On Sunday May 5, 2024, law enforcement agencies started teasing visitors with fresh information about the criminals involved in LockBit.

We reported in February how, in an act of exquisite trolling, the UK’s National Crime Agency (NCA) announced details about the disruption of the LockBit ransomware group by using the group’s own dark web website.

Instead of showing information about LockBit’s victims, law enforcement displayed information the investigators had obtained from the service’s backend.

The US Department of Justice promised to reveal the identity of LockBit’s leadership in a few hours. At the same time, the NCA is promising a major announcement in 24 hours.

NCA announcing an official announcement on X

The task force coordinating Operation Cronos, the name of the targeted action against LockBit, must have been very happy to get their hands on the backend infrastructure. Since the demise of Conti in 2022, LockBit has been unchallenged as the most prolific ransomware group in the world. In the 12 months leading up to February it racked up more than two and half times as many known attacks as its closest rival, ALPHV.

Following the disruption operation in February, the group’s purported leader LockBitSupp stated that investigators had exaggerated their access into the gang’s backend infrastructure.

This very well may be be an attempt to lure LockBit’s leadership out of hiding. Last time around, one of the announcements had the title “Who is LockBitSupp?”, hinting that law enforcement would reveal information about who was running the ransomware operation. After days of waiting, however, the announcement changed to: “We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement :).”

Either way, new victims are being added to the new leak site all the time. Some researchers say they are even noticing an uptick in new postings.

The announcement

The announcement coming from Europol has just reached my inbox and reveals the following:

Today, authorities from the United Kingdom, United States and Australia are revealing the second phase of Operation Cronos – the sanctions.

The administrator and developer of LockBit, a Russian national, is now subject to a series of asset freezes and travel bans issued by the UK Foreign, Commonwealth and Development Office, alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs and Trade.

Prosecutors in the United States have also unsealed an indictment against him based on his alleged role as the creator, developer, and administrator of the LockBit ransomware variant. Additionally, authorities in the United States are offering a reward of up to USD 10 million for information leading to his arrest and/or conviction.

For former victims of the LockBit ransomware group, the following information might be helpful.

Law enforcement is now in possession of over 2,500 decryption keys and are continuing to contact LockBit victims to offer support.”

With Europol’s support, the Japanese Police, the National Crime Agency and the Federal Bureau of Investigation have concentrated their technical expertise to develop decryption tools designed to recover files encrypted by the LockBit ransomware.

These solutions have been made available for free on the No More Ransom portal, available in 37 languages.

And in a coordinated “identity reveal” the NCA and the US Justice Department disclosed the identity of LockBitSupp as Russian national Dimitry Yuryevich Khoroshev.

To be continued. We’ll keep you posted. Stay tuned!