The $10 Million Question
The FBI doesn’t offer $10 million rewards for petty criminals. That bounty is reserved for terrorists, cartel leaders, and the most dangerous threats to national security.
In 2024, that list includes a ransomware gang called LockBit.
The group has attacked over 2,000 organizations worldwide, extracted more than $120 million in ransom payments, and caused billions in damages. Their victims include hospitals, schools, government agencies, and critical infrastructure.
The FBI wants them badly enough to pay $10 million for information leading to their arrest.

How LockBit Became the World’s Most Wanted
LockBit emerged in 2019 and quickly became the most prolific ransomware operation in the world. Their business model is brutally efficient:
Ransomware-as-a-Service. LockBit doesn’t conduct every attack themselves. They provide the ransomware, the infrastructure, and the negotiation services. “Affiliates” do the actual hacking and split the profits. It’s a franchise model for cybercrime.
Speed matters. LockBit’s ransomware encrypts files faster than competitors. That matters because faster encryption means less chance of detection and interruption. By the time someone notices something’s wrong, the damage is done.
Double extortion. They don’t just encrypt your files—they steal them first. If you won’t pay to decrypt, maybe you’ll pay to prevent your data from being published. They run a leak site where they publicly shame victims and release stolen data.
Professional operations. LockBit runs like a business. They have a bug bounty program offering $1 million to anyone who can identify their leadership. They issue press releases. They provide “customer service” to victims negotiating payments.
The Takedown That Didn’t Stick
In February 2024, law enforcement agencies from ten countries announced Operation Cronos, a major takedown of LockBit infrastructure. They seized servers, arrested affiliates, and even took over the group’s leak site to post taunting messages.
For a few days, it looked like LockBit was finished.
It wasn’t. Within days, LockBit had new infrastructure online and was back to attacking victims. Their leader, known by the alias “LockBitSupp,” posted defiant messages mocking law enforcement.
The $10 million bounty is still active because the core leadership remains free.
Why This Matters to Your Organization
You might think ransomware gangs target big fish—major corporations, government agencies, critical infrastructure. They do. But they also target healthcare clinics, school districts, small manufacturers, law firms, accounting practices, and nonprofits.
LockBit affiliates don’t necessarily choose targets strategically. They look for vulnerable organizations—any organization—and exploit them. Your size doesn’t protect you. Your industry doesn’t protect you. Only your security posture protects you.
How LockBit Gets In
Understanding how these attacks happen is the first step to preventing them:
Phishing emails. Still the most common entry point. One employee clicks one bad link, and the attackers have a foothold.
Stolen credentials. Passwords from previous breaches get reused. Credentials bought on dark web marketplaces provide instant access.
Unpatched vulnerabilities. Known security flaws that haven’t been fixed. Attackers scan the internet for vulnerable systems constantly.
Remote access exploitation. VPNs, remote desktop services, and other remote access tools with weak security or known vulnerabilities.
Supply chain access. Compromising a vendor or partner who has legitimate access to your network.
What Makes Organizations Resilient
The organizations that survive ransomware attacks—or avoid them entirely—share common characteristics:
They assume breach will happen. Instead of just trying to prevent attacks, they prepare to survive them. Backups, incident response plans, communication strategies.
They maintain offline backups. Ransomware specifically targets backup systems. If your backups are connected to your network, they’ll be encrypted too. Offline, tested backups are the difference between a bad week and a business-ending event.
They segment their networks. If attackers get into one area, they shouldn’t have easy access to everything. Segmentation limits blast radius.
They keep systems updated. Most ransomware exploits known vulnerabilities with available patches. Regular, prompt patching eliminates the easy entry points.
They train their people. Since phishing is the most common entry point, employees who can recognize and report suspicious emails provide a critical defense layer.
The Reality of the Threat
LockBit is the most prominent ransomware gang, but they’re not the only one. If LockBit disappeared tomorrow, others would fill the gap. The ransomware-as-a-service model has proven too profitable to abandon.
The question isn’t whether ransomware groups will try to attack your organization. The question is whether you’ll be prepared when they do.
The FBI is offering $10 million to stop LockBit. You don’t need $10 million. You need good security practices, tested backups, and a plan for when things go wrong.
Take Our 2-Minute Security Assessment
centrexIT helps San Diego organizations build ransomware resilience before they become targets. If you’re not sure how your organization would survive a LockBit attack, let’s find out together.
Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/
Sources
U.S. Department of State — “Reward for Information: LockBit Ransomware as a Service (RaaS)” — Confirms the $10 million reward and details on LockBit’s 2,000+ attacks and $144 million in ransom payments. state.gov
U.S. Department of Justice — “U.S. Charges Russian National with Developing and Operating LockBit Ransomware” (May 7, 2024) — Announces indictment of Dmitry Yuryevich Khoroshev and confirms LockBit targeted more than 2,000 victims, stealing over $500 million.
UK National Crime Agency — “LockBit leader unmasked and sanctioned” (May 2024) — Details on Operation Cronos, the February 2024 international takedown, and data showing 7,000+ attacks between June 2022 and February 2024. nationalcrimeagency.gov.uk
FBI / CISA — Joint Cybersecurity Advisory on LockBit ransomware — Confirms LockBit as the most deployed ransomware variant globally in 2022-2023.