The Russian-speaking ransomware mob LockBit is resorting to outlandish publicity stunts, including paying people to get its brand tattooed on them and offering million-dollar bounties for information that can publicly identify its leaders.
That’s the take in a new intelligence advisory co-authored and circulated by the Australian Signals Directorate’s public outreach arm, the Australian Cyber Security Centre, along with similar Five Eyes agencies as well as Germany and France.
As allied cyber and signals intelligence agencies increasingly collaborate to harden targets against ransomware infiltration and execution, the combined picture now emerging is of a maturing profit-share business model for extorting victims using rented and evolving tools to break into systems.
Dubbed “Understanding Ransomware Threat Actors: LockBit”, the report’s actionable utility lies in a thorough technical drill-down into mitigations and hardening, but it also provides a clear window into how grey-zone operators (such as state-tolerated criminal enterprises) ply their trade.
“Lockbit is one of the most prolific and disruptive ransomware variants, having been used by cybercriminals against multiple sectors and organisations worldwide, including in Australia,” the head of the Australian Cyber Security Centre, Abigail Bradshaw, said.
“With ransomware variants constantly evolving, this advice can help organisations strengthen and defend their networks.”
While the Ransomware-as-a-Service (RaaS) model is not particularly new, it is persistent.
The US Cybersecurity and Infrastructure Security Agency-stamped report observes that in 2022 “LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023”, making it highly pestilent as well as damaging.
One of the reasons for LockBit’s success is its distribution model, which uses “unconnected affiliates” recruited globally through a variety of showboating tactics and bait to market the ransomware tools. The ransom is often paid by the victim to the affiliate rather than to the toolmaker, with the affiliate then passing a cut to the core group.
“Some of the methods LockBit has used to successfully attract affiliates include, but are not limited to … assuring payment by allowing affiliates to receive ransom payments before sending a cut to the core group; this practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates’ cut,” the report says.
It is a marked shift from the previously ruthless and sometimes internecine tactics of RaaS shops that typically would only allow the loot, often crypto, to route to them, routinely doing over both their collaborators and victims.
These days sustainability and scale seem to be the order of the day for LockBit, with the playing field for the hackerati irrevocably changed as a result of the invasion of Ukraine that splintered previously loose alliances, saw established crews turn in on each other, and thousands of volunteers flock to various grey operations like patriotic hacking.
But you still have to get the brand name out there in front of competitors, and the report notes that LockBit has taken to “disparaging other RaaS groups in online forums.”
It also says LockBit has been “engaging in publicity-generating activities, such as paying people to get LockBit tattoos and putting a $1 million bounty on information related to the real-world identity of LockBit’s lead who goes by the persona ‘LockBitSupp.’”
Then there’s LockBit for Dummies. The report notes that part of the get-rich-quick pitch is an improved user experience that’s included “developing and maintaining a simplified, point-and-click interface for its ransomware, making it accessible to those with a lower degree of technical skill.”
The report cites LockBit as being attributable to “8% of total reported Australian ransomware incidents.”
LockBit was most recently spotted plying its trade in Australia on April 21, 2023, the report says.
Notably, there’s a very firm line in terms of whether or not to stump up the ransom, with all seven of the cyber authorities holding to the line that rewarding extortion with payments only furthers extortion.
“The authoring organizations do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the report says.
Even if a ransom is paid, the cyber agencies still want to know who has been hit, they say.
“Regardless of whether you or your organization have decided to pay the ransom, the authoring organizations urge you to promptly report ransomware incidents to your country’s respective authorities,” the report says.
Getting hit can be a double whammy too. The report says LockBit victims are often first threatened with encryption and then with the leaking of stolen information and data.
“Since 2021, LockBit affiliates have employed double extortion by first encrypting victim data and then exfiltrating that data while threatening to post that stolen data on leak sites. Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites,” the report says.
“As a result, the leak sites reveal a portion of LockBit affiliates’ total victims. For these reasons, the leak sites are not a reliable indicator of when LockBit ransomware attacks occurred. The date of data publication on the leak sites may be months after LockBit affiliates actually executed ransomware attacks.”
Read the ACSC’s updated LockBit 3.0 advisory issued June 15, 2023.