Officials Reschedule Big Reveal of LockBit Ransomware Group Leadership’s Identity

Who is LockBitSupp? Police Delay Promise to Reveal Identity
Police are still promising to reveal the identity of LockBit’s public-facing LockBitSupp persona.

“Who is LockBitSupp?” Police promised to reveal the answer to that question, unmasking the identity of “LockBit Support,” the public mouthpiece for the notorious ransomware-as-a-service gang they infiltrated and disrupted earlier this week.


On Friday morning, at the appointed time for making their big reveal, Britain’s National Crime Agency instead announced a five-hour delay, to 12 p.m. GMT.


Security experts pulling all-nighters over the pond criticized the delay. “We stayed up to 2 a.m. for the FBI / NCA UK / EUROPOL ‘Who is LockbitSupp?’” malware researcher vx-underground posted on X.


International law enforcement authorities have been teasing the release of LockbitSupp’s real identity since their Monday seizure of the group’s dark web leak site, posting a countdown timer with the heading “Who is LockbitSupp?”


A joint investigation spearheaded by the cybercrime division of Britain’s National Crime Agency and involving 10 countries’ law enforcement agencies infiltrated and disrupted LockBit under the banner of “Operation Cronos.” U.S. officials said the group successfully hit over 2,000 organizations, causing massive amounts of damage and receiving more than $144 million via cryptocurrency ransom payments made by victims (see: Arrests and Indictments in LockBit Crackdown).


The countdown timer is a ransomware trope, attempting to increase the pressure on a non-paying victim to pony up before criminals leak stolen data. Only in this case, the U.S. State Department has offered rewards of up to $10 million for information leading to the arrest or conviction of LockBit’s leadership, or up to $5 for the same intelligence on anyone who conspired to work with the group.


Perhaps a Persona


Ransomware tracker Jon DiMaggio has interacted virtually with LockBitSupp on multiple occasions, and found inconsistencies across different interactions. His hypothesis is that two or possibly three different individuals in total have run the persona, including the group’s actual leader.


The actual leader of LockBit – LockBitSupp Prime, if you will – appears to be erratic. “It’s a business that’s run by an ego-driven CEO that has massive insecurities,” DiMaggio said. No matter the sophistication of the group’s attack code, “I think that what will eventually lead to their demise is that sort of ego and the constant overreacting because of their insecurities.”


One sign of that erratic behavior came in the form of a $50,000 bug bounty that LockBit offered for anyone who could find flaws in its crypto-locking malware. DiMaggio said that when someone did find and report a flaw, the leadership paid out but docked the $50,000 from the main LockBit developer’s salary. In a huff, he quit, leaked the LockBit source code and began publicly denigrating them. Subsequently, other groups began using LockBit’s leaked code.


Deep Connections


DiMaggio said in an interview in early 2023 that the leader of LockBit appeared to have connections to the leader of REvil – Sodinokibi – as well as DarkSide, which hit Colonial Pipeline, and which morphed into BlackMatter and later Alphv, aka BlackCat. The group also appeared to be working with a former key developer for the long-running cybercrime group FIN7.


Despite many groups coming and going, the number of top-tier individuals in the ransomware world doesn’t appear to be large. “It’s a really limited crowd of people. It’s the same people that were there back in 2018, and they’re still here in 2024,” Yelisey Bohuslavskiy, co-founder and chief research officer at RedSense, recently told Information Security Media Group (see: Is Ransomware Finally in Decline? Groups Are ‘Struggling’).


All Publicity is Good Publicity


At the end of last month, the Russian-language XSS and Exploit cybercrime forums reported booting off LockBitSupp for refusing to pay an internet access broker using the handle “michon,” after using access the broker had provided. (Never mind XSS and other forums previously claiming to have banned all ransomware business from their forums.) The ban came after XSS’ leadership ordered LockBitSupp to pay 10% of the ransom payment to michon, and he failed to comply.


“LockBitSupp displayed a degree of arrogance when responding to both the claimant and other supporters who weighed in on the topic,” Trend Micro said. “The actor came across as someone who was ‘too big to fail’ and even showed disdain to the arbitrator who would make the decision on the outcome of the claim.”


Security experts said LockBitSupp’s persona appeared to be designed to keep the group in the public eye, not least by denigrating rivals and granting interviews. LockBitSupp garnered massive attention after saying anyone who got a tattoo with the group’s logo would receive $1,000 – this appears to have been a lie – as well as by offering a $1 million bounty to anyone able to reveal LockBitSupp’s true identity.


This increased the group’s profile, likely helping to recruit affiliates and drive more victims to quickly pay a ransom.


“One can have different opinions about LockBitSupp, but they definitely were able to trick English-speaking audiences into putting them and their group at the top of Google search lists, and this was an important win,” researchers at RedSense said in a report.


Smokescreen


By mid-2023, the ransomware-as-a-service business model was failing, and LockBit’s leadership began using highly skilled contractors, or “ghost groups,” to quietly hit large victims, exfiltrating large amounts of data and collecting numerous ransom payments, RedSense said. By 2024, with these attacks continuing, LockBitSupp served “as a mere distraction for actual operations,” pretending LockBit was still a RaaS group and drawing attention to its data-leak blog, when the vast majority of its profits derived from small teams of “pentesters” largely drawn from the Zeon group, formerly known as Conti Team 1, it said.


Questions of Government Ties


Based on Conti internal communications that leaked in May 2022, that group’s leader, known as “Stern,” apparently had close ties to Russia’s Federal Security Service, known as the FSB.


Not long after, two initial access brokers in mid-2022 reported severing their ties with LockBit, saying the group’s administrator had been replaced by “a security apparatus appointee,” RedSense reported. While this claim couldn’t be confirmed by the threat-intelligence group, if true, “this may also explain why so much emphasis was put on the distraction set by LockBitSupp: while low-tier affiliates were posting on Twitter, the real professionals from Conti were attacking high-profile targets all over the world.”




As part of their infiltration of LockBit and infrastructure disruption, authorities said they’ll continue to pursue anyone involved in the group. “Our work does not stop here: together with our partners, we are turning the tables on LockBit – providing decryption keys, unlocking victim data and pursuing LockBit’s criminal affiliates around the globe,” U.S. Deputy Attorney General Lisa Monaco said this week.


