Authorities Claim LockBit Administrator "LockBitSupp" Has Engaged with Law Enforcement

admin, 26 February 2024, 11:33:57

LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, "has engaged with law enforcement," authorities said.

The development comes following the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue accounts on third-party services like Mega, Protonmail, and Tutanota used by the criminals have been shuttered.

"We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement," according to a message posted on the now-seized (and offline) dark web data leak site.

The move has been interpreted by long-term watchers of LockBit as an attempt to create suspicion and sow the seeds of distrust among affiliates, ultimately undermining trust in the group within the cybercrime ecosystem.

According to research published by Analyst1 in August 2023, there is evidence to suggest that at least three different people have operated the "LockBit" and "LockBitSupp" accounts, one of them being the gang's leader.

However, speaking to malware research group VX-Underground, LockBit stated "they did not believe law enforcement know his/her/their identities." They also raised the bounty they offer to anyone who can message them their real names to $20 million. It's worth noting that the reward was increased from $1 million USD to $10 million late last month.

LockBit – also called Gold Mystic and Water Selkie – has had several iterations since its inception in September 2019, namely LockBit Red, LockBit Black, and LockBit Green, with the cybercrime syndicate also secretly developing a new version called LockBit-NG-Dev prior to its infrastructure being dismantled.

"LockBit-NG-Dev is now written in .NET and compiled using CoreRT," Trend Micro said. "When deployed alongside the .NET environment, this allows the code to be more platform-agnostic. It removed the self-propagating capabilities and the ability to print ransom notes via the user's printers."

One of the notable additions is the inclusion of a validity period, which continues its operation only if the current date is within a specific date range, suggesting attempts on the part of the developers to prevent the reuse of the malware as well as resist automated analysis.

Work on the next generation variant is said to have been spurred by a number of logistical, technical, and reputational problems, prominently driven by the leak of the ransomware builder by a disgruntled developer in September 2022 and also misgivings that one of its administrators may have been replaced by government agents.

It also didn't help that the LockBit-managed accounts were banned from Exploit and XSS towards the end of January 2024 for failing to pay an initial access broker who provided them with access.

"The actor came across as someone who was 'too big to fail' and even showed disdain to the arbitrator who would make the decision on the outcome of the claim," Trend Micro said. "This discourse demonstrated that LockBitSupp is likely using their reputation to carry more weight when negotiating payment for access or the share of ransom payouts with affiliates."

PRODAFT, in its own analysis of the LockBit operation, said it identified over 28 affiliates, some of whom share ties with other Russian e-crime groups like Evil Corp, FIN7, and Wizard Spider (aka TrickBot).

These connections are also evidenced by the fact that the gang operated as a "nesting doll" with three distinct layers, giving an outward perception of an established RaaS scheme comprising dozens of affiliates while stealthily borrowing highly skilled pen testers from other ransomware groups by forging personal alliances.

The smokescreen materialized in the form of what's called a Ghost Group model, according to RedSense researchers Yelisey Bohuslavskiy and Marley Smith, with LockBitSupp serving "as a mere distraction for actual operations."

"A Ghost Group is a group that has very high capabilities but transfers them to another brand by allowing the other group to outsource operations to them," they said. "The clearest version of this is Zeon, who has been outsourcing their skills to LockBit and Akira."

The group is estimated to have made more than $120 million in illicit profits in its multi-year run, emerging as the most active ransomware actor in history.

"Given that confirmed attacks by LockBit over their four years in operation total well over 2,000, this suggests that their impact globally is in the region of multi-billions of dollars," the U.K. National Crime Agency (NCA) said.

Needless to say, Operation Cronos has likely caused irreparable damage to the criminal outfit's ability to continue with ransomware activities, at least under its current brand.

"The rebuilding of the infrastructure is very unlikely; LockBit's leadership is very technically incapable," RedSense said. "People to whom they delegated their infrastructural development have long left LockBit, as seen by the primitivism of their infra."

"[Initial access brokers], which were the main source of LockBit's venture, will not trust their access to a group after a takedown, as they want their access to be turned into cash."

Originally published on the WeChat official account 知机安全: Authorities Claim LockBit Administrator "LockBitSupp" Has Engaged with Law Enforcement

  • When reproducing, please keep the link to this article (CN-SEC 中文网; thanks to the original author): Authorities Claim LockBit Administrator "LockBitSupp" Has Engaged with Law Enforcement, http://cn-sec.com/archives/2525487.html