What LockBitSupp charges mean for ransomware investigations

SAN FRANCISCO -- Law enforcement gained a significant win last week after exposing the LockBit ransomware gang's alleged ringleader, but the threat is far from over.

On May 7, the Department of Justice publicly identified and issued sanctions against Dimitry Yuryevich Khoroshev, a top ransomware culprit known as "LockBitSupp," ringleader of the infamous LockBit ransomware group. LockBit was one of the most active ransomware groups last year and into 2024, despite multiple law enforcement actions taken to disrupt its operations. Authorities were successful in seizing LockBit infrastructure, but threat actors continued to restore operations.

Last week's law enforcement actions, which included criminal charges and sanctions against Khoroshev, involved authorities from the U.S., U.K. and Australia. The actions marked a new approach to the fight against ransomware, but the long-term effect remains to be seen.

During RSA Conference 2024 last week, TechTarget Editorial spoke with Allan Liska, threat intelligence analyst at Recorded Future, on all things ransomware-related. Liska addressed an array of topics, including the recent Department of Justice announcement, the reignited ransom payment ban debate and mitigation recommendations for enterprises.

This week, authorities announced they uncovered the identity of the LockBit ringleader known as LockBitSupp. This was a different approach compared with previous law enforcement actions taken to disrupt ransomware groups. How effective do you think it will be to quell the ransomware threat?

Allan Liska

Allan Liska: I think this is a model for the kind of operation that law enforcement must do going forward, where it's not just take down the site and you're done.

By making this a continuous and public-facing operation, it lets other ransomware groups know that we know about you, and just because you're in Russia and we can't arrest you doesn't mean you're going to be able to hide from law enforcement. That's the other change we're seeing: For a while, it was local field officers, or it was researchers trying to take these guys down. Now, you have massive intelligence services, and you have information sharing with the global Ransomware Task Force. It's one thing to hide from a local Department of Justice field office or researchers, but when you have every intelligence service in the world hunting you down, it is a lot harder to stay hidden.

We saw that [with Khoroshev] -- his name, his address, what kind of car he drove, what he liked to order food-wise; everything we knew about him was exposed. Again, we can't arrest him, but what we can do is make sure he can't start up another ransomware operation.

Do you think it will deter cybercriminals from working with Khoroshev?

Liska: Well, they can't. Now, there's sanctions against him. If you are part of his ransomware-as-a-service operation, you can't get paid. I mean, you can, people get paid. But mostly you can't get paid [because of the sanctions], and that's really the important thing. That's what we want to emphasize here; it's making it harder for them to get money. We aren't going to stop them from conducting cybercrime, but we are going to make it harder for them to carry it out.

You emphasized how this operation involved a massive and global law enforcement effort. Does that further signify how extensive the ransomware threat has become?

Liska: Business email compromise is just as bad [as ransomware] but the reason it doesn't get as much attention is that you don't have the BEC cybercriminals bragging about who they hit. Essentially, the ransomware operator becomes the public relations for the attack, which is crazy, but that's the reality we're at.

You also mentioned law enforcement operations intend to disrupt ransomware groups and operators' financial incomes. What do you think about a ransomware payment ban?

Liska: I think we should ban ransomware payments. I know it's going to cause a lot of pain and there's a lot of challenges that go along with it, but I think we should do it because nothing else is working. We've been trying everything else, largely letting people do whatever it is they want to do, and that's not working. We need something new to cause a jolt. Maybe these additional law enforcement actions will work more, but banning ransomware payments – again, it's not going to stop everything because people are going to figure out how to pay, but it will be a big deterrent for many organizations. Yes, it will increase suffering, but it will be a big deterrent. That's the problem: We don't want to increase suffering, but I don't know what other options we have.

Over the past year, ransomware threat actors have increasingly leveraged more brazen data extortion threats over actual ransomware deployment to pressure victims into paying. Do you think the term ransomware should be defined differently now?

Liska: Ransomware has always evolved. In 2015-2016, ransomware was single machine. Then it moved to taking over the whole network. Even before that, in 2009, when Symantec released their first report on ransomware, it was files being stolen and ransomed to get payment. And they referred to that as ransomware, though there was no encryption involved. The evolution continues. I understand why people want to give it a new name, but the name is already evolving, and the meaning is already evolving. I think coming up with a new name doesn't necessarily help in any way, shape or form.

Several vendors tracked record highs for ransomware in 2023 in terms of the number of ransomware victims and payments received by ransomware groups. Do you think that trend will continue into 2024?

Liska: I think we're seeing fewer people get paid but more ransomware attacks. Interestingly, with the shutdown of LockBit, we actually saw the number of attacks in March and April go down. That's probably a temporary blip, but they accounted for 25% of publicly reported attacks, so there probably is a difference in what we'll see this year. But I don't know what it's going to look like yet. It's really easy to start a ransomware operation; there's stolen code and things out there that make it easy to jump in, so there's nothing saying the affiliates who work for LockBit won't go and start their own or join another group. It is going to take time. I think the breathing room that we get is time for people to make the efforts to secure their networks.

Which ransomware groups may take over following LockBit's disruption?

Liska: We are seeing more activity out of the Rhysida and Akira ransomware groups right now – basically, all of the anime-named ones. Most likely the next big one is one we don't know yet. It's probably one of the new ones that started up and hasn't done much but will suddenly jump to the front.

One RSA session I attended this week discussed how ransomware actors continue to adapt to endpoint detection and response (EDR) tools? What have you seen there?

One of the big things I tell people in how to look for early signs of ransomware is, has something killed your EDR? Because that's the first thing a ransomware actor does.

Liska: One of the big things I tell people in how to look for early signs of ransomware is, has something killed your EDR? Because that's the first thing a ransomware actor does when it lands on a machine -- it kills the EDR. If that doesn't generate an alert that you're responding to, it should. It is something people should be looking at, but we're not quite there yet. If the security operations center doesn't get the alert until three days later, the ransomware attack is already happening.

Any other advice for enterprises to protect against ransomware?

The other thing I always tell people is to look for weird PowerShell scripts. Too many companies don't log PowerShell, but every ransomware campaign or attack that I've ever seen has involved some sort of PowerShell. The problem with saying that is, what do I mean by weird? That is going to depend on your network. That means you have to do the work. You have to develop a baseline of what PowerShell [activity] looks like on your network. For example, this is new, this is what we should investigate.

Now, the good thing is this takes time and effort, but it doesn't take money. This is not like every other vendor downstairs [at the RSA Conference Expo hall] saying 'Oh, this is an AI thing that you do.' You build your baseline, and you look for anomalies in your baseline. You can do that without spending more money, but it takes more time.

The impractical advice to give is to switch to all Macs. We've never seen a ransomware attack against an all-Mac network. Now, if everyone switched to all Macs, at some point we'd start to see those. But for now, we haven't.

Closing thoughts regarding LockBitsupp?

This week is a good week because we've gotten rid of one of the worst ransomware actors out there, and I think that's awesome. We should take a minute to celebrate that but just know there's a lot going on and nobody is saying ransomware is over. Of course, ransomware attacks are still happening, but let's celebrate the win because we don't get enough of them in infosec.

Editor's note: This interview was edited for clarity and length.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.