Up to $15 million in cash prizes have been made public by the United States Department in exchange for information. This department helps to identify important figures in the LockBit ransomware gangs and apprehend any individuals involved in the operation.

As per the State Department, “Since January 2020, LockBit actors have carried out more than 2,000 attacks against victims in the United States and worldwide, resulting in expensive disruptions to operations and the destruction or exfiltration of sensitive information. To recover from LockBit ransomware events, more than $144 million in ransom payments have been made.”

This development coincides with a broad law enforcement investigation spearheaded by the National Crime Agency (NCA) of the United Kingdom that has crippled LockBit. It is a ransomware gang with ties to Russia that has been operating for more than 4 years and wreaking havoc on businesses & critical infrastructure sectors across the world.

Russian e-crime groups profit greatly from Ransomware-as-a-Service (RaaS) operations such as LockBit and others. These e-crime groups extort companies by stealing their sensitive data and encrypting it. This allows the groups to act with impunity as they aren’t under the jurisdiction of Western law enforcement.

The main developers usually use a network of affiliates that they recruit to use LockBit's infrastructure and malicious software to carry out the assaults. It's known that the affiliates use Initial Access Brokers (IABs) to buy access to targets of interest.

LockBit emerged as the most active ransomware organization since Conti's departure in the middle of 2022. They are the most damaging group in recent years due to their frequent attacks and their unrestricted ability to destroy any kind of infrastructure. Chester Wisniewski, worldwide field CTO (Chief Technological Officer) at Sophos, stated that “anything that disrupts their operations and sows distrust among their affiliates and suppliers is a huge win for law enforcement.”

The first ransomware outfit, LockBit, is credited with launching a bug bounty program in 2022 and paying up to $1 million in incentives for locating security flaws in website and locker software. According to Intel 471, “LockBit's operation grew in scale by consistently delivering new product features, providing good customer support, and at times, marketing stunts that included paying people to tattoo themselves with the group's logo.”

“By allowing its affiliates to gather the ransom and relying on them to pay it in part, LockBit turned the script on its head. More affiliates were drawn in as a result of the affiliates’ increased confidence that they would receive payment,” Intel 471 further said.

The gang known as Gold Mystic is being tracked by SecureWorks Counter Threat Unit (CTU), which revealed that from July 2020 to January 2024, it looked into 22 compromises involving LockBit ransomware, some of which depended just on data theft to threaten victims.

The cybersecurity firm added that LockBit was able to grow and attract multiple affiliates over time because of its policy of handing over control of ransom negotiations and payments to its affiliates.

Following a months-long investigation that started in April 2022, LockBit was taken down. During that time, three affiliates were arrested in Poland and Ukraine, two more alleged members were indicted in the United States, 34 servers were seized, and 1,000 decryption keys that could help victims recover their data without having to pay for it were also found.

Two individuals who were arrested were a “father & son” pair from Ukraine and a 38-year-old male from Warsaw. Between January 31, 2022, and February 5, 2024, LockBit is estimated to have employed roughly 194 affiliates. The actors utilized a custom data exfiltration tool called StealBit.

The NCA claimed that “StealBit is an example of LockBit's attempt to offer a full ‘one-stop shop’ service to its affiliates," and that in an apparent attempt to avoid detection, the executable is used to export the data through the affiliate's infrastructure before StealBit's.

However, because of the flexible nature of these RaaS brands, closing them down might not have a significant effect on criminal activity, giving them time to reorganize and reappear under a new moniker. Likely, they will soon rebrand and carry on where they left off, based on the history of comparable takedowns.

“Comprehensive degradation of LockBit's infrastructure will likely result in a short cessation in activity from LockBit operatives before they resume operations – either under the LockBit name or an alternative banner,” ZeroFox stated.

“Even if we don't always get a complete victory, like has happened with QakBot, imposing disruption, fueling their fear of getting caught, and increasing the friction of operating their criminal syndicate is still a win. We must continue to band together to raise their costs ever higher until we can put all of them where they belong – in jail,” Wisniewski said.