Kisses from Prague: Russian Ransomware Group's Fall

The cybercrime world was recently shaken by the significant disruption of LockBit, a notorious ransomware supplier once described as the world's most harmful cybercrime group. LockBit operated by providing ransomware-as-a-service to a global network of hackers. These affiliates used LockBit's tools and infrastructure to execute attacks, steal data, communicate with victims, store exfiltrated information, and launder cryptocurrency payments. Ransomware, a type of malicious software, functions by encrypting a victim's data, rendering computer files or entire networks inaccessible until a ransom is paid for their release.
According to the US State Department, LockBit's ransomware was deployed in attacks against more than 2,500 victims worldwide between 2020 and early 2024. These attacks resulted in ransom demands totaling hundreds of millions of dollars, with the group successfully receiving at least $150 million in actual ransom payments, predominantly made in digital currencies. The sheer scale of its operations underscored its position as a dominant force in the ransomware landscape.
LockBit's reign faced its first major setback in February 2024. In a coordinated international effort, the British National Crime Agency (NCA), working alongside the US FBI and law enforcement agencies from several other nations, announced a significant victory: they had successfully infiltrated LockBit's network and seized control of its services. This operation dealt a devastating blow to the group's operational capabilities.
Later that year, the NCA revealed a crucial piece of information: they had identified LockBit's leader as Dmitry Khoroshev, a Russian national also known by the alias LockBitSupp. Following this identification, the US State Department issued a reward of up to $10 million for information that could lead to Khoroshev's arrest, further intensifying the pressure on the group and its figurehead.
Despite attempts to adapt by using different online infrastructures, LockBit suffered another severe blow earlier this year. The group experienced a taste of its own medicine when its systems were hacked, and some of its data was stolen. The origins of this attack remain mysterious and, unusually for the cybercrime world, no group has claimed responsibility. A cryptic message, "Don't do crime. Crime is bad. Xoxo from Prague," was left on the website LockBit had been using, adding to the intrigue surrounding this breach.
Vincent Hinderer, Cyber Threat Intelligence team manager with Orange Cyberdefense, commented on LockBit's diminished status, stating, "Lockbit was number one. It was in survival mode and took another hit" with the data leak. He noted that while not all members have been arrested and less experienced cybercriminals might join, observations of online activities suggest "attacks with small ransoms, and therefore a relatively low return on investment" for the remnants of the group.
However, the fall of a major player like LockBit does not signify the end of cybercrime. A French cyberdefence official, speaking anonymously, drew a parallel with counterterrorism: "You cut off one head and others grow back." The balance of power in the cybercrime ecosystem is dynamic, with other groups quickly moving to fill any vacuum. Analysts noted that LockBit was responsible for an estimated 44 percent of ransomware attacks worldwide in 2023, highlighting the significant void its decline creates.
Hinderer further elaborated on this dynamic, explaining, "Some groups achieve a dominant position and then fall into disuse because they quit on their own, are challenged or there's a breakdown in trust that causes them to lose their partners. Conti was the leader, then LockBit, then RansomHub. Today, other groups are regaining leadership. Groups that were in the top five or top 10 are rising, while others are falling." This constant flux underscores the resilience and adaptability of the ransomware ecosystem.
A significant revelation from the LockBit data leak was an incident where one of its affiliates attacked a Russian town of 50,000 inhabitants. In a surprising move, LockBit offered the town decryption software to counteract the attack. However, according to the French official, this attempt was unsuccessful. "It was reported to the FSB (security service), who quietly resolved the problem," the official stated, hinting at the complexities within the Russian cyber landscape.
The cybercrime field, particularly ransomware, appears to be heavily dominated by Russian-speaking individuals and groups. A senior executive working on cybercrime in the private sector, also choosing to remain anonymous, observed that among the top 10 cybercrime service providers, "there are two Chinese groups. All the others are Russian-speaking, most of them still physically located in Russia or its satellites." This concentration raises questions about the environment that allows such groups to flourish.
The potential role of the Russian state in this cybercrime ecosystem is a significant point of discussion, particularly in light of Moscow's 2022 invasion of Ukraine. A French cyberdefence official suggested that while direct state sponsorship of these groups cannot be confirmed, "the impunity they enjoy is enough to make it complicit." This official also pointed to a "porosity" between the criminal entities and Russian security services. Reinforcing this view, a private sector expert alleged, "The Russian state lets the groups do what they want. It's very happy with this form of continuous harassment."
The current whereabouts and status of Dmitry Khoroshev, the alleged LockBit leader, remain a mystery. The US State Department's bounty notice for the 32-year-old includes his date of birth and passport number but notes that his physical descriptors like height, weight, and eye color are unknown. The wanted picture depicts an intense man with cropped hair and muscular forearms. Experts believe his arrest is unlikely as long as he remains in Russia. "As long as he doesn't leave Russia, he won't be arrested," said the private sector expert, who also bleakly added, "(But) we're not sure he's alive."
The geopolitical climate, particularly the war in Ukraine, has severely impacted international cooperation in combating cybercrime. Previously, there were instances of collaboration, such as the case of Sodinokibi (also known as REvil), a hacker group dismantled in January 2022. French expert Damien Bancal recalled, "The FBI helped the FSB arrest the group. During the arrests, they found gold bars and their mattresses were stuffed with cash." However, since the invasion of Ukraine, Bancal stated, "no-one is cooperating with anyone any more." When asked if Moscow had been questioned about Khoroshev following the bounty, Kremlin spokesman Dmitry Peskov simply replied, "Unfortunately, I have no information." This lack of cooperation further complicates efforts to tackle global cybercrime networks.