The FBI is urging victims of one of the most prolific ransomware groups to come forward after agents recovered thousands of decryption keys that may allow the recovery of data that has remained inaccessible for months or years.
The revelation, made Wednesday by a top FBI official, comes three months after an international roster of law enforcement agencies seized servers and other infrastructure used by LockBit, a ransomware syndicate that authorities say has extorted more than $1 billion from 7,000 victims around the world. Authorities said at the time that they took control of 1,000 decryption keys, 4,000 accounts, and 34 servers and froze 200 cryptocurrency accounts associated with the operation.
At a speech before a cybersecurity conference in Boston, FBI Cyber Assistant Director Bryan Vorndran said Wednesday that agents have also recovered an asset that will be of intense interest to thousands of LockBit victims—the decryption keys that could allow them to unlock data that’s been held for ransom by LockBit associates.
“Additionally, from our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” Vorndran said after noting other accomplishments resulting from the seizure. “We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.”
The number of decryption keys now in the possession of law enforcement is significantly higher than the 1,000 keys authorities said they had obtained on the day the takedown was announced.
The assistant director warned that recovering decryption keys by purchasing them from the operators solves only one of two problems for victims. Like most ransomware groups, LockBit follows a double-extortion model, which demands a bounty not only for the decryption key but also the promise not to sell confidential data to third parties or publish it on the Internet. While the return of the keys may allow victims to recover their data, it does nothing to prevent LockBit from selling or disseminating the data.
“When companies are extorted and choose to pay to prevent the leak of data, you are paying to prevent the release of data right now—not in the future,” Vorndran said. “Even if you get the data back from the criminals, you should assume it may one day be released, or you may one day be extorted again for the same data.”
It stands to reason that victims who obtain one of the 7,000 keys recovered by law enforcement face the same threat that their data will be released unless they pay.
The fight against ransomware is marked with similarly limited victories, and efforts to curb LockBit’s activities are no different. Authorities arrested one LockBit associate named Mikhail Vasiliev in 2022 and secured a four-year prison sentence against him in March. Last month, authorities named the shadowy LockBit kingpin as 31-year-old Russian national Yuryevich Khoroshev.
Despite those actions and the February seizure of key LockBit infrastructure, LockBit-based malware has continued to spread. Researchers have also observed new LockBit attacks and the release of new encryptors by the group. Since the law enforcement operation, LockBit associates have also released tranches of data stolen from victims both before and since.
The US State Department is offering $10 million for information that leads to the arrest or conviction of LockBit leaders and $5 million for affiliates of the group.