
When targeting their victims, ransomware affiliates analyze cyber insurance policies to calibrate ransom demands and demonstrate industrial and regional biases. They are not loyal to their ransomware service operator, and often fail to restore files, even when paid, LockBit leak reveals.
- Ransomware gangs analyze your cyber insurance policy to set ransom demands, research shows.
- Most affiliates can't decrypt files even after you pay the ransom.
- One $2.3 million payment funds entire ransomware operations for months.
Beneath the highly sophisticated facade of the ransomware gang hide varying technical skills among operators, biases influencing targeting, a lack of consistent execution, and opportunism-driven actions.
Cybernews previously reported that LockBit, the former flagship of the ransomware scene, was hacked and had its data dumped.
Michele Campobasso, a security researcher at Forescout Research – Vedere Labs, analyzed the leaked data, which unveiled seven key insights into the mindset of the threat actors within ransomware-as-a-service ecosystems.
Affiliates often are ‘newbies’
LockBit had opened 73 affiliate accounts, and each user was assigned one of the tags: “newbie”, “pentester”, “verified”, “scammer”, and “target ru” (used only once). Accounts can also be marked as “paused”, likely due to inactivity or violations.
This also reflected widely varying skills, tactics, and targets. Only five affiliates had a “verified” tag, indicating a higher level of trust in the LockBit ranks.
One of the newbie affiliates, named BaleyBeach, targeted two financial institutions, then aggressively demanded high ransom payments, likely based on an analysis of the victim’s cyber insurance coverage.
“Threats included limiting visibility of stolen data until payment was made, or until the data was published. Both cases were unresolved at the time of the leak,” the researcher writes.

Meanwhile, the more professional affiliate “Cristopher” targeted three Asian companies and maintained a cooperative tone despite language barriers. Cristopher successfully concluded two of the negotiations.
Another insight is that affiliates are not consistent. Across the 20 incidents, in five cases, affiliates did not publish data even when negotiations failed. This suggests that attackers do not chase low-value or non-responsive targets, likely constrained by limited time and resources and low likelihood of return on efforts.
“In several cases, affiliates did not publish stolen data, even after victims ceased communication and no ransom was paid. This behavior suggests either strategic disinterest or a degree of discretion toward low-value or unresponsive targets,” the researcher writes.
Affiliates fail to restore data, even if they want to
An eye-opening insight is that many affiliates are not capable of restoring the encrypted files even when ransoms are paid.
“Ransomware affiliates do not always provide functional decryptors, and in some cases offer little to no post-payment support,” the researcher writes.
In one case, a Chinese manufacturer paid the negotiated ransom of $6,000, received a decryptor, but was unable to recover many files. After contacting the affiliate on March 30th for assistance, the company was told “we are very busy” and that “the boss often responds after 3-5 days.”
Subsequent inquiries were ignored for a while. Two weeks later, the affiliate shifted the blame to the victim’s “security systems, including your anti-virus software [which] interfered with the encryption process, thereby making your files undecryptable”. The manufacturer's follow-up messages, filled with frustration and distress, were unanswered.
The same affiliate, “Iofikdis,” was accused of lacking credibility in another case when negotiating with a consultancy supporting a victim.
“Some affiliates are either unable or unwilling to provide reliable decryption or support, undermining trust in their own extortion model,” the researcher concludes.
Loyalty is optional
The operator of ransomware does not have a lot of control over its minions. The Lockbit leak reveals that affiliates exhibit unpredictable behavior, breach operational protocols, and switch operators.
“Affiliates do not always remain loyal to a single Ransomware-as-a-Service provider and may even attempt to bypass platform controls — including revenue sharing obligations,” the Forescout report reads.
In one case, an affiliate explained the reason for switching as the ransomware being “not perfect.” In two analyzed cases, affiliates obscured evidence of payment agreements by moving the conversations with victims off-platform, likely to avoid paying LockBit its 20% cut.
Like many Russian ransomware strains, LockBit explicitly forbids affiliates from attacking organizations in Russia and the Commonwealth of Independent States (CIS). However, the researcher found four instances in the leaked database involving .ru domains.
One of the affiliates continued to demand a $50,000 ransom from a construction company, which immediately identified itself as part of the “Russian administration.” The attacker said they had “new rules.”
At some point, the LockBit administrator took over the chat and provided free decryptors.
“Ultimately, the decryptor did not work. The admin blamed the affiliate, suggesting they may have intentionally corrupted the encrypted files to sabotage LockBit’s reputation. The conversation ended here,” the report reads.
After the incident, LockBit suspended this affiliate account, as well as that of another affiliate who had also attacked a Russian entity.
The targeting of victims demonstrates a significant geographic and sector bias. Affiliates often choose regions and sectors where they expect to negotiate higher returns or “are motivated by ideological preferences.”
A single ransom brings a fortune
The unfortunate truth is that affiliates only need to score once to get six-figure profits and continue their activities.
“Ransomware affiliates operating under LockBit 4.0 demonstrated that even a small number of successful attacks can generate substantial financial returns, both for the affiliates and for the LockBit administrators.”
The researcher found 159 BTC addresses associated with victims, of which only 19 received funds. Eighteen of those only received a single transaction.

One address received two transactions, one of which was the highest single ransom payment observed in the leaked dataset: 4.22 BTC, or approximately $433,000. However, that amount was only LockBit’s 20% commission; the victim transferred around $2.3 million in total.
The LockBit leak offers a rare window into ransomware gang operations. Forescout warns that any organization, regardless of size or sector, may eventually become a target, given the diversity of affiliates and targeting strategies.
What is also clear is that companies that pay the ransom have no guarantees of data recovery or silence.
Read the full report here.