Skip to main content

Search site

Find podcasts, news, articles, webinars, and contributors in one search.

2 Minute Drill
2 Minute Drill artwork

LockBit Is Gone, but Now There Are 41 Gangs in Its Place | 2 Minute Drill with Drex DeFord

About This Episode

In February 2024, LockBit affiliates logged into their ransomware mothership and found it had been seized by the FBI and the UK's National Crime Agency. The countdown clock ran out, and the feds answered the one question LockBit spent years protecting: who runs this place? Dmitry Khoroshev, 31, going by LockBitSupp. Over $100 million in earnings. A $10 million bounty on his head. A clean win.

Except the criminal world didn't fold. It fractured. When affiliates realized the FBI had been living inside Hive and the Brits inside LockBit for months, trust collapsed across the board. Paranoid criminals don't quit, they scatter. Researchers counted 41 brand-new ransomware gangs in a single year.

Remember, Stay a Little Paranoid

Contributors

People featured in this episode — open a profile for more.

Transcript

Hey everyone, I'm Drex and this is the Two Minute Drill. It's great to see you today. Here's some stuff you might want to know about. There's a website on the dark web. It's the kind of website most people never see. It's where a ransomware gang called LockBit posted the names of the companies it had robbed, and for years it was one of the most feared addresses on the internet. But in February 2024, LockBit affiliates logged in like always. They logged into the mothership to see what the next deal was gonna be, but the site had changed. Where the stolen data used to sit, there was a countdown clock and a message from the FBI and the UK's National Crime Agency. They'd seized the whole thing, the whole site, the affiliate list, the negotiation logs, the back end servers. And then the countdown clock ran out, and the FBI answered the one question LockBit had spent years protecting, "Who runs this place?" His name is Dmitry Khoroshev, a 31-year-old in Russia who went by LockBitSupp, and believed he was untouchable. Prosecutors say he pulled in more than $100 million. The State Department had put a $10 million bounty on his head And all of that's a clean win. The authorities, the hunters, they took the gang's own website and they used it to unmask the boss. So you figure that the story ends with a ransomware gang on their back foot. But it didn't quite go that way. Something strange happened inside the criminal world after LockBit and another associated cyber threat group called Hive were taken down. The crooks stopped trusting each other. If the FBI could embed itself inside of Hive and the Brits could live inside of LockBit for months, the bad guys realized that their affiliates, the folks that you're partnering with right now, uh, they might be cops. John Fokker, who used to be a police official in the Netherlands and now tracks these gangs, calls it a Mexican standoff. Everybody's suspicious of everybody else now. And paranoid criminals don't quit, they scatter. A big centralized gang shattered into pieces. Researchers at Malwarebytes counted 41 brand new ransomware gangs in a single year. The top 10 gangs used to account for nearly 70% of all the attacks, and now it's about half. More crews, smaller, faster, harder to name, harder to track. An important part of this crime fighting is the ability to attribute ransomware and other crimes to specific groups. It helps the good guys understand the pattern of how these cyber gangs execute their crimes. But when a couple of gangs splinter into 40 plus groups, and a lot of those use the tools and playbooks from their former employers, well, attribution becomes way more difficult. So what does this mean for you? The takedowns were good and necessary, but the threats that you're defending against today are messier than the one from two years ago. Today, you're kind of facing a swarm, 30 or 40 small groups that improvise. Half of them are too new to have a name or a reputation yet. The playbook built around one big name adversary doesn't map onto 30 no-names. At least it doesn't as well as it probably should. When you brief your board on ransomware, are you describing last year's enemy? Do your tabletop exercises assume that the gang that you're fighting with will be one that you recognize and have intel on? And if the group hitting you right now didn't exist six months ago, would your team even know who they were fighting against? The cyber adversary world becomes more complicated on a daily basis, but you need to understand the shifting environment, the shifting landscape, because knowing which gang you're up against during a real-world cyber event can mean the difference between hours of downtime and months of downtime. That's it for today's two-minute drill. Drop me a note. Let me know what you're working on. I'm always happy to hear from you. I'm drex@229project.com. Thanks for being here. Stay a little paranoid, and I will see you around campus

Found this useful? Share it with your network