www.theregister.com
104.18.5.22
Public Scan
URL:
https://www.theregister.com/2024/02/23/lockbit_identity_reveal/
Submission: On February 26 via api from TR — Scanned from DE
Form analysis
2 forms found in the DOM
POST /CBW/custom
<form id="RegCTBWFAC" action="/CBW/custom" class="show_regcf_custom" method="POST">
<h5>Manage Cookie Preferences</h5>
<ul>
<li>
<label>
<input type="checkbox" disabled="disabled" checked="checked" name="necessary" value="necessary">
<strong>Necessary</strong>. <strong>Always active</strong>
</label>
<label for="accordion_necessary" class="accordion_toggler">Read more<img width="7" height="10" alt="" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icon/arrow_down_grey.svg" class="accordion_arrow"></label>
<div class="accordion">
<input type="checkbox" id="accordion_necessary">
<p class="accordion_info"> These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect. </p>
</div>
</li>
<li>
<label>
<input type="checkbox" name="tailored_ads" value="tailored_ads">
<strong>Tailored Advertising</strong>. </label>
<label for="accordion_advertising_tailored_ads" class="accordion_toggler">Read more<img width="7" height="10" alt="" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icon/arrow_down_grey.svg"
class="accordion_arrow"></label>
<div class="accordion">
<input type="checkbox" id="accordion_advertising_tailored_ads">
<p class="accordion_info"> These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers,
and in some cases selecting advertisements that are based on your interests. </p>
</div>
</li>
<li>
<label>
<input type="checkbox" name="analytics" value="analytics">
<strong>Analytics</strong>. </label>
<label for="accordion_analytics" class="accordion_toggler">Read more<img width="7" height="10" alt="" src="/design_picker/d2e337b97204af4aa34dda04c4e5d56d954b216f/graphics/icon/arrow_down_grey.svg" class="accordion_arrow"></label>
<div class="accordion">
<input type="checkbox" id="accordion_analytics">
<p class="accordion_info"> These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our
sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance. </p>
</div>
</li>
</ul> See also our <a href="https://www.theregister.com/Profile/cookies/">Cookie policy</a> and <a href="https://www.theregister.com/Profile/privacy/">Privacy policy</a>. <input type="submit" value="Accept Selected" class="reg_btn_primary"
name="accept" id="RegCTBWFBAC">
</form>
POST /CBW/all
<form id="RegCTBWFAA" action="/CBW/all" method="POST" class="hide_regcf_custom">
<input type="submit" value="Accept All Cookies" name="accept" class="reg_btn_primary" id="RegCTBWFBAA">
</form>
Text Content
CYBER-CRIME

LOCKBIT IDENTITY REVEAL A BIGGER LETDOWN THAN GAME OF THRONES SEASON 8

NCA STILL LEFT ENOUGH FOR ONLOOKERS TO WONDER IF THERE'S ANYTHING MORE TO COME

Connor Jones
Fri 23 Feb 2024 // 16:25 UTC

The grand finale of the week of LockBit leaks was slated to expose the real identity of LockBitSupp – the alias of the gang's public spokesperson – but the reveal has fallen short of expectations.

Members of the global infosec community were gearing up for a mammoth revelation today following a week of incredible insights into the LockBit operation, but were left underwhelmed by authorities who in the end revealed very little.

The post dispels some previous claims of LockBitSupp, including that he lived in the US and separately that he lived in the Netherlands – both of which have been confirmed to not be true.
That's pretty much a given at this point – authorities would almost certainly have nabbed him by now if he resided pretty much anywhere other than China, North Korea, Iran, or Russia, where he's likely holed up.

Another crumb of information revealed was that he drives a Mercedes, not a Lamborghini as he's previously claimed. Operation Cronos said he may find it difficult to source parts for this, a jibe referencing the sanctions placed on Russia since it invaded Ukraine two years ago this week.

The short post was rounded off with the following:

We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with Law Enforcement :)

The last line is what appears to have captured the attention of many. Is the leader of LockBit informing Operation Cronos on matters related to the wider investigation of the criminal enterprise? Could this be a ruse to rattle his closest allies into abandoning him and giving him up themselves? Or is it being purposefully vague to make more of a short exchange, to stoke speculation?

We asked the National Crime Agency (NCA) this morning about this, and whether it could share any more information, but it politely said no for now.

After a week filled with juicy leaks, today's grand finale is a damp squib to round off what has been one of the most compelling weeks in the cybersecurity world in recent memory.

Speaking to the malware collectors at vx-underground earlier this week, LockBit's staff said they firmly believed law enforcement was unaware of their real identities. The previous $1 million reward the gang offered to anyone who could message them their real names was raised to $20 million as a gesture of their confidence that their identities remained safe, even after the takedown.

The criminals also said they could bring their infrastructure back online, despite Cronos's claim to have destroyed every last server.
Just what has LockBitSupp been helping Cronos with, if anything at all, is a question that will hopefully be answered before too long.

HOW THE LOCKBIT LEAKS UNFOLDED

The lackluster "reveal" of LockBitSupp's true identity is the sour cherry on top of a week full of landmark exposures from Operation Cronos, which took down LockBit on February 20.

The rumor started whirling the evening before, with the infosec community fearing a repeat of the US's failed takedown of ALPHV/BlackCat a month earlier. But sure enough, law enforcement avoided a second embarrassment, instead pulling it off with humor and style.

The NCA led the efforts that saw LockBit's site, which once hosted the myriad victims its affiliates claimed over the years, transformed into a hub of leaks compiled after authorities ransacked its systems.

Maximizing the publicity value of the takedown, the NCA turned LockBit's countdown timers against them. Once used to taunt victims before their stolen data was published, the timers were repurposed to tease various "drops" of information, usually at 0700 UTC daily.

The first day saw decryption keys released, indictments announced, arrests made, and various leaks from LockBit's backend. The NCA said it took control of the site and told the story of how each and every LockBit server, like the gang itself, was destroyed.

* Authorities dismantled LockBit before it could unleash revamped variant
* Ukrainian police arrest father and son in suspected LockBit affiliate double act
* LockBit leaks expose nearly 200 affiliates and bespoke data-stealing malware
* Cops turn LockBit ransomware gang's countdown timers against them

The portal used only by affiliates was also defaced, displaying a message to each LockBit member upon logging in essentially saying authorities know who they are and they're coming for them. Awesome stuff.
Speaking of affiliates, a full list of each LockBit 3.0 affiliate was released the following day, revealing their alias and the date they joined the organized cybercrime empire.

Accompanying that leak were the details of StealBit, LockBit's bespoke data exfiltration tool it gave to affiliates to make attacks that little bit easier – a continuation of Operation Cronos's ambition to expose every corner of LockBit.

More details about the arrests were revealed the following day, including the fact that not one but two affiliate arrests were made in Ukraine, and that they were a father-son double act – an unusual and surprising finding. Polish police published a video of their arrest of one affiliate, offering viewers a glimpse of his identity and living arrangements.

Continuing on the theme of arrests, the US announced it would offer $10-15 million as a reward to anyone who could provide the feds with information leading to the arrest, identification, or conviction of LockBit's leadership.

It was later revealed that the Telegram account set up by the FBI to receive such tip-offs had the display name "FBI Supp" – one of the many small mockeries of LockBit authorities made this week.

Capping off the day's announcements, and keeping this reporter exceptionally busy, private sector partners in the investigation dropped their various reports on the LockBit organization.

Trend Micro offered an insight into the next-generation ransomware variant that was under development at the time of LockBit's takedown, a finding that could offer a window into the future endeavors of the gang's leaders, who remain at large.

That brought us to today, where we learned of LockBitSupp's possible snitchery, and also peeked under the hood of the gang's finances. The data authorities gathered blew previous estimations of LockBit's wealth out of the water, suggesting the group likely extorted billions of dollars from victims over its four years in operation.
Its website will be shut down for good at midnight on Sunday, February 25. Good night and good riddance to one of the most prolific cybercrime rings ever run – one that targeted hospitals and schools. It certainly won't be missed. ®