“He did not simply take money for himself, but he reinvested it into developing his operation and making it more desirable to criminals,” DiMaggio says. Throughout the lifecycle of the LockBit group, two major updates and releases of its malware happened, with each more capable and easier to use than the last. Analysis from the law enforcement operation by security company Trend Micro shows it was working on a new version too.
DiMaggio says the person he was speaking to privately using the LockBitSupp moniker was “arrogant” but “all business and very serious”—aside from sending cat stickers as part of chats. Publicly, on Russian language cybercrime forums where hackers trade data and discuss hacking politics and news, LockBitSupp was entirely different, DiMaggio says.
“The persona he amplified on the Russian hacking forums was a mix of a supervillain and Tony Montana from Scarface,” DiMaggio says. “He flaunted his success and money, and it rubbed people the wrong way at times.”
In addition to setting a bounty on their own identity, LockBitSupp’s more innovative and erratic side also organized an essay-writing competition on the hacking forums, offered a “bug bounty” if people found flaws in LockBit’s code, and said they would pay $1,000 to anyone who got the LockBit logo as a tattoo. Around 20 people posted pictures and videos of their tattoos.
LockBitSupp was banned from two prominent Russian-language cybercrime forums in January after a complaint was made about their behavior. “They’ve made partners, supporters, haters, and fans over the years,” says Victoria Kivilevich, director of threat research at security firm KELA.
Analysis of cybercrime forums by Kivilevich shows the Russian-language ecosystems had mixed responses, including surprise when LockBit was first compromised by law enforcement. “Users gloating that LockBit finally failed and got what he deserved, making references to his statements where he bragged how [about how] LockBit ‘RaaS’ is secure and better than any other operations,” Kivilevich says.
Other forum users questioned the technical decisions of LockBitSupp and whether they had collaborated with law enforcement, the researcher says. There were forum users who reacted neutrally, “mostly saying the operation won’t affect LockBit much and the operation will continue to exist,” Kivilevich says.
Downfall
After Operation Cronos took LockBit offline in February, it took LockBitSupp only five days to create replica versions of the group’s leak site. The website then started to be filled with apparent victims; it seemed like the LockBit group hadn’t been impacted by having all of its internal secrets accessed by police around the world.
These recently posted victims aren’t what they seem, though, multiple experts say. “The actual law enforcement intervention has been significant,” says Matt Hull, the global head of threat intelligence at cybersecurity firm NCC Group. The NCA says the number of LockBit affiliates has dropped to 69 since its February takedown, while the DOJ indictment says LockBit’s victim count has “greatly diminished” since then.
On top of this, much of the credibility of the LockBit brand has been destroyed. Hull says he is seeing smaller ransomware affiliates and groups “really starting to distance themselves” from LockBit and moving around other RaaS operations. “It’s unlikely that we’ll see another big name like LockBit appearing with those sorts of numbers unless there’s some massive rebranding or some sudden change in allegiance toward the individuals behind LockBit,” Hull says.
As for LockBitSupp, it’s unlikely they’ll respond well to being publicly identified. When Operation Cronos took down LockBit’s systems in February, police repurposed its leak website to publish details about the group itself. After the takedown, the DOJ indictment says, Khoroshev got in touch with law enforcement—but was trying to “stifle his competition.”
He “offered his services in exchange for information regarding the identity of his RaaS competitors,” the indictment says. “Specifically Khoroshev asked law enforcement during that exchange to, in sum and substance, ‘[g]ive me the names of my enemies’.” Ahead of law enforcement naming Khoroshev, a countdown appeared on the website, and LockBitSupp responded by publishing scores of victims.
“LockBitSupp has a lot of enemies and people waiting to take his place,” says DiMaggio, the Analyst1 researcher, who adds it is unlikely they will stop their actions, although it will be harder to continue. “It is much easier to be a bad guy when no one knows who you are. His reputation is shot and that will be very difficult to come back from.”