Pierluigi Paganini February 21, 2024

U.S. government offers rewards of up to $15 million for information that could lead to the identification or location of LockBit ransomware gang members and affiliates.

The U.S. Department of State is offering a reward of up to $15 million for information leading to the identification or location of members of the Lockbit ransomware gang and their affiliates. 

“The Department of State is announcing reward offers totaling up to $15 million for information leading to the arrest and/or conviction of any individual participating in a LockBit ransomware variant attack and for information leading to the identification and/or location of any key leaders of the LockBit ransomware group.” reads the press release published by the U.S. Department of State.

According to the press release published by the Department of State , the Lockbit ransomware operators carried out over 2,000 attacks against victims worldwide since January 2020. LockBit ransomware attacks have resulted in ransom payments exceeding $144 million for recovery.

The rewards are provided under the Transnational Organized Crime Rewards Program (TOCRP) which already targeted other ransomware operations.

The Department of State has set up a Tor website that can be used to anonymously provide information on LockBit’s operation.

Yesterday, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.

The Operation Cronos operation is still ongoing and NCA announced that more information have yet to be shared.

The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.

The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.

The Tor leak site was seized by the NCA and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.


The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.

Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.

“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.” reads the NCA’s announcement. “The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.”

The US Department of Justice has charged two individuals for orchestrating ransomware attacks using the LockBit ransomware, they are currently in custody and will undergo trial in the US.

“The Justice Department also unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Today, additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California.” reads the press release published by DoJ. 

“Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption.”

Additionally, the US authorities has unveiled indictments against two Russian nationals, accusing them of conspiring to carry out LockBit attacks.

The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA will reach out to victims based in the UK in the coming days and weeks, providing support to help them recover encrypted data.

The free decryptor for the Lockbit ransomware can be downloaded from the website of the ‘No More Ransom’ initiative. It’s unclear which version of the ransomware is targeted by the decryptor.

LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

you might also like

leave a comment