LockBit lies about leaking the data, victims still pay

The notorious LockBit gang demands millions in ransom, but fails to leak the stolen data on the internet when it is not paid, a report says. Management struggles have recently degraded the quality of the gang’s operations.

A report by Jon DiMaggio, chief security strategist at Analyst1, reveals that the infamous Russia-linked ransomware gang is having serious problems in management, which is reflected in the degrading quality of their operations.

While LockBit keeps using strong narratives across its communications, what goes unnoticed is that the gang often fails to publish the stolen data, relying only on empty threats and its infamous reputation to convince victims to pay.

Not actually publishing victims’ data

Between late February and the end of June 2023, LockBit claimed that it had released sensitive stolen data from victims who had not yielded to its ransom demands. However, analysis shows that many posts on the gang’s leak site during this timeframe do not actually contain victims’ data.

LockBit streamlines the process of stealing, hosting, and leaking victim data via its admin panel. When affiliates pinpoint the desired data within breached systems, they use this panel to extract it to LockBit's servers.

Negotiations with victims also happen via the panel, as does the eventual publication of the data if the ransom demands are not met. However, since around February 2023, the service has encountered issues in publishing large amounts of victims’ data. As a result, LockBit has not consistently published the victim data it claims to have published.

In some cases, there’s a message “FILES ARE PUBLISHED” on the gang’s leak site, but no actual data is attached to the post. LockBit claims that the problem resulted from the load on its storage servers, due to high usage volume by its affiliate partners. The gang says that the problem is now fixed and that it has increased its throughput to handle five times the load it could facilitate previously.

However, the report states that again, in some cases, it’s not the victim’s data that’s being published. Instead, there’s a text file listing the directory names and structure of the victim’s data, not the data itself.

Another piece of evidence that LockBit is not handling things well is the fact that it’s now resorting to third-party file-sharing platforms to post data. Hosting stolen data on its internal infrastructure was one of the benefits that LockBit advertised in order to attract partner affiliates. Third-party file-sharing services are less attractive for criminals because law enforcement, as well as the file-sharing service provider itself, can easily take files down, removing access from the general public and criminals alike.

Affiliates leaving for competitors

LockBit operates as a Ransomware-as-a-Service (RaaS) provider. In this illicit business model, the RaaS operator maintains the ransomware while managing communication and payments with the victims. Usually, affiliates take care of the distribution of the ransomware, and the ransoms paid are split between the operators and the affiliates.

According to the findings in the report, the disorganization inside LockBit is forcing its affiliates to leave for competitor gangs. Such a turn is unexpected, given that LockBit has previously built its reputation on delivering the highest level of customer service to its partners in crime.

Just like in regular business, partner inquiries are managed through gang communication channels on an encrypted app. However, the high volume of attacks and the increased number of partners working with LockBit make quick and consistent responses to service requests more difficult. According to LockBit, too many people are messaging it daily.

Furthermore, LockBit, as a provider of ransomware, missed its most recent release date, in June 2023, for an updated ransomware variant. Instead, it relies on outdated, publicly available ransomware, leaked from its former competitor Conti. The situation is harmful for LockBit's partners, as the majority of security companies can detect and stop LockBit ransomware from executing on their systems. The reason could be that the gang has had no developer for an extended period of time. Several affiliates claimed that they were unhappy with the situation, leading them to leave for competitor gangs.
