LockBit identity reveal a bigger letdown than Game of Thrones Season 8 – Source: go.theregister.com

The grand finale of the week of LockBit leaks was slated to expose the real identity of LockBitSupp – the alias of the gang’s public spokesperson – but the reveal has fallen short of expectations.

Members of the global infosec community were gearing up for a mammoth revelation today following a week of incredible insights into the LockBit operation, but were left underwhelmed by authorities who in the end revealed very little.

The post dispels some previous claims of LockBitSupp, including that he lived in the US and separately that he lived in the Netherlands – both of which have been confirmed to not be true.

That’s pretty much a given at this point – authorities would almost certainly have nabbed him by now if he resided pretty much anywhere other than China, North Korea, Iran, or Russia, where he’s likely holed up.

Another crumb of information revealed was that he drives a Mercedes, not a Lamborghini as he’s previously claimed. Operation Cronos said he may find it difficult to source parts for this, a jibe referencing the sanctions placed on Russia since it invaded Ukraine two years ago this week.

The short post was rounded off with the following: 

The last line is what appears to have captured the attention of many. Is the leader of LockBit informing Operation Cronos on matters related to the wider investigation of the criminal enterprise? Could this be a ruse to rattle his closest allies into abandoning him and giving him up themselves? Or is it being purposefully vague to make more of a short exchange, to stoke speculation?

We asked the National Crime Agency (NCA) this morning about this, and whether it could share any more information, but it politely said no for now.

After a week filled with juicy leaks, today’s grand finale is damp squib to round off what has been one of the most compelling weeks in the cybersecurity world in recent memory.

Speaking to the malware collectors at vx-underground earlier this week, LockBit’s staff said they firmly believed law enforcement was unaware of their real identities.

The previous $1 million reward the gang offered to anyone who could message them their real names was raised to $20 million as a gesture of their confidence that their identities remained safe, even after the takedown.

The criminals also said they could bring their infrastructure back online, despite Cronos’s claim to have destroyed every last server.

Just what has LockBitSupp been helping Cronos with, if anything at all, is a question that will hopefully be answered before too long.

How the LockBit leaks unfolded

The lackluster “reveal” of LockBitSupp’s true identity is the sour cherry on top of a week full of landmark exposures from Operation Cronos, which took down LockBit on February 20.

The rumor started whirling the evening before, with the infosec community fearing a repeat of the US’s failed takedown of ALPHV/BlackCat a month earlier. 

But sure enough, law enforcement avoided a second embarrassment, instead pulling it off with humor and style.

The NCA led the efforts that saw LockBit’s site, which once hosted the myriad victims its affiliates claimed over the years, transformed into a hub of leaks compiled after authorities ransacked its systems.

Maximizing the publicity value of the takedown, the NCA turned LockBit’s countdown timers against them. Once used to taunt victims before their stolen data was published, the timers were repurposed to tease various “drops” of information, usually at 0700 UTC daily.

The first day saw decryption keys released, indictments announced, arrests made, and various leaks from LockBit’s backend. The NCA said it took control of the site and told the story of how each and every LockBit server, like the gang itself, was destroyed.

• Authorities dismantled LockBit before it could unleash revamped variant
• Ukrainian police arrest father and son in suspected LockBit affiliate double act
• LockBit leaks expose nearly 200 affiliates and bespoke data-stealing malware
• Cops turn LockBit ransomware gang’s countdown timers against them

The portal used only by affiliates was also defaced, displaying a message to each LockBit member upon logging in essentially saying authorities know who they are and they’re coming for them. Awesome stuff.

Speaking of affiliates, a full list of each LockBit 3.0 affiliate was released the following day, revealing their alias and the date they joined the organized cybercrime empire. 

Accompanying that leak were the details of StealBit, LockBit’s bespoke data exfiltration tool it gave to affiliates to make attacks that little bit easier – a continuation of Operation Cronos’s ambition to expose every corner of LockBit.

More details about the arrests were revealed the following day, including the fact that not one but two affiliate arrests were made in Ukraine, and that they were a father-son double act – an unusual and surprising finding.

Polish police published a video of their arrest of one affiliate, offering viewers a glimpse of his identity and living arrangements.

Continuing on the theme of arrests, the US announced it would offer $10-15 million as a reward to anyone who could provide the feds with information leading to the arrest, identification, or conviction of LockBit’s leadership.

It was later revealed that the Telegram account set up by the FBI to receive such tip-offs had the display name “FBI Supp” – one of the many small mockeries of LockBit authorities made this week.

Capping off the day’s announcements, and keeping this reporter exceptionally busy, private sector partners in the investigation dropped their various reports on the LockBit organization.

Trend Micro offered an insight into the next-generation ransomware variant that was under development at the time of LockBit’s takedown, a finding that could offer a window into the future endeavors of the gang’s leaders, who remain at large.

That brought us to today, where we learned of LockBitSupp’s possible snitchery, and also peeked under the hood of the gang’s finances.

The data authorities gathered blew previous estimations of LockBit’s wealth out of the water, suggesting the group likely extorted billions of dollars from victims over its four years in operation.

Its website will be shut down for good at midnight on Sunday, February 25. Good night and good riddance to one of the most prolific cybercrime rings ever run – one that targeted hospitals and schools. It certainly won’t be missed. ®