cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

LockBit strikes back with ransomware spree

The LockBit ransomware gang has bounced back from its senior administrator being unmasked, with more than 65 leak posts in a single day. We talk to Recorded Future’s Alexander Leslie about what that activity means.

user icon David Hollingworth
Tue, 14 May 2024
LockBit strikes back with ransomware spree
expand image

Days after an international coalition of law enforcement agencies outed one of the LockBit group’s senior hackers as Russian national Dmitry Yuryevich Khoroshev, the gang has shared the details of a tsunami of attacks on its darknet leak site.

On 9 May alone, the gang made 68 posts to its leak site, representing 68 victims who have fallen victim to the gang.

Many of the victims were likely attacked before the Khoroshev announcement, but it’s a sure sign that the gang does not intend to slow its operations despite the sanctions levelled at the unmasked hacker.


It had posted two victims the day before, and 15 on 7 May. In May alone – so far – the gang has claimed more than 100 victims, putting the gang on track to have its busiest month since August last year.

Take that, law enforcement!

Alexander Leslie, threat intelligence analyst at Recorded Future, said the uptick in activity is likely the gang flexing its muscles in the face of recent law enforcement activity.

“This surge of leak site activity likely serves to enable a messaging campaign that signals, to both law enforcement and the general public, LockBit’s continued defiance in the aftermath of law enforcement action,” Leslie told Cyber Daily.

The gang has even gone so far as to deny law enforcement’s claims of identifying Khoroshev.

“At this moment, it is in LockBit’s best interest to deny the allegations because acknowledging law enforcement success will likely precipitate a total collapse of the LockBit business model. In an attempt to rebuild its reputation, LockBit is likely encouraging its affiliates to increase the volume and cadence of public victim disclosures to signal that LockBit is operating ‘business as usual’ and still poses a serious cyber security threat,” Leslie said.

“To be clear, LockBit is still a threat to organisations, but this short-term surge we are currently observing is likely indicative of an attempt to counter law enforcement narratives about the effectiveness of their disruption. LockBit will likely claim responsibility for disruptive and destructive attacks in the coming days, weeks, and months as a form of retaliation. It is now more important than ever to publicly share actionable intelligence related to LockBit and its affiliates, in order to enable defenders to effectively mitigate potential risks.”

Affiliate anxieties

Despite the denials, however, the international sanctions placed against Khoroshev, and his hacking aliases, could have a material effect on the gang’s ransom activities.

“The sanctions will likely impact the ability for LockBit affiliates to solicit ransom payments,” Leslie said. “The sanctions on Khoroshev include both the monikers ‘LockBitSupp’ and ‘LockBit’, the former being Khoroshev’s administrative moniker and the latter being the broader name for the group’s brand.”

“Organisations that find themselves under attack by a ‘LockBit’ affiliate, even if that affiliate has no direct relation to Khoroshev, will likely choose not to pay ransom due to the perceived risk of compliance failure. If LockBit affiliates cannot receive payments from victims, then the ‘ransomware-as-a-service’ business model will collapse.”

As to those affiliates themselves, Leslie feels they must now be in a difficult position.

“The so-called ‘cyber criminal supply chain’ is not one-dimensional, in that ransomware affiliates rely on several other non-ransomware partners to enable operations,” Leslie said. “These include initial access and data leak brokers, third-party malware and tool developers, obfuscation (‘crypting’) services, dark web forums and marketplaces, and more. Cyber crime is an evolving and interconnected ecosystem, of which ransomware is only one part.”

“This announcement likely sows further distrust amongst affiliates, but decoupling from the larger ‘brand’ is more difficult than making a clean break. LockBit affiliates have to consider their exposure to law enforcement, which will follow them to any other ransomware group that they may work with post-LockBit. This not only damages the future business prospects of the affiliate, but it will restrict other ransomware groups from taking on former LockBit affiliates that might pose an operational risk.”

According to Leslie, he expects that the sanctions and other law enforcement activity will ripple throughout the ransomware community “as affiliates try to maintain the continuity of their activities while simultaneously looking for alternatives”.

Enabling the long arm of the law

Leslie also believes that law enforcement can and should keep up the psychological pressure on ransomware gangs to keep them off balance.

“The United States, and its partners around the world, should continue with the practice of disclosing actionable intelligence – such as tactics, techniques, and procedures or indicators of compromise – to prevent future attacks,” Leslie said.

“There is no threat more serious to ransomware operations than a global culture of public-private partnerships and information sharing. The real-time and public disclosure of actionable intelligence will enable defenders to guard more effectively against future LockBit attacks.”

Leslie also believes in the psychological impact of naming and shaming, alongside website seizures, to keep the hackers off balance.

“The seized websites, atmosphere of uncertainty, and even the law enforcement-created memes targeting LockBit will all work to slow the group down. This strategy tarnishes the group’s reputation and sows distrust amongst affiliates,” Leslie said.

“In order to function effectively, LockBit must maintain its brand with a strong public messaging campaign that reassures affiliates of their security, while signalling to the world that LockBit is still a serious cyber security threat. The direct attacks on the LockBit brand undermine this goal, which will weaken LockBit as it attempts to recover, rebuild, or rebrand.”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.