As part of the internationally orchestrated police operation (Operation Cronos), the police announced the arrest of two individuals belonging to the group LockBitSupp who operated in Poland and Ukraine. These are people who were “puppeteers” of the ransomware LockBitwhose servers were hacked in recent days and placed under the direct control of the authorities.
The joint effort that allowed law enforcement technicians to take control of LockBit and finally break the link with the cyber criminals who managed the platform exploited – as already reported – some security vulnerabilities present in the configuration of the PHP environment, used by cyber criminals.
Decryption tool available to recover files encrypted by LockBit for free
Following the “break-in” into the servers used by the managers of LockBit, a group of developers led, among other authorities, by Europol, FBI and National Crime Agency of the United Kingdom, they were able to develop a tool per decodificare files encrypted by ransomware. The initiative is the result of the recovery of over 1,000 decryption keys contained in the servers violated by the agents and now seized. The decoding softwarecreated by Japanese programmers, is available for free on the No More Ransom website.
However, some important aspects need to be clarified: as the name of the decoding tool already makes clear, Decryption Checker for Lockbit 3.0the program must for the moment be understood as a tool aimed at verifying whether data recovery was materially possible or not.
How the two modules for analyzing and restoring encrypted data work
The module Decryption ID CheckerFirst, it verifies each user’s unique decryption ID by comparing it to a list of known keys recovered by law enforcement. In case of correspondence between the victim’s unique ID and the decryption key collected on the server side, it is actually possible to proceed with the decrypting. Lo script (check_decryption_id.exe) can be run from the Windows terminal window, requires no installation and works completely offline.
The instrument check_decrypt.exe allows you to evaluate the feasibility of recovering data encrypted by LockBit 3.0. This is not yet a complete decryption solution but aims at a procedure partial recovery.
This also tool it works in completely offline mode and does not rely on remote services. Carry out the scan of all encrypted files with the same 9-letter extension, then produces a CSV file with information about the scanned files. If decoding is possible, the program provides the number of recoverable files and contact information to proceed with decoding.
A first step that cannot ignore the study of the LockBit source
For now, therefore, the developers have limited themselves to using the decryption keys acquired following the breach of the LockBit servers to provide help to those who still find themselves with data blocked by the well-known ransomware.
However, this is not a general and “wide-ranging” solution. Develop a Universal decoding tool involves the study of the LockBit source codes, which the police authorities now claim to possess.
The officers also seized 200 wallets in cryptocurrency connected to the operators of LockBit: they were used to collect the ransoms paid by the victims of the ransomware. The amount of funds present in these virtual wallets is not known.
The imperative now is not to let our guard down
As Chester Wisniewski, Director Global Field CTO of, rightly observes Sophos“Lockbit has become the most active ransomware group since Conti left the scene in mid-2022. The frequency of their attacks, combined with the fact that they have no limits on the type of infrastructure they can cripple, has also made them the most dangerous in recent years“. However, Wisniewski notes that – despite the “Operation Cronos” announced yesterday – “much of the infrastructure used by LockBit is still online, which likely means it is beyond the reach of law enforcement“.
This is echoed by Richard Cassidy, Field CISO of Rubricwho in turn comments on the blow dealt to the LockBit group: “a battle has been won, but the war continues“. And he continues: “Although the LockBit Group’s operations appear to be compromised for an indefinite period, we should not underestimate its ability to adapt. These groups have always demonstrated a remarkable ability to adapt to the actions of law enforcement, to evolve their tactics and to continue their operations, sometimes under new guises“.
Groups like Hive, ALPHV/BlackCatwith the evolution from DarkSide a BlackMatterhave highlighted the ability of cybercriminals to bounce back, while also leveraging ecosystem support Ransomware-as-a-Service (RaaS).
Suffice it to say that LockBit has collected something like 91 million dollars from US companies alone: Cassidy points out that the group would still have the opportunity to “reorganize and develop new tactics, techniques and procedures, evolving and learning from mistakes“. In short, the key word is not to let your guard down.
Opening image credit: iStock.com – KTStock