
International authorities finally got a chance to troll the snarky ransomware criminals who have spent years taunting victims and boasting about each new target, after being outsmarted and outplayed by them for just as long. The trolling came as authorities from the US, UK, and Europol dismantled most of the infrastructure run by LockBit, a ransomware syndicate that has extorted more than $120 million from thousands of victims worldwide. Most of the websites LockBit used to humiliate victims for being hacked, pressure them into paying, and brag about its hacking skills began displaying content announcing the takedown. The seized infrastructure also hosted decryptors that victims could use to restore their data.

The dark web site LockBit once used to name and shame victims, displaying entries such as “press releases,” “LB Backend Leaks,” and “LockbitSupp You’ve been banned from Lockbit 3.0.”


Authorities didn’t use the seized name-and-shame site only to inform. A prominently displayed section gloated over the depth of access investigators had obtained to the system. Several images showed that they had taken control of /etc/shadow, the Linux file that stores cryptographically hashed passwords. It is among the most security-sensitive files on a Linux system: reading it requires root, the highest level of system privilege.
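To make the point about /etc/shadow concrete from the defender's side, here is an added example (not from the article or from any of the investigators' material) that parses shadow-format entries, classifies each password field by its crypt(5) hash prefix or lock marker, flags accounts an administrator should act on, and checks that the file is not world-readable. The sample entries are constructed and the hash bodies are placeholders, not real digests.

```python
"""Audit /etc/shadow-style entries: hash algorithm, locked or empty passwords, file mode."""
import os
import stat

# Crypt hash prefixes as documented in crypt(5); any other prefix is reported as unknown.
HASH_PREFIXES = {
    "$1$": "md5crypt (weak)",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
    "$7$": "scrypt",
}

# Constructed sample entries in shadow(5) format; hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHroot:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
bin:*:19700:0:99999:7:::
sys:!:19700:0:99999:7:::
legacy:$1$abcd$PLACEHOLDERmd5:19000:0:99999:7:::
svc:!$6$saltsalt$PLACEHOLDERlocked:19700:0:99999:7:::
guest::19700:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Return a human-readable classification of one shadow password field."""
    if field == "":
        return "EMPTY (login without password)"
    if field.startswith("*"):
        # "*" means no password login is possible for this account.
        return "locked/no password"
    if field.startswith("!"):
        # A leading "!" locks the account; the hash after it (if any) is preserved.
        inner = field.lstrip("!")
        if inner in ("", "*"):
            return "locked/no password"
        return f"locked ({classify_hash(inner)})"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown/legacy format"


def audit_shadow(text: str) -> dict:
    """Parse shadow-format text and return {username: classification}.

    Malformed lines (fewer than two fields) are skipped rather than raising,
    so a damaged file still yields a partial report.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result


def weak_or_empty_accounts(report: dict) -> list:
    """Accounts an administrator should act on: empty passwords or weak hashes."""
    return sorted(u for u, c in report.items() if c.startswith("EMPTY") or "weak" in c)


def check_shadow_mode(path: str = "/etc/shadow") -> str:
    """Report whether the shadow file is readable by 'other' (it never should be)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return f"{path}: not present on this host"
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        return f"{path}: mode {mode:04o} is world-readable, fix with chmod o-r"
    return f"{path}: mode {mode:04o} ok (not world-readable)"


if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW)
    for user, cls in report.items():
        print(f"{user:8} {cls}")
    print("needs attention:", weak_or_empty_accounts(report))
    print(check_shadow_mode())
```

Run against the embedded sample, the audit reports `legacy` (md5crypt) and `guest` (empty field) as needing attention; point `audit_shadow` at the contents of a real shadow file, read as root, to get the same report for a live host.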

Screenshot showing a folder named “shadow” with hashes for accounts including “root,” “daemon,” “bin,” and “sys.”

Other images illustrated that investigators also had total control of the primary web panel and the system that LockBit operators used to communicate with affiliates and victims.

Screenshot of a panel used to administer the LockBit site.
Screenshot showing chats between a LockBit affiliate and a victim.

The ribbing didn’t end there. The image files carried names such as “this_is_really_bad.png,” “oh dear.png,” and “doesnt_look_good.png.” The seized page also teased the impending doxing of LockbitSupp, the alias of the main LockBit figure. It read “Who is LockbitSupp? The $10m question” and showed images of cash wrapped in chains and padlocks. Mimicking a practice common to LockBit and rival ransomware groups, the seized site displayed a clock counting down the seconds until the identifying information would be posted.

Snapshot displaying “who is lockbitsupp?”

In all, authorities said they took control of 14,000 accounts and 34 servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK. Two LockBit suspects have been arrested in Poland and Ukraine, and five charges and three arrest warrants have been issued. Authorities also froze 200 cryptocurrency accounts tied to the ransomware operation.

“Currently, a considerable amount of data collected during the investigation is now in the custody of law enforcement,” officials at Europol stated. “This data will be utilized to support ongoing international operational activities aimed at targeting the leaders of this group, as well as developers, associates, infrastructure, and criminal assets related to these illegal activities.”

LockBit has been active since at least 2019, when it went by the alias “ABCD.” Within three years it became the most widely circulating ransomware. Like its counterparts, LockBit operates under what’s known as ransomware-as-a-service: it supplies the software and infrastructure to affiliates, who use them to compromise victims, and LockBit and the affiliates then split any resulting proceeds. Hundreds of affiliates took part.

According to KrebsOnSecurity, one of the LockBit leaders said on a Russian-language crime forum that a vulnerability in the PHP scripting language gave authorities the means to hack the servers. That detail prompted another round of teasing, this time from fellow forum participants.

“Does it mean that the FBI provided a pen-testing service to the affiliate program?” one participant wrote, according to reporter Brian Krebs. “Or did they decide to take part in the bug bounty program? :):).”

Several members also shared memes mocking the group about the security lapse.

“In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head—offering $10 million to anyone who could discover his real name,” Krebs wrote. “‘My god, who needs me?’ LockBitSupp wrote on January 22, 2024. ‘There is not even a reward out for me on the FBI website.’”