FBI obtains 7,000 LockBit decryption keys providing some victims relief

Hogan Lovells

Victims of LockBit ransomware attacks can reach out to the FBI for decryption keys and all companies can prepare against ransomware attacks.


The FBI secured 7,000 LockBit decryption keys, providing victims of LockBit ransomware with the ability to unlock stolen data that was inaccessible for months or years.

In February, the FBI and 10 international agencies engaged in Operation Cronos to take down LockBit infrastructure, impose sanctions on LockBit and its affiliates, and obtain decryption keys. Victims of LockBit’s ransomware attacks can contact the FBI to access these decryption keys and unlock stolen data by visiting the Internet Crime Complaint Center.

Responsible for the most-deployed ransomware variant in 2022, LockBit is a Russia-based operation that uses a ransomware-as-a-service model. With this lucrative business model, LockBit licenses LockBit ransomware to other cyber criminals, enabling them to launch their own cyberattacks and steal data. Affiliates of LockBit have attacked organizations of varying sizes and in many different industries including financial services, healthcare, and food and agriculture.

LockBit and its affiliates are known for using double extortion tactics that include data encryption and data theft. But they may keep a copy of the data even after an initial ransom is paid and the data is unlocked for the victim, with nothing preventing LockBit from later demanding additional payments in exchange for not selling or releasing the stolen data.

Even after Operation Cronos, LockBit remains active, and organizations worldwide face the risk of LockBit ransomware attacks. LockBit has released stolen data from before and after the operation. The U.S. State Department is offering a reward of $10 million for information leading to the arrest or conviction of LockBit leaders and $5 million for LockBit affiliates.

To guard against LockBit malware, the FBI advises that companies:

  • Implement well-established cybersecurity practices across the entire organization, including MFA, password management, logging and log management, vulnerability and patch management, and maintaining backups;
  • Plan for business continuity, crisis management, disaster recovery, and computer intrusion incident response; and
  • Work through multiple scenarios at the operational, executive, and board levels, with special focus on decision-making related to internal and external communications, whether to pay a ransomware demand, and whether to share information with the U.S. government.

Summer associate Madeline Strasser contributed to this post. 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
