A day after U.S. and international law enforcement agencies disrupted the operations of notorious ransomware group LockBit, the State Department is offering up to $15 million in rewards for information about the gang’s leaders or its affiliates

The bounties – up to $10 million for information that leads to the arrest or conviction of the leaders and up to $5 million for help in identifying affiliates – puts even more pressure on what has been the most prolific ransomware-as-a-service (RaaS) groups in the last four years.

According to U.S. authorities, the LockBit gang and its affiliates – who get access to LockBit’s malware and infrastructure in exchange for a percentage from the ransoms collected – have run more than 2,000 attacks in the United States and globally since January 2020, collecting more than $144 million in ransom payments.

It also marks the latest effort by the United States and other countries to aggressively pursue ransomware gangs and shut down their operations. The Ragnar Locker and Hive groups found themselves in the crosshairs and, more recently, the BlackCat group – also known as ALPHV – in last December saw their online operations seized by the FBI and Justice Department (DOJ).

The U.S. last week offered $10 million and $5 million rewards for information on BlackCat leaders and affiliates. A week earlier, a similar reward was offered for information about Hive.

A Wide-Ranging Operation

The sprawling operation against LockBit, led by the DOJ and the UK’s National Crime Agency’s (NCA) Cyber Division, included seizing a number of public-facing websites used the group to connect to its infrastructure. The domains now show messages from law enforcement agencies, from reports about LockBit’s activities to rewards for information to details about arrests.

In addition, law enforcement took control of servers used by LockBit administrators, damaging the ability of the group and its affiliates to run double-extortion attacks, which included not only encrypting victims’ data but also stealing files and threatening to publish the stolen data if the ransom wasn’t paid.

Other servers seized were located in the United States and used by LockBit members to host the “StealBit” platform, which was used to organize and transfer victim data.

Double-extortion is becoming the common tactic of ransomware groups, with researchers from BlackFog writing this month that the more than 10,000 appearing on threat actors’ data leak sites last year “is a microcosm of the growing ransomware menace. … Leak sites do not reveal the full scope of impact from ransomware attacks. However, they do provide insight into emerging ransomware as a service groups and ongoing trends such as dual ransomware attacks, where after the initial compromise they send a secondary strain to inflict even more damage.”

Decryption Keys Seized

As part of the operation, law enforcement also got decryption keys from the LockBit infrastructure, which will help victims regain access to their data. At the same time, the FBI and NCA created decryption tools and told organizations attacked by LockBit to contact the FBI to see whether their encrypted systems can be decrypted.

The DOJ also indicted two Russian nationals – Artur Sungatov and Ivan Kondratyev (also known as “Bassterlord”) for deploying the LockBit variant against businesses in the United States in the manufacturing and other sectors and around the world in the semiconductor and other industries. While those indictments were unsealed in New Jersey, Kondratyev also was charged in California for deploying ransomware in that state in 2020.

LockBit over the years has targeted a range of critical infrastructure sectors, including hospitals, education, and financial services, and emergency services institutions, as well as municipal and county governments.

Two Russian Nationals Indicted and Designated

The U.S. Treasury Department also got into the mix, designating both Kondratyev and Sungatov for their roles in LockBit. The department said that Kondratyev – which it spelled as “Kondratiev” and noted that he’s also known as “Fisheye” – also was linked to other ransomware groups, including REvil, RansomEXX, and Avaddon.

All property and other interests the two have in the United States or with U.S. citizens are blocked and must be reported to the U.S. Office of Foreign Assets Control (OFAC). In addition, U.S. citizens can’t transact with the two or risk being designated as well.

“Using all our authorities and working alongside partners in the United Kingdom and around the world, we have now destroyed the online backbone of the LockBit group, one of the world’s most prolific ransomware gangs,” Deputy Attorney General Lisa Monaco said in a statement. “But our work does not stop here: together with our partners, we are turning the tables on LockBit – providing decryption keys, unlocking victim data, and pursuing LockBit’s criminal affiliates around the globe.”

Toby Lewis, global head of threat analysis at Darktrace, said that while the partial takedown of LockBit was a “huge win for global law enforcement,” the ransomware group will likely go underground to regroup and then return to operations.

That said, a lot of good will come from the operation, Lewis said. Almost 1,000 decryption keys were seized, which will let many victims unlock their data and systems. In addition, law enforcement agencies “will be able to unlock their data and systems and, in the longer term, they could go on to turn the affiliate model on itself, using chat logs and information from private forums to pursue, shutdown and arrest LockBit’s network of affiliates,” he said.

“One interesting aspect, however, is LockBit’s reputation,” Lewis added. “Their affiliate model means reputation matters and LockBit may struggle to retain credibility following this shut down, even if they attempt a re-launch. They’ll likely do what any business would do – rebrand.”