The FBI has announced it obtained over more than 7,000 decryption keys as a result of its operation targeting the LockBit ransomware collective, urging previous victims to come forward and seek support.
Bryan Vorndran, assistant director of the FBI’s Cyber Division, made the announcement during his keynote address at the 2024 Boston Conference on Cyber Security.
At the time of the initial seizure in February, the FBI said it had recovered over 2,500 decryption keys and created a free LockBit 3.0 Black ransomware decryptor, and Vorndran said continued efforts have brought this number up to 7,000.
Vorndran said the ongoing disruption to LockBit caused by the crackdown allowed the FBI to recover the extra keys that victims can use to reclaim their data and get back online.
He added the FBI is trying to get in touch with any parties affected by a LockBit ransomware attack to support them in their recovery.
“We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov. “
Vorndran also touched on some other insights the agency gleaned from their investigation into LockBit’s infrastructure. The FBI found that LockBit and its affiliates were still holding data they promised to delete after receiving ransom payments.
This further complicates the challenge presented to business leaders when they are targeted by a ransomware attack, with no guarantee their cooperation will lead to resolution.
LockBit takedown shows ransomware threat not going anywhere
Despite the progress made by law enforcement agencies, their efforts to put an end to the LockBit organization have failed so far, with the group quickly bouncing back with new servers and dark web domains.
As such, Vorndran was clear the agency’s work was not done, promising it would not go easy on Dimitri Khoroshev, one of the group’s founding members whose identity was revealed in May 2024.
“[The] FBI will undoubtedly continue our pursuit of bringing him to justice here in the United States.”
But Vorndran was clear that the plague of ransomware will not be going anywhere and emphasized businesses need to take their cyber resilience seriously to minimize the disruption these attacks can cause.
This includes developing holistic plans for business continuity, crisis management, disaster recovery, and computer intrusion incident response, and exercising these plans at the executive and board level.
Vorndran said these exercises should have the explicit goal of developing better synergy among decision makers in the organization, and refining the decision-making process itself, highlighting three key areas to focus on.
“First communications. Internal and external communications protocols (and decision making) should be the number-one focus area for all your exercises,” he explained.
“The second goal is related to a ransomware attack and focuses on the ‘pay/no-pay’ decision. If you suffer a ransomware attack, does your organization and its board have clear expectations about when you will and won’t pay the ransom based on organizational impact (e.g. downtime)?`’
“The third goal of your exercises is determining whether you will or won’t share with the U.S. government. This is likely to be the most-debated topic during your exercises. And, even if there is an agreement to share, the second point of evaluation will be: ‘What do we want to share?’”
