LockBit uses Starlink to avoid detection

The LockBit ransomware syndicate has intimate ties with other major cybercrime groups, employs smear campaigns to stay on top, and subscribes to a Starlink internet connection to avoid detection.

The notorious ransomware gang LockBit fiercely competes with other prominent crime syndicates for talent, playing it dirty if necessary, a recent report from threat intelligence firm Analyst1 shows.

The competition is sharpened by the fact that most of the prominent ransomware cartels are made up of people who interact with, and likely know, each other.

According to Jon DiMaggio, Chief Security Strategist at Analyst1, the people behind LockBit, Conti and its successor BlackBasta, and DarkSide and its successors BlackMatter and BlackCat/ALPHV frequently interact and even share resources.

“They work separately but know one another and could work together if they want to. Fortunately, their egos usually get in the way of teaming up and working together from an operational aspect,” DiMaggio told Cybernews.

Poached developer

According to the report, the LockBitSupp persona, a nickname used by the gang’s leader on dark web criminal forums, knows the identities of the key members of DarkSide, BlackMatter, and BlackCat ransomware gangs and has close ties with the key people behind the original REvil gang.

Based on months of underground research, the report claims that LockBit confirmed the same core people ran DarkSide, BlackMatter, and BlackCat ransomware gangs. Similar claims were made regarding the links between the leadership of BlackBasta and the former Conti gang.

“While the security community already made these connections through technical means, LockBit’s interpretation is derived from human relationships with the members who make up these gangs, making it a more significant association,” claims the report.

However, knowing each other doesn’t eliminate competition. For example, the report claims that LockBit’s third-generation malware was created by the same developer behind DarkSide/BlackMatter/BlackCat ransomware and some of the malware for the infamous Fin7 cybercriminal group.

Lucrative target

Interestingly enough, LockBit had a falling-out with the malware developer, going as far as to threaten to release personal information on the individual and his family. The conflict eventually led to someone leaking the source code of the LockBit ransomware builder.

DiMaggio thinks that law enforcement and government should concentrate on identifying the disgruntled malware developer as he is exceptionally well embedded in the Russian ransomware and organized cybercrime community.

After all, it is likely that the same individual created the malware DarkSide used to hack Colonial Pipeline and the third-generation ransomware LockBit used to attack thousands of victims. Unless the developer decides to leave Russia, it’s unlikely he’d be arrested. However, there’s a trove of information the individual could provide.

“He could potentially be a wealth of information that leads to the identity and inside details of several of the most notorious cybercrime groups. While they probably can’t arrest him, they can spy on him. And that may yield lots of valuable information,” DiMaggio said.

High-level relationships between criminal gangs. Image by Analyst1.

Russian connection

While Russian authorities generally allow cybercriminals to operate within their borders, as long as the cybercriminals don’t target Russian organizations, being forced to work for the government is always a possibility.

“Being forced to work for the Russian government is something LockBit’s leadership is concerned about if they ever get caught. But they also believe that option is better than prison,” DiMaggio said.

However, the researcher believes that LockBit has successfully avoided identification by the Russian government. While several ransomware groups were likely recruited to support the Russian security service, the FSB, LockBit tries to steer clear of government affiliation.

The reason behind the reluctance is a business one. Conti’s allegiance to the Russian government at the onset of Russia’s war in Ukraine last year alienated many of the Ukrainian affiliates that worked for the group. Conti leaks soon followed, leading to the demise of Conti and the rise of LockBit.

Bondian evasion

LockBit’s growing profile has forced the gang’s leaders to consider what awaits them upon capture. To assure affiliates that their data won’t fall into the hands of authorities if the leader gets arrested, LockBit’s head said he keeps his Pretty Good Privacy (PGP) secret key and multi-signature wallet on a hidden flash drive.

“The wallet requires passwords, which in a previous conversation, he stated, were 50 characters in length and randomly generated. It also requires a key file, which he states is on another flash drive that he keeps around his neck made from red wool,” reads the report.

Following the script of an action-packed Hollywood movie, the gang’s leader says he uses wool specifically so that he could rip the flash drive off his neck and swallow it if threatened with arrest.

Interestingly, LockBitSupp also said he uses a connection over SpaceX’s Starlink satellite constellation to better hide his IP address. The logic is that a satellite network covers a much broader area, making it more difficult to track him down even if the authorities identified the network he was connecting through.

“LockBit does an excellent job of protecting their anonymity, or at least they have up to this point. I don’t know if the Russian government would force LockBit to work for them, but they certainly would benefit from it if they did,” DiMaggio said.

Comment from Cyber Security Company (1 year ago): It’s really interesting to think about all the cybercrime that occurs underground. Very informative read. Thank you for posting.