The FBI is urging victims of one of the most prolific ransomware groups to come forward after agents recovered thousands of decryption keys that may allow the recovery of data that has remained inaccessible for months or years.
The revelation, made Wednesday by a top FBI official, comes three months after an international roster of law enforcement agencies seized servers and other infrastructure used by LockBit, a ransomware syndicate that authorities say has extorted more than $1 billion from 7,000 victims around the world. Authorities said at the time that they took control of 1,000 decryption keys, 4,000 accounts, and 34 servers and froze 200 cryptocurrency accounts associated with the operation.
In a speech before a cybersecurity conference in Boston, FBI Cyber Assistant Director Bryan Vorndran said Wednesday that agents have also recovered an asset that will be of intense interest to thousands of LockBit victims—the decryption keys that could allow them to unlock data that’s been held for ransom by LockBit associates.
“Additionally, from our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” Vorndran said after noting other accomplishments resulting from the seizure. “We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.”
The number of decryption keys now in the possession of law enforcement is significantly higher than the 1,000 keys authorities said they had obtained on the day the takedown was announced.
The assistant director warned that recovering decryption keys by purchasing them from the operators solves only one of two problems for victims. Like most ransomware groups, LockBit follows a double-extortion model, which demands a bounty not only for the decryption key but also for the promise not to sell confidential data to third parties or publish it on the Internet. While the return of the keys may allow victims to recover their data, it does nothing to prevent LockBit from selling or disseminating the data.