The most likely way the FBI will associate specific keys with specific victims — assuming that particular victim contacts the authorities — is that “the FBI will generate a script that will run all 7,000-plus keys” against the victim’s still-locked files, Levine said. There’s also a possibility that LockBit was reusing keys, he said.

A reason to call the FBI

The biggest benefit of the FBI announcement, Levine said, is that it gives CISOs a concrete reason to contact the FBI. A problem that many enterprises have when they are hit with any kind of cyberattack is that they don’t have a current direct FBI contact — including mobile number. Critically, law enforcement contacts need to be established for every geographic where the enterprise has servers. In an emergency, the last thing an enterprise wants to do is start reaching out to a federal switchboard.

“This is just another great example of how law enforcement can add real value in responding to an incident,” Levine said. “But it’s very important that organizations develop a personal relationship with an existing FBI cyber agent prior to the incident. Otherwise, organizations may be spending a lot of time tapping their toes to light jazz during an endless hold.”