Authorities allege that LockBit administrator “LockBitSupp” has engaged with law enforcement


LockBitSupp, the person(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, “has engaged with law enforcement,” authorities said.

The development follows the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. More than 14,000 fraudulent accounts on third-party services such as Mega, Protonmail and Tutanota used by the criminals have been closed.

“We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has been involved with law enforcement,” said one message posted on the now-seized (and offline) data leak site on the dark web.

The move has been interpreted by long-term observers of LockBit as an attempt to arouse suspicion and sow distrust among its affiliates, ultimately undermining trust in the group within the cybercrime ecosystem.

According to research published by Analyst1 in August 2023, there is evidence to suggest that at least three different people have been running the “LockBit” and “LockBitSupp” accounts, one of whom is the leader of the gang himself.


However, in a conversation with the malware research group VX-Underground, LockBit declared that “they didn’t believe the police knew his/her/their identity.” The group also increased the reward it offers to anyone who can send it their real name to $20 million. It is worth noting that the reward had already been raised from $1 million USD to $10 million at the end of last month.

LockBit – also called Gold Mystic and Water Selkie – has had several iterations since its inception in September 2019, namely LockBit Red, LockBit Black and LockBit Green, with the cybercrime syndicate also secretly developing a new version called LockBit-NG-Dev before the infrastructure was dismantled.

“LockBit-NG-Dev is now written in .NET and compiled using CoreRT”, Trend Micro said. “If the code is deployed alongside the .NET environment, it can be more cross-platform. It removes the ability to self-propagate and the ability to print ransom notes via the user’s printers.”

One of the notable additions is a validity period: the malware only continues executing if the current date falls within a specific date range, suggesting that the developers are trying to prevent the malware’s reuse and resist automated analysis.

The work on the next-generation variant is said to have been fueled by a number of logistical, technical and reputational issues, caused in particular by the leak of the ransomware builder by a disgruntled developer in September 2022 and by suspicions that one of its administrators may have been replaced by government agents.

It also didn’t help that the LockBit-managed accounts were banned from Exploit and XSS in late January 2024 for failing to pay an initial access broker that granted them access.

“The actor came across as someone who was ‘too big to fail’ and even showed contempt for the arbitrator who would decide the outcome of the claim,” Trend Micro said. “This discourse showed that LockBitSupp is likely using their reputation to leverage more leverage when negotiating payment for access or share of ransom payments with affiliates.”

PRODAFT, in its own analysis of the LockBit operation, said it has identified more than 28 affiliates, some of whom share ties with other Russian e-crime groups such as Evil Corp, FIN7 and Wizard Spider (also known as TrickBot).

These connections are also evidenced by the fact that the gang operated as a ‘nesting doll’ with three different layers, giving the outward appearance of an established RaaS scheme that relied on dozens of affiliates, while secretly employing highly skilled penetration testers from other ransomware groups by forging personal alliances.


The smokescreen manifested itself in the form of a so-called Ghost Group model, according to RedSense researchers Yelisey Bohuslavskiy and Marley Smith, with LockBitSupp “merely serving as a distraction from actual operations.”

“A Ghost Group is a group that has very high capabilities but transfers them to another brand by allowing the other group to outsource activities to them,” they said. “The clearest version of this is Zeon, which has outsourced its skills to LockBit and Akira.”

The group is estimated to have made over $120 million in illicit profits during its multi-year run, becoming the most active ransomware player in history.

“Given that the number of confirmed attacks by LockBit over the four years of LockBit’s operation totals over 2,000, this suggests that their global impact is in the region of billions of dollars,” the UK’s National Crime Agency (NCA) said.

Needless to say, Operation Cronos has likely caused irreparable damage to the criminal organization’s ability to continue ransomware activities, at least under its current brand name.

“Rebuilding the infrastructure is highly unlikely; LockBit’s leadership is highly technically incompetent,” RedSense said. “People to whom they delegated their infrastructural development have long since left LockBit, as evidenced by the primitivism of their infrastructure.”

“[Initial access brokers] who were the main source of LockBit’s business will not trust their access to a group after a takedown because they want their access to be converted into cash.”
