FBI urges LockBit ransomware victims to come forward
At a conference in Boston, the FBI Cyber Division’s assistant director urged LockBit ransomware victims to contact IC3 to obtain a decryption key.
During a keynote address at the 2024 Boston Conference on Cyber Security, the FBI urged LockBit ransomware victims to visit the Internet Crime Complaint Center (IC3) for assistance and decryption keys.
Bryan Vorndran, assistant director of the FBI’s Cyber Division, delivered the keynote and discussed the FBI’s strategies for disrupting cyber adversaries, with a particular focus on LockBit.
As previously reported, LockBit ransomware was one of the most prolific ransomware variants in the world in 2022 and 2023. LockBit has claimed responsibility for multiple attacks in the healthcare sector, including a November 2023 cyberattack on Capital Health that resulted in system downtime.
The FBI, along with UK authorities, disrupted LockBit in February 2024 by seizing multiple public-facing websites and servers used by LockBit administrators, concluding an investigation that spanned three years. Vorndran explained that the FBI identified the creator of LockBit as Dimitri Khoroshev.
“Last month, the Justice Department unsealed charges against him and six co-conspirators for fraud, extortion, and other crimes,” Vorndran explained. “In total, that included 26 charges against Khoroshev. FBI will undoubtedly continue our pursuit of bringing him to justice here in the United States.”
In addition to tracking down Khoroshev, the FBI is focused on helping LockBit victims with the more than 7,000 decryption keys it has obtained.
“We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov,” Vorndran stated.
In addition to discussing LockBit news, Vorndran shed light on target identification for ransomware actors and provided tips for mitigating risk.
“Ransomware actors evaluate three key things. First, who is easily targetable? Second, who is likely to pay based on brand damage? Finally, who will pay the most?” Vorndran said.
“Put in more industry standard terms: who doesn’t have good net defense, has a high willingness to pay, and will suffer the most economic impact from the encryption of key systems?”
In many cases, critical infrastructure entities end up in the target pool due to the impact that unavailable systems can have on operations, forcing ransom payments. However, the FBI stressed that paying a ransom does not guarantee that impacted data is safe from future compromise.
Despite the intensity of the ransomware threat landscape, Vorndran stressed that the simplest mitigation efforts can go a long way.
“Doing the basics well in a repeatable fashion is the most important thing you can do,” Vorndran noted.
“Well-established cybersecurity practices—including MFA [multi-factor authentication] and password management, effective logging and log management, vulnerability and patch management, and maintaining air-gapped, encrypted, and current backups—have to be done in a repeatable fashion by your entire organization.”
During his keynote presentation, Vorndran also emphasized the importance of business continuity, disaster recovery and crisis management plans, and provided guidance on conducting incident response exercises.
Vorndran concluded his speech by noting that the most powerful cyber threat intelligence is held by people outside the US government, highlighting the importance of partnerships and knowledge sharing.
“Not one of our past—or future—disruptions is possible without exceptional partnerships. We have to realize, and execute upon this theme, that we are in this together. We are stronger together,” Vorndran said.
“My ask of each of you today is this: Please be an ambassador for this message. We need everyone—private industry, nonprofits, academia, the U.S. government—in the boat, rowing in the same direction. This is how we will be most effective.”