclusively for affiliates. Within hours, cybersecurity experts downloaded it and decompiled it for analysis and study.

But in fact, LockBit was not hacked. You see, 11 days before Ali posted this leak, VX Underground made their own post: an unknown user named Proton had contacted them and provided access to LockBit 3.0 builds. VX Underground then contacted LockBit Support via Tox chat and asked if the leak was real and how it could have happened. The answer? The leak was 100% real, and they knew who the leaker was: a new developer they had hired for 3.0.

Continuing on the topic, LockBit admitted to hiring the developer, and the whole story about buying or not buying the BlackMatter source code was nothing more than a fairy tale to save the developer’s ass from the revenge of his previous employer. But now things had gone awry, probably because LockBit posted a message that basically said that they knew the developer’s real identity and could ruin his life if they wanted. Messages like these allowed the experts to deduce which gangs the developer had previously worked for.
It was obvious that this person wanted to stay in the shadows, so of course he was upset. None of this would have happened if this guy had been treated decently. LockBit spends so much time on customer service - collecting feedback from its affiliates, finding out what they want changed, what they like and don't like - but then, instead of developing and supporting the core people who worked for it, it just screwed them.

It's kind of funny that in version 3.0 they introduced a bug bounty program, and someone reported a bug that had existed in BlackMatter, where it had already been fixed. And because the developer had copied the code, LockBit blamed him. LockBit 3.0 had a lot of BlackMatter code, and the bug that had been in BlackMatter was still there. Someone found the bug, and they had to pay a bounty - $50,000.
LockBit deducted the $50,000 from the developer's pay and did not pay him the full amount. This made the developer very angry, and LockBit started threatening him, to which the guy said: "Okay, I'm leaving." The developer then leaked the code, creating two different fake accounts, but that is not really relevant to this story.
The main thing is that the code was publicly available. The real damage was that now anyone could use it. Many affiliates simply started working on their own.
LockBit claimed that the success rate of attacks was not the same as when using their "licensed" program. Plus, this created a lot of confusion for specialists in studying and responding to hacker attacks, since now, having seen an attack by LockBit, specialists had to figure out whether it was really LockBit or just a lone wolf using the leaked code. For LockBit, this was a double whammy. In addition to leaking information, they now had no developer to support the software.
That’s where things went awry. In December, one of the affiliates attacked SickKids Children’s Hospital in Toronto and took down its internal systems. Two days later, LockBit’s support team responded, gave SickKids the decryption keys for free, and banned the affiliate for “violating the terms of service” because they don’t allow attacks on healthcare facilities. But that was a lie. In this case, he did return the key to the organization, but not because he cared about the children. The story repeated itself later with St. Anthony’s Hospital.

That hospital also had a pediatric oncology ward. Six months before that, another affiliate had attacked a French hospital called CHSF. Surgeries were delayed, doctor appointments were cancelled, and when the $10 million ransom was not paid, sensitive data was leaked. LockBit did nothing, most likely because the situation was not widely publicized at the time.

We know that if a ransomware attack is large enough, it can bring down the group behind it, as happened with DarkSide and REvil. Likewise, LockBit has often denied that its affiliates were involved in such attacks.

In January 2023, someone hacked Royal Mail, stole gigabytes of sensitive data, and then encrypted it, demanding a mind-boggling $80 million in exchange. This was a huge problem for Royal Mail. Without their systems, they were forced to stop all international deliveries. The deadline for them to bend the knee and pay was February 9th. The news made headlines.

Meanwhile, LockBit support said the attack used a leaked version of the builder with unknown content (whatever that means), that it was "aimed at tarnishing our good name", and that the attackers would not provide a decryptor after payment, so there was no ransom worth paying. Something doesn't add up here. To add insult to injury, it was then discovered that the attack had in fact definitely been carried out using LockBit software, as Royal Mail was directed to an official LockBit negotiation page.

When this was revealed, LockBit still refused to take any responsibility. This is a great example of how they used the leaked code as an excuse whenever things got heated: "It wasn't me; it was a partner who went solo and used my leaked builder." But whenever an attack looked like it was going to make them money, it would suddenly turn out to be them after all. And this happened several times.

First, a Royal Mail negotiator simply tried to get them to lower the price. Then he dragged the talks out for a few days, and then asked them to decrypt a small file, supposedly related to the delivery of medical supplies. But that seemed to be a lie: the small file actually contained data that was important to Royal Mail, and they were hoping LockBit would decrypt it for them. LockBit wasn't buying it.

Still, the negotiator dragged things out, and LockBit dragged things out too. Finally, on February 6th, LockBit had had enough. A small portion of Royal Mail's files were leaked online, with the threat of releasing the rest if the $80 million ransom was not paid within the next 50 hours. Again, Royal Mail refused. So LockBit stopped all contact, and on February 9th they leaked the files, but the files didn't contain anything of substance: no confidential customer information, no financial information. Royal Mail was right; they had called LockBit's bluff.

News stories started appearing about what was going on. In June, it was discovered that the page from which the files could be downloaded was no longer online.
Another interesting case is Maximum Industries, an aerospace company that makes parts for SpaceX. Someone from LockBit hacked them and claimed to have stolen all their data, including thousands of secret engineering schematics. This, of course, caused a big stir on Twitter, but despite the threats, SpaceX and Maximum Industries refused to pay up. So when it came time to leak the files they claimed to have stolen, they had nothing to release. It seems LockBit had started claiming to have data it didn't, which means future victims would be less likely to pay up, anticipating the bluff.
With the release of LockBit 3.0, many aspects of the attack were automated, not requiring manual keyboard control as before, which made the attack much easier. It received a huge influx of affiliates, which is what made it the “Walmart of ransomware”. But with all this growth and volume, it became difficult to deal with all the small problems that were arising, and they escalated into much larger ones.
Just a month later, on April 12, 2023, a cybersecurity researcher named DarkTracer posted a blog post accusing LockBit of becoming lazier.

LockBit Support didn't like that. Instead of shrugging it off, LockBit went on the attack, hacked a site, and published its data. Admittedly, it was a pretty quick response. But the company it hacked was Darktrace, not DarkTracer, the one that had been tweeting about LockBit's services. In its anger, LockBit support had accidentally targeted another cybersecurity company.

Given these issues, some partners left, but there were still so many people wanting to take their spots that it didn’t have a significant impact on operations.
At one point, things went completely awry, and other ransomware groups started fighting LockBit. One user wrote on Exploit (one of the best Russian underground forums) asking where he could find the leaked 3.0 builder so he could use it himself. Unexpectedly, LockBit support responded, offering that he simply join their affiliate program. But before the user could respond, Baddie, a known member of the Royal ransomware group, chimed in with a question that sounded accusatory: he asked LockBit support why they were asking developers to give them access to their builders.

LockBit responded with excuses, but Baddie wasn’t buying it. Instead, he directly accused LockBit’s support team of trying to steal the code of a competitor’s ransomware to incorporate into their own.

This was a clear rebuke, implying that LockBit was so desperate that it was resorting to copying code from rival ransomware groups. And Baddie was right. As we already know, version 3.0 was essentially a copy, but in the same month that this post was published, LockBit released a new version called LockBit Big Green.

This was seven months after the problematic version 3.0 was released, and with the developer gone, 3.0 was likely difficult to maintain. They couldn’t add new features to it, so instead of trying to fix the problem, LockBit apparently released a new version, Green, which boasted even more features. But when experts analyzed it, they found that it was essentially a rebranded version of CONTI ransomware.

Shortly after CONTI's downfall, its source code was leaked, and there it was: rebranded as LockBit. After this news broke, LockBit support quickly changed its position, stating that its goal was to include all the best ransomware variants in the panel, giving affiliates the ability to choose which ones to use. It even asked affiliates what else they needed to be happy, promising to "please them endlessly".

The truth was that users were not happy with version 2.0. While LockBit support continued to desperately try to create the impression that they were the most effective, this was not the case at all. From February to June 2023, stolen data was not published on the site at all. Download links either completely disappeared or simply led nowhere. Affiliates were the first to notice, and many of them chose to work with other ransomware providers. Eventually, LockBit support claimed that the issues had been resolved after hiring a tester, and blamed the large files being uploaded by affiliates. But the problem persisted.
Greed creates problems

If you hack a company and the ransomware screws everything up, the affiliates are going to be pissed because they just lost a ton of money. And one of them was going to change the entire trajectory of LockBit. On January 30, 2024, a user named Mitch filed an XSS arbitration claim against LockBit support: a fraud report. Mitch is a tier 1 reseller, one of the guys who infiltrate networks and find weaknesses but, instead of exploiting them, sell the compromised access to the highest bidder, usually an extortion ring.

In this case, Mitch had given access to LockBit, and now he was demanding $4 million for his services, a fraction of what LockBit had made from the attack. But of course, LockBit refused to pay. The case was so specific that the owner of XSS, known as Admin, decided to review the claim and make a final decision, and it didn't go in favor of LockBit Support. Admin demanded that Mitch share 10% of the profits. LockBit, in typical LockBit fashion, refused. And this was Admin's reaction: "Unfortunately, the defendant has rejected the demand. Case closed." LockBit Support was banned.

But there is a rule on Russian hacker forums: if you get banned from one, you get banned from all. Seeing this, Exploit banned him from its forum as well, assigning him the same status: scammer.

After being banned from the most popular hacker forums, as a last-ditch effort he tried to appeal his ban on the less popular RAMP forum, which is almost entirely dedicated to hacking software. He asked the owner of RAMP to reconsider and to disregard his status on the other two forums, so that he could at least remain on this forum, albeit with much less influence due to its low popularity. But in the end it didn't matter, given the events that would happen just a few days later.
Exposure
Later, on February 19, people attempting to access the LockBit website were greeted by a startling image: the LockBit logo surrounded by 11 balloons with the message, "This site is now under law enforcement control." VX Underground quickly reached out via the Tox chat for an answer. LockBit staff responded simply, "FBI pwned me." Law enforcement had somehow exploited a vulnerability in a LockBit server and taken over the site entirely.
To further garner media attention, the message included an invitation for visitors to return at 11:30 GMT the following day for more details. This officially marked the start of Operation Cronos, a coordinated effort by the FBI, Europol, and the NCA to take down LockBit once and for all.

The next day, the site was updated and looked almost exactly the same as before, except that all the leaked company cards had been replaced with law enforcement announcements, press releases, recovery tools and decryption keys, under the headline: "This site is now under the control of the Cronos Task Force." Meanwhile, on the page where affiliates would normally go to log in, they were greeted with this chilling warning: "Law enforcement has received information about victims you have targeted, amounts extorted, data stolen, and more. Please thank LockBit support for this situation. We may be in touch soon."

Just imagine the conflicting thoughts that must have been going through the affiliates' heads. You are an affiliate, you are a criminal, you don't want anyone to know who you are, and you trust LockBit to provide you with that anonymity. Now all your data has been handed to a third party. Affiliates quite literally felt like victims.
Back on the main page, one card stood out: “Who is LockBitSupport?” — the $10 million question, complete with a ransomware-style countdown. The FBI was trolling hard here, demeaning LockBit support in its own style.

In January, just before LockBit support was banned from XSS, he wrote a post saying he was disappointed that the FBI had not yet put out a reward for his arrest. So he put a bounty on his own head: $1 million for anyone who could find out his real name.
The entire cybersecurity world would be waiting until February 23 for an answer to that question, and in the meantime, Operation Cronos was just getting started.
The police started arresting affiliates. First, a father-and-son duo from Ukraine accused of attacking French medical facilities. The next day, Polish special forces arrested another affiliate in his own home.

Three members of the group were arrested in the first week, and you can bet many more were shaking in their boots, because the FBI released a list of 193 people suspected of being active in the group, information they said they had obtained by hacking LockBit. The FBI also said they had obtained payout data. To get a handle on the scale of LockBit's operation, law enforcement teamed up with Chainalysis, the same company that cracked the Mt. Gox case.

What they found was staggering. From July 2022, when LockBit 2.0 launched, to February 2024, just 18 months, more than 30,000 Bitcoin addresses collected $120 million worth of cryptocurrency. But that is only the 20 percent fee the LockBit admins took, meaning affiliates swindled more than $600 million in just 18 months. Even harder to measure is the damage this caused to companies, which runs into the billions.
As the number of arrests mounted, attention turned to the next big question: Is the FBI finally going to reveal the identity of the “$100 Million Man”? The view counter on the bottom right of the “$10 Million Question” post quickly climbed to 30,000 as anticipation of the identity of LockBit support grew. That’s a lot, considering the site was hosted on the Tor network.
Then, as the date approached, the FBI upped the ante, offering a bounty of up to $15 million for information on LockBit administrators and affiliates.

They even created a Telegram account called “FBI Support” to reward tipsters. But despite all this, LockBit Support seemed unfazed. He contacted VX Underground and shared his thoughts on the situation.

First, he claimed that the feds had made a mistake in arresting those men; they had nothing to do with LockBit. Second, he suggested that the feds didn't really know who he was, and that he was now willing to pay up to $20 million to anyone who could discover his true identity. Lastly, he disparaged the FBI's technical skills, blaming the hack on his own laziness: he claimed he hadn't updated PHP, and the old version the site was running had a critical vulnerability, making it easy to hack.
But when the day finally arrived, the FBI extended the countdown by a few more hours, presumably to build attention. When it hit zero and the page refreshed, perhaps one of the biggest events in the history of online organized crime had occurred: two new messages appeared, claiming that LockBit support was not based in the US or the Netherlands, and that he drove a Mercedes, not a Lamborghini. These were refutations of false information he had previously spread about himself online.

Then the FBI claimed to know who he was, where he was, and how much he was worth, hinting that he had even been cooperating with law enforcement. But there were no photos, no names, nothing but a few bland lines about LockBit support.

This outcome seemed to confirm the LockBit support team's assumption that the whole thing was just a psyop, and that the feds really had nothing on him. The very next day, the LockBit site was restored from backup servers. At the same time, LockBit support posted an incredibly long response detailing his side of the story. He begins by saying that, due to his laziness after "years of swimming in money," he hadn't paid much attention to the problem, thinking it was a trivial matter.

So, at 6:00 AM on February 19th, he noticed that the site was throwing a 502 Bad Gateway error. He thought he had quickly resolved the issue by simply restarting the web servers. In reality, it wasn't that simple. By 8:00 PM, the site was returning a 404 Not Found error, and after digging around, he noticed that all the information on the server's hard drives had been completely wiped. Whoever had gained access had done this. He goes on to say that he accidentally stumbled upon what he believes the FBI used to gain access to his servers: he was running an outdated version of PHP, which, due to his laziness, he had not updated to the latest version, a big no-no because it had a known vulnerability. He suspects the FBI used this to gain access, since he had a ton of other servers, but only the ones running this version of PHP were actually taken over.
He has now brought the servers back online running the latest version of PHP, so the problem shouldn't happen again. He even goes on to praise the agent who found the vulnerability, asking how much he was paid for the job, and says that if it was less than a million dollars, he should just come work for him. And finally, he shares some personal thoughts: “Everything the FBI does is aimed at destroying the reputation of my affiliate program. They want me to leave and quit my job. They want to intimidate me because they will not be able to find and eliminate me. I am unstoppable. I am very glad that the FBI has invigorated me, charged me with energy and made me distracted from entertainment and spending money. It is very difficult to sit at a computer with hundreds of millions of dollars. The only thing that motivates me to work is strong competitors in the FBI. There is a sporting interest and a desire to compete.
Therefore, I am ready to risk my life for the sake of my work. This is how a bright, rich and interesting life should be. Neither FBI agents nor their assistants will be able to scare me or stop me.”
And now LockBit Support was back in full combat readiness, ready to do anything to restore their credibility. A fresh list of new victims appeared on the restored LockBit website, including the FBI. Needless to say, the entire Internet laughed at the FBI for a while, because this was damn weak dirt. But it seems the FBI just needed time to turn the information they had into a full-fledged information bomb. Just when it seemed the case was going cold, the US Department of Justice released this sensation: an indictment against the founder of LockBit. They didn't just have a name; they had a face.
Meet Dmitry, aka LockBit Support, the mastermind behind LockBit, a 31-year-old Russian who lives a seemingly ordinary life. He drives a Mercedes, plays pool, and maybe even does gardening. And we know all this because, in an instant, the Twitter OSINT community went into overdrive. The indictment revealed two of his email addresses. It's crazy that one of the biggest hackers uses iCloud. And those emails were more than enough to reveal almost everything about his life. In January 2023, Yandex was hacked, and now researchers were digging through his order data from that leak. Crucially, the leak revealed his phone number, which led to his VK profile, which at that point was completely public.

They also found that he registered a company in July 2021. This coincides with the beginning of LockBit 2.0, and it's quite possible that the company is a front for money laundering: it's just a weird blog about fabrics and clothes, full of seemingly generated posts. But most important are the address and a review he left of his Mercedes, including the license plate number. There are also several gardening-related blogs that someone posted under his well-known nickname; perhaps he's a gardening enthusiast.

They even found his first VK profile. Apparently this guy was a fan of Counter-Strike 1.6 as a teenager, even offering to help run servers for the game when he was 14. Maybe that was the beginning of his tech talent.

It just goes on and on. There's a dating profile where he says he has an "average income." A post about being a ransomware victim himself may have been the motivation for this whole thing.

It took just one day for his entire life to be exposed. And so, out of desperation, he turned to VX Underground, claiming that the FBI was bluffing, that he felt sorry for this Dmitry guy because they had got the wrong man, and that the poor guy was now going to take the blame. To further cement this idea, he posted a message announcing a contest: $1,000 to anyone who could get in touch with this poor Dmitry, because it couldn't be him and he really wanted to know if he was okay.

And a lot of people said, "Well, it probably wasn't him, because LockBit would have better security than this guy." But once you have a name for the suspected bad guy and work from there, it's a lot easier. If he hadn't had good anonymity, people would have figured out who he was earlier. The reality is, no one did until his name was released. So he had good OPSEC.
At this point there is no way to know how law enforcement identified him. They haven't provided any evidence. If you look at the indictments of other ransomware bad guys, the evidence is generally never released, because it's held until the day the person gets to court, to be used against them in the prosecution. So the FBI generally doesn't share that information with the public. But we can be sure that they have secret tools, which we will never know about, that they used to confirm 100% that it was him.
One theory for how he was unmasked involves cryptocurrency: that LockBit started selling crypto. But VX Underground said that was not the case. "He barely touched it." LockBit presented himself on forums as a gangster from a movie, you know, but in reality he was never obsessed with material things. It was important to him to become famous in the Russian cybercrime world. He liked being a supervillain. He wanted this criminal fame. And most likely, this is more important to him than money.
Meanwhile, the feds announced a reward of $10 million for any information leading to Dmitry's arrest. How everything turned upside down. They have his full name and his face, so why hasn't he been arrested?
The thing is: for Dmitry, the main thing is not the United States. The United States cannot touch a hacker who is in Russia. The Russian Constitution protects them; they do not extradite their citizens. And if the hackers are very famous, the government may even allow them to continue hacking in exchange for them acting on their behalf. They have good relations with cybercriminals because they know they can use their talents for espionage. For example, VX Underground recently reported that Dmitry is now working for the FSB.
But Russia isn't the only place LockBit affiliates are based. Many ransomware gangs are much more global than we might think; they have members all over the world. Perhaps the reason Dmitry was defeated was that he allowed anyone to join LockBit, and it's likely that too many of these affiliates live in countries that extradite to the US. For example, last year authorities announced the capture of one LockBit member living in Canada, Mikhail Vasiliev. He faces several charges related to his ties to the gang and is currently awaiting extradition to the US to face trial. Another person we know about is a guy named Michal, a Polish citizen who was arrested for extorting 49 different companies using LockBit. He's currently in custody in Cyprus and will likely be extradited to the US.