LockBit Resurfaces with Attack on Pharmaceutical Company, Leader Vows to “Continue Working Until Death”

Just when it seemed like authorities had finally curbed the activities of the notorious LockBit ransomware group, the cyber underworld proves once again to be relentlessly resilient. LockBit, previously the world’s largest organization operating in the “ransomware-as-a-service” (RaaS) model, was taken down by international law enforcement last month. The gang has now resurfaced with a new attack on a pharmaceutical company.

Crinetics Pharmaceuticals was added to LockBit’s new leak site this week with a $4 million ransom demand and a deadline set for March 23.

Crinetics did not comply with LockBit’s requirements to not speak to the press, giving an interview to the Recorded Future News about the cybersecurity incident. This prompted the gang to publish an updated response. LockBit extended the deadline to March 26, alleging that Crinetics offered a $1.8M settlement that they turned down.The ransomware group threatened to release the stolen data publicly, report the company to the SEC, and share stolen data with animal rights groups. LockBit concluded the update with a recommendation for a hair stylist in Colorado.

The prolific ransomware group announced more victims last week, claiming to have compromised a string of organizations, including El Ezaby Pharmacy, the South African Government Pensions Administration Agency (GPAA), HDS Trading Corp, Rush Energy Services, and Earnest Health Hospitals for the third time, among others.

Last week a previously-captured LockBit affiliate, a Russian-Canadian national named Mikhail Vasiliev, was sentenced to nearly four years in jail in Canada and ordered to pay back more than $860,000 in restitution. Two other LockBit threat actors were arrested in Poland and the Ukraine when international law enforcement thoroughly dismantled the group’s infrastructure and seized its cryptocurrency accounts, but LockBit’s leadership appears to be back in business.

LockBit Gives Rare Interview, Reveals an Unyielding Quest for Infamy#

In a rare interview with LockBit’s leader, who goes by the name of LockBitSupp, the Recorded Future News confirmed on their Click Here podcast that law enforcement gained access to future versions of the LockBit ransomware.

“It doesn't affect business in any way,” LockBitSupp said. “I take this as additional advertising and an opportunity to show everyone the strength of my character. I cannot be intimidated. What doesn't kill you makes you stronger.”

The interview was conducted over an encrypted messaging app and translated from Russian. When asked if LockBitSupp needed to rebuild trust with affiliates following the take down, the gang leader said, “Partners, proven over the years, have joined me and continue to work. I don’t need to restore their trust because there is no reason not to trust me.”

Following the law enforcement disruption, RaaS groups ramped up recruiting, advertising favorable profit sharing splits, as the two of the most prolific groups, LockBit and ALPHV, have recently suffered damages to their credibility.

“I see that my opponents are trying to take advantage of the situation, but they will not succeed because I am too strong for my opponents,” LockBitSupp told the Recorded Future News.

“Previously, the only worthy competitor as I saw it was AlphV/BlackCat. But now they are gone, and so now I don’t see a single worthy competitor.”

The UK’s NCA (National Crime Agency) reported that LockBit’s total money stolen from July 2022 to February 2024, could be in excess of $1,000,000,000 and that the impact of the group’s attacks was “in the region of multi-billions of dollars.”

LockBit’s attacks have touched a wide range of industries and services, including the Royal Mail in the United Kingdom, Boeing, a Chicago children’s hospital, governments, schools, emergency services, and, most notably, the ICBC (Industrial and Commercial Bank of China).

When asked what the next five years holds for the ransomware group, LockBitSupp revealed an indefatigable ambition for destruction, highlighting the challenges of combating cybercriminals who are motivated by factors beyond financial gain:

I plan to continue working until my death. I don’t have a goal for a year or for five years. My only goal in life is to attack one million companies around the world and go down in human history as the most destructive affiliate program. Once I reach one million businesses on my blog, I will retire forever.

Unlike many smaller groups that haven’t been able to rebound following law enforcement disruption, LockBit’s leadership made it clear that they are married to the game.

“Look, the FBI is not omnipotent; they just found a weak spot and struck,” LockBitSupp said. “The battle was lost, but the war hasn’t been. I will continue to work as long as my heart beats.”