Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Ransomware

Profit at Any Cost: Why Ransomware Gangs Such as LockBit Lie

And They’ll Continue to Do So Until Authorities Better Disrupt Them - But How?
Profit at Any Cost: Why Ransomware Gangs Such as LockBit Lie
Royal Mail says Brits shouldn’t use it to send international letter or parcels abroad during a "severe service disruption" caused by ransomware. (Image: Mathew Schwartz)

Ransomware groups continue to try and lie their way out of having any accountability for their dangerous and morally bankrupt behavior.

See Also: Realities of Choosing a Response Provider

The latest example features Britain's national postal service getting victimized by LockBit and the gang spinning half-truths and lies to try and deflect blame for the attack (see: LockBit Tries to Distance Itself From Royal Mail Attack).

Here are the facts: "Royal Mail is experiencing severe service disruption to our international export services following a cyber incident," the postal service says in a Monday update. "We are temporarily unable to dispatch items to overseas destinations."

Here's the ransomware criminal spin: LockBit spokesman LockBitSupp initially claimed his ransomware-as-a-service operation wasn't behind the attack on Royal Mail.

He instead suggested that someone ran the attack using a version of the LockBit builder that leaked last September. That was despite the attacker using working links that led back to negotiation and portal pages run by - wait for it - LockBit.

LockBitSupp's already shaky denial collapsed after he admitted in a Russian cybercrime forum post on Saturday that one of his group's top 10 most profitable affiliates was indeed behind the attack.

Affiliates are vetted business partners of ransomware groups. LockBit provides its affiliates with regularly updated crypto-locking malware to be used to infect fresh victims. In return, LockBit keeps at least 25% of every ransom paid, based on individual agreements reached with each affiliate.

But who could blame LockBit for not knowing what its affiliates might be doing? "The work is stressful," LockBitSupp claims, what with "endless targets, hundreds of operators and … no time to monitor all of it when they could just sit and watch the news,'" according to another one of his cybercrime forum posts, spotted by Azim Khodjibaev, a security researcher at Cisco Talos.

As the anti-ransomware group MalwareHunterTeam tweets, the about-face makes LockBitSupp look like a clown. But so what, since LockBitSupp isn't changing the ransomware script of offering to delete the stolen data and furnish victims with a working decryptor in exchange for an extortion payment.

In essence, a criminal admitted to yet another felonious undertaking and used the opportunity to continue the group's attempt to extort the victim.

Half-Truths and Lies

LockBitSupp's doublespeak episode is a reminder about how ransomware gangs regularly lie and spin the truth to improve their revenue. This includes any and all claims having to do with:

  • Deleting data: Experts continue to urge victims to never pay for promises to delete data, not least because they've never seen incontrovertible proof that any group has actually done this. Instead, they're likely selling interesting stolen information three ways from Sunday.
  • Free decryptors: Some groups claim to not attack healthcare or critical infrastructure organizations. What they mean, however, is that if they hit such an organization and it becomes politically inconvenient, they might furnish a free decryptor. By that point, extensive and costly damage has already been done.
  • Affiliates: Ransomware groups love to blame affiliates for inconvenient hits, while neglecting to mention that the affiliates are in effect contractors incentivized to run attacks on their behalf.
  • Decryptors: Groups sometimes provide decryptors that will restore files, or at least some files. Security experts recommend that victims exploring paying for a decryptor work with their cyber insurer or a reputable ransomware incident response firm to review intelligence about any given gang's track record before they enter into negotiations or opt to pay.

Whether Western law enforcement agencies redouble efforts to identify LockBit affiliates and disrupt infrastructure remains to be seen, but it's a safe bet, given the disruptions unleashed on the likes of REvil, aka Sodinokibi, and other groups.

In response, last year ransomware watchers reported that more ransomware-wielding attackers appeared to be opting to go solo rather than face the risk of working with big-name brands such as LockBit or BlackCat (see: Ransomware Ecosystem: Big-Name Brands Becoming a Liability).

Individuals operating from within Russia don't appear to face major risks, provided they don't attack Russians. The same isn't true for affiliates based outside the country.

Last November, Canadian police arrested an alleged LockBit affiliate in Ontario. The dual Russian-Canadian national faces extradition to the United States, where he's been charged with conspiracy to commit computer intrusion.

Seeking Disruption

Clearly, more needs to be done to disrupt the ransomware business model. The volume of known ransomware attacks in 2022 appeared to be little changed from 2021, Emsisoft reports. Last year in the U.S., the cybersecurity firm counted attacks against "106 local governments, 44 universities and colleges, 45 school districts operating 1,981 schools, and 25 healthcare providers operating 290 hospitals."

Numerous efforts are underway, including 30 countries globally working on a counter-ransomware initiative. But these anti-ransomware programs are "moving at the pace of very busy, overloaded governments" dealing with the aftereffects of the COVID-19 pandemic, Russia's war in Ukraine and the economic downturn, says cybersecurity veteran Jen Ellis (see: Combating Ransomware Attacks: Which Strategies Hold Promise?).

The good news, she says, is that "they're still looking at things that can be done to try and advance the agenda around ransomware and make lives harder for attackers."

Also needed is a concerted effort to destigmatize these attacks and get victims to make them public so criminals can't operate in the shadows, Ellis says. The more details come to light, the greater the ability of defenders to counter them and law enforcement or intelligence agencies to capitalize on mistakes attackers make and disrupt the business model, as well as its mouthy practitioners.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.