In an unexpected turn of events, LockBitSupp, the administrator of the notorious LockBit ransomware group, responded publicly to the Federal Bureau of Investigation (FBI) and international law enforcement's efforts to identify and apprehend him. After bringing back previously seized domains, law enforcement identified Dmitry Yuryevich Khoroshev as the mastermind behind the LockBit operations in an earlier public announcement. This was followed by official sanctions issued by the U.S., U.K., and Australia, accompanied by 26 criminal charges ranging from extortion to hacking, collectively carrying a potential maximum sentence of 185 years imprisonment. The Justice Department has also offered a staggering $10 million reward for information leading to Khoroshev's capture. However, LockBitSupp denied the allegations and attempted to turn the situation into a peculiar contest on the group's remaining leak site.

LockBitSupp Opens Contest to Seek Contact with Individual

The Lockbit admin made a post within the group's leak site about a new contest (contest.omg) in order to encourage individuals to attempt to contact Dmitry Yuryevich Khoroshev. The announcement asserts that the FBI is wrong in its assessment and that the named individual is not LockBitSupp. The announcement seems to try and attribute the alleged identification mistake as a result of an unfortunate cryptocurrency mixing with the ransomware admin's own cryptocurrency funds, which they claim must have attracted the attention of the FBI. Cryptocurrency mixing is activity done to blend different streams of potentially identifiable cryptocurrency to provide further anonymity of transactions. The contest, brazenly invites participants to reach out to the individual believed to be Dmitry Yuryevich Khoroshev and report back on his wellbeing for $1000. The ransomware admin then claimed that the first person to provide evidence such as videos, photos, or screenshots confirming contact with the the "poor guy," as LockBitSupp refers to him, would receive the reward. [caption id="attachment_67621" align="alignnone" width="1055"] Source: X.com (@RedHatPentester)[/caption] Participants were instructed to send their findings through the encrypted messaging platform Tox, using a specific Tox ID provided by LockBitSupp.

LockBitSupp Shares Details of Named Individual

In addition to the contest details, LockBitSupp shared multiple links to LockBit-associated file-sharing services on the dark web, presumably for individuals to archive gathered details and submit as contest entries. They also listed extensive personal details alleged to belong to Dmitry Khoroshev, including email addresses, a Bitcoin wallet address,  passport and tax identification numbers Amid the defiance and contest announcement, LockBitSupp expressed concern for the well-being of the person they claim has been mistakenly identified as them, urging Dmitry Yuryevich Khoroshev, if alive and aware of the announcement, to make contact. This unusual move by LockBitSupp attempts to challenge the statement made by law enforcement agencies and underscores the complex dynamics of the cyber underworld, where hackers taunt their pursuers openly. LockBitSupp emphasized that the contest will remain relevant as long as the announcement is visible on the blog. The admin hinted that there may be similar contests in the future with more substantial rewards, urging followers to stay tuned for updates. The announcement was uploaded and last updated on May 9, 2024, UTC, leaving the public and the cybersecurity community watching closely for further developments. In a recent indictment Khoroshev was identified to behind LockBit's operations and functioned as the group's administrator since September 2019. Khoroshev and the LockBit group was stated to have extorted at least $500 million from victims in 120 countries across the world. Khoroshev was stated to have received around $100m from his part in this activity. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Despite the major collaborative effort by law enforcement agencies resulting in the exposure and sanctioning of Dmitry Yuryevich Khoroshev, the Russian national thought to be at the helm of LockBit's widespread hacking operations, the hacker group shows no signs of ceasing its activities. LockBit has reportedly launched a cyberattack on Wichita, Kansas, targeting state government and various local entities. The news of the Wichita cyberattack emerged on LockBit's previously inactive platforms, which were reactivated after the shutdown of their official website.

Cyberattack on Wichita Post LockBit Leader Arrest

[caption id="attachment_67202" align="alignnone" width="402"] Source: Dark Web[/caption] The Wichita cyberattack targeted the official website (wichita.gov), prompting concerns over the security of critical municipal systems. While the ransomware group has not yet released any compromised data, they have set a deadline of May 15, 2024, for its publication.  The announcement by LockBit ransomware follows closely on the heels of an earlier notification by the city of Wichita regarding a ransomware attack on May 5, 2024, although the responsible ransomware gang was not initially disclosed. Wichita, the largest city in the state of Kansas, serves as the county seat of Sedgwick County and is a populous urban center in the region.  The Cyber Express has reached out to the state government to learn more about this cyberattack on Wichita. However, at the time of writing this, no official statement or response has been received. However, the city of Wichita denoted a ransomware attack that targeted various government and private organizations within the city. 

Security Update from Wichita: Ransomware Group Remains Unnamed!

According to a press release by the city of Wichita, the recent posts from the state's Cyber Security Incident Update indicate ongoing efforts by the city's information technology department and security partners to address the cyberattack.  “Many City systems are down as security experts determine the source and extent of the incident. There is no timetable for when systems could be coming back online. We appreciate your patience as we work through this incident as quickly and as thoroughly as possible”, reads the official press release.  In the meantime, various city services and amenities have been impacted by the cyber incident, prompting adjustments to normal operations. Water systems remain secure and functional, with provisions in place for those experiencing difficulties paying bills or facing water shut-offs.  Transit services, city vendors, park and recreation facilities, licensing procedures, and municipal court operations have all been affected to varying degrees, necessitating alternative arrangements such as cash payments and in-person transactions. Similarly, services provided by cultural institutions, resource centers, planning departments, and housing and community services are also subject to modifications and delays as the city works to address the cyberattack. The city's airport and library services have experienced disruptions to Wi-Fi access and digital infrastructure, although essential operations continue with minimal impact on services provided to the public. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the cyberattack on Wichita or any new updates from the government.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.