The FBI has acquired more than 7,000 decryption keys from the massive ransomware group LockBit — and is encouraging corporate victims to come forward to see if the keys can unlock any of their data.
“From our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” said Bryan Vorndran, the FBI’s assistant director in the cyber division, in a speech to the 2024 Boston Conference on Cyber Security. “We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.”
LockBit, which until recently was the world’s largest ransomware attack group, has been the focus of global law enforcement for years.
The significance of the key capture to enterprise CISOs is not clear given that it is unknown how many of the keys are functional. But there is an excellent chance that many of the obtained keys are still effective and could unlock data from enterprise victims who chose to not pay the ransom or were given keys that either didn’t work or worked incompletely, said Brian Levine, a managing director at Ernst & Young who used to oversee FBI cyber operations when he worked at the US Justice Department.
The situation where an enterprise pays the ransom and gets a key that doesn’t properly unlock all of the encrypted data is not at all unusual, Levine said, often because of attacker incompetence.
Once a victim contacts the FBI, there are various ways that authorities can identify the right key for that victim, Levine said. Sometimes, the victim’s name is in a LockBit SQL database that ties the victim to specific keys. That doesn’t often happen, though, because “the notations may be too cryptic” or the actual attacker is merely a LockBit client (another thief paying for the use of LockBit software in a SaaS model). In that case, the LockBit databases wouldn’t even know who the victim is.
The most likely way the FBI will associate specific keys with specific victims — assuming that particular victim contacts the authorities — is that “the FBI will generate a script that will run all 7,000-plus keys” against the victim’s still-locked files, Levine said. There’s also a possibility that LockBit was reusing keys, he said.
A reason to call the FBI
The biggest benefit of the FBI announcement, Levine said, is that it gives CISOs a concrete reason to contact the FBI. A problem that many enterprises have when they are hit with any kind of cyberattack is that they don’t have a current direct FBI contact — including mobile number. Critically, law enforcement contacts need to be established for every geographic where the enterprise has servers. In an emergency, the last thing an enterprise wants to do is start reaching out to a federal switchboard.
“This is just another great example of how law enforcement can add real value in responding to an incident,” Levine said. “But it’s very important that organizations develop a personal relationship with an existing FBI cyber agent prior to the incident. Otherwise, organizations may be spending a lot of time tapping their toes to light jazz during an endless hold.”
Vorndran, in his speech, said that the FBI is still seeing ransomware groups in the same countries where they have historically been based.
“Almost all of the criminals developing sophisticated malware to enable ransomware attacks are based in Russian-speaking countries and operate as organized crime syndicates, similar to traditional organized crime elements. They’re entrepreneurial and have successfully lowered barriers to entry through ransomware-as-a-service,” he said, adding that the skillsets needed for successful attacks are lowering.
“Highly skilled malware coders are developing more-and-more-sophisticated malware. Their affiliate model allows less technically skilled criminals who are obscured from the enterprise leaders to deploy highly sophisticated malware for their personal gain, while paying a percentage of their proceeds to the highly skilled malware coders,” he said. “Ransomware attacks are almost always coupled with data theft — which we refer to as double extortion — or data theft and harassment of the victims and company officials, called triple extortion.”
The typical kickback rate for use of these systems is about 20 percent for LockBit, which covers “assistance through hosting and storage, by estimating optimal ransom demands and by laundering cryptocurrency,” Vorndran said. LockBit “even offers discounts for high-volume customers.”