No Big Reveal: Cops Don't Unmask LockBit's LockBitSupp
After Teasing 'Who Is LockBitSupp,' Cops Say He's 'Engaged With Law Enforcement'
"Who is LockBitSupp?" Police promised to reveal the answer to that question, unmasking the identity of "LockBit Support," the public mouthpiece for the notorious ransomware-as-a-service gang they infiltrated and disrupted earlier this week.
At the appointed time, when the big reveal came, law enforcement disclosed very little, except to say they appear to be in touch. "We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement :)," according to a message posted to LockBit's Tor-based data leak site, seized by authorities earlier this week.*
The law enforcement statement, running alongside an image of a cartoon cat, said that contrary to previous claims, LockBitSupp doesn't live in the U.S. or the Netherlands and doesn't drive a Lamborghini but instead a Mercedes, "though parts may be hard to source."
Multiple security experts took to social media and described the big reveal as being a touch anticlimactic. Some had pulled all-nighters waiting for the promised reveal Friday at 7 a.m. GMT, at which point law enforcement announced a five-hour delay - for unspecified reasons. "We stayed up to 2 a.m. for the FBI / NCA UK / EUROPOL 'Who is LockbitSupp?'" tweeted malware researcher vx-underground.
International law enforcement agencies had been teasing the release of LockBitSupp's real identity since their Monday seizure of the group's dark web leak site, posting a countdown timer with the heading "Who is LockBitSupp?"
A joint investigation spearheaded by the cybercrime division of Britain's National Crime Agency and involving 10 countries' law enforcement agencies infiltrated and disrupted LockBit under the banner of Operation Cronos. U.S. officials said the group had successfully hit over 2,000 organizations, causing massive amounts of damage and receiving more than $144 million via cryptocurrency ransom payments made by victims (see: Arrests and Indictments in LockBit Crackdown).
The countdown timer is a ransomware trope, attempting to increase the pressure on a nonpaying victim to pony up before criminals leak stolen data. Only in this case, the U.S. State Department has offered rewards of up to $10 million for information leading to the arrest or conviction of LockBit's leadership, or up to $5 million for the same intelligence on anyone who conspired to work with the group.
Perhaps a Persona
Ransomware tracker Jon DiMaggio has interacted virtually with LockBitSupp on multiple occasions, and he found inconsistencies across different interactions. His hypothesis is that two or possibly three different individuals in total have run the persona, including the group's actual leader.
The actual leader of LockBit - LockBitSupp Prime, if you will - appears to be erratic. "It's a business that's run by an ego-driven CEO that has massive insecurities," DiMaggio said. No matter the sophistication of the group's attack code, "I think that what will eventually lead to their demise is that sort of ego and the constant overreacting because of their insecurities."
One sign of that erratic behavior came in the form of a $50,000 bug bounty that LockBit offered for anyone who could find flaws in its crypto-locking malware. DiMaggio said that when someone did find and report a flaw, the leadership paid out but docked the $50,000 from the main LockBit developer's salary. In a huff, he quit, leaked the LockBit source code and began publicly denigrating the group. Subsequently, other groups began using LockBit's leaked code.
Deep Connections
DiMaggio said in an interview in early 2023 that the leader of LockBit appeared to have connections to the leader of REvil - Sodinokibi - as well as DarkSide, which hit Colonial Pipeline and morphed into BlackMatter and later Alphv, aka BlackCat. The group also appeared to be working with a former key developer for the long-running cybercrime group FIN7.
Despite many groups coming and going, the number of top-tier individuals in the ransomware world doesn't appear to be large. "It's a really limited crowd of people. It's the same people that were there back in 2018, and they're still here in 2024," Yelisey Bohuslavskiy, co-founder and chief research officer at RedSense, recently told Information Security Media Group (see: Is Ransomware Finally in Decline? Groups Are 'Struggling').
Any Publicity Is Good Publicity
At the end of last month, the Russian-language XSS and Exploit cybercrime forums reported banning LockBitSupp for refusing to pay an initial access broker, who uses the handle "michon," after using access that michon had provided. Never mind that XSS and other forums had previously claimed to ban all ransomware business from their boards. The ban came after XSS' leadership ordered LockBitSupp to pay michon 10% of the resulting ransom payment and he failed to comply.
"LockBitSupp displayed a degree of arrogance when responding to both the claimant and other supporters who weighed in on the topic," Trend Micro said. "The actor came across as someone who was 'too big to fail' and even showed disdain to the arbitrator who would make the decision on the outcome of the claim."
Security experts said the LockBitSupp persona appeared to have been designed to keep the group in the public eye, not least by denigrating rivals and granting interviews. LockBitSupp garnered massive attention after saying anyone who got tattooed with the group's logo would receive $1,000 - this appears to have been a lie - and after offering a $1 million bounty to anyone able to reveal LockBitSupp's true identity.
This increased the group's profile, likely helping to recruit affiliates and drive more victims to quickly pay a ransom.
"One can have different opinions about LockBitSupp, but they definitely were able to trick English-speaking audiences into putting them and their group at the top of Google search lists, and this was an important win," researchers at RedSense said in a report.
Smokescreen
By mid-2023, the ransomware-as-a-service business model was failing, and LockBit's leadership began using highly skilled contractors, or "ghost groups," to quietly hit large victims, exfiltrate large amounts of data and receive numerous ransom payments, RedSense said. By 2024, as these attacks continued, LockBitSupp served "as a mere distraction for actual operations," by pretending LockBit was still a RaaS group and drawing attention to its data leak blog, when the vast majority of its profits derived from small teams of "pentesters" largely drawn from the Zeon group, formerly known as Conti Team 1, RedSense said.
Questions of Government Ties
Based on Conti internal communications that leaked in May 2022, that group's leader, aka "Stern," apparently had close ties to Russia's Federal Security Service, known as the FSB.
Two initial access brokers in mid-2022 reported severing their ties with LockBit and said the group's administrator had been replaced by "a security apparatus appointee," RedSense reported. While the threat intelligence group couldn't confirm this claim, if true, "this may also explain why so much emphasis was put on the distraction set by LockBitSupp: while low-tier affiliates were posting on Twitter, the real professionals from Conti were attacking high-profile targets all over the world."
As part of their infiltration of LockBit and infrastructure disruption, authorities said, they'll continue to pursue anyone involved in the group. "Our work does not stop here: together with our partners, we are turning the tables on LockBit - providing decryption keys, unlocking victim data and pursuing LockBit's criminal affiliates around the globe," U.S. Deputy Attorney General Lisa Monaco said this week.
*Update Feb. 23, 2024 12:20 UTC: This story has been updated to include the latest law enforcement statement on LockBitSupp's identity.