Victim of Its Own Ransomware Success: LockBit Has ProblemsInfrastructure Hasn't Sustained Surge in Affiliates, Says Researcher Jon DiMaggio
The LockBit ransomware-as-a-service seems to have become a victim of its own success, says ransomware tracker Jon DiMaggio. Whether the group's challenges will precipitate the decline and fall of the notorious, already relatively long-lived cybercrime operation remains to be seen.
The group's business partners, or affiliates, doubled - from 50 to 100 - over the past year, and "just like a legitimate company, if you grow too fast and too quick, and you don't have the infrastructure to support it, you have problems," said DiMaggio, chief security strategist at Analyst1 and author of a new report detailing LockBit's woes.
After speaking with LockBit's affiliates, DiMaggio said the group's problems include not being able to handle affiliates' customer service requests in a reasonable time frame - as in, before the ransom countdown timer victims see counts down to zero; failing to automatically release data from victims who don't pay, as affiliates expect them to do in exchange for keeping 20% of every ransom paid; and failing to deliver a brand-new, major version on schedule. Instead, the group rebranded a previously leaked Conti locker.
"When you put this all together, LockBit's in trouble," he said. "I hope that 2023 is going to be the last year for LockBit."
In this video interview with Information Security Media Group, DiMaggio also discussed:
- Why affiliates have been deserting LockBit;
- How LockBit's leadership has been attempting to cover up the group's myriad problems;
- What the difficulties mean for future LockBit victims attempting to respond to an attack.
DiMaggio has over 15 years of experience hunting, researching and documenting advanced cyberthreats. As a specialist in enterprise ransomware attacks and nation-state intrusions, he has exposed the criminal cartels behind major ransomware attacks, aided law enforcement agencies in federal indictments of nation-state attacks and shared his work at conferences such as RSA and Black Hat. In 2022, he authored "The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware and Organized Cybercrime," which received the SANS Difference Makers Award for cybersecurity book of the year.
Mathew Schwartz: Hi, I'm Mathew Schwartz, with Information Security Media Group, and it's my pleasure to welcome to the ISMG studios, Jon DiMaggio, chief security strategist at Analyst1, to talk ransomware. Jon, thank you so much for being here today.
Jon DiMaggio: Hi, Mat. Thanks for having me. I'm always excited to come talk to you about chasing bad guys.
Schwartz: It's really interesting to hear your insights on the bad guys. I know that we're going to be talking about one of the most notorious ransomware groups that continues to be in existence, LockBit. And LockBit in the past has attempted to recruit affiliates, business partners, bring them into its orbit, by trumpeting the speed and the technical savvy of its cryptolocking malware. But Jon, I know you've had a look under the hood, and from what you've seen, it sounds like there's less than meets the eye. Victims not getting listed on the data leak site, for example; the code - you've written in your new report - has problems. What's going on with LockBit?
DiMaggio: Yeah, it's really amazing. There's a lot of issues under the hood, and the most amazing part is that no one's really noticed. That just goes to show how strong the propaganda is that LockBit puts out there, both to the general public media and in the criminal community, because for the most part, nobody's noticed this. It's not that they don't list victims, it's that they can't publish their data. They'll threaten victims, and they post this information, and then it says, "all your data is published." But what I found is about 60% of the time, it wasn't, and that was pretty amazing. I was shocked at that.
Schwartz: So definitely, if you've fallen victim to LockBit, previously or in the future, there's a real cautionary note here. As you said, this doesn't seem like common knowledge. I know from looking at various ransomware groups' Tor-based data leak sites, it can be very difficult to figure out what's going on with any given victim. If information is being leaked, even if it is supposedly leaked, it's difficult to even know if it's real or not. They've been found in the past to be making stuff up, right?
DiMaggio: Well, LockBit for the most part, traditionally, have always been good on the board. They've always leaked data and things like that. That's why I know it's a technical issue that they're having, and if you think about it, it's got to be hard to host all this data over Tor. They really blew up when they came out with LockBit 3.0 last year in June of 2022. They've grown so fast and so quick, just like a legitimate company. If you grow too fast and too quick, and you don't have the infrastructure to support it, you have problems. That's just one of several key issues that I found but that's the most impactful. They're posting these victims, they're going to post data, either the data isn't there or at all, or you're seeing it showing up on third-party sites. They're also, these affiliates - their "partners" - are paying them 20% of their profit, and part of that is that the data is hosted, so they don't have to worry about using a legitimate file data-sharing provider who could just take it down, and you've lost access. So, both affiliates and the public didn't know about this. I talked to affiliates directly during this, I talked to LockBit directly during this, LockBit didn't like my questions, affiliates did. I talked to several who left the program and went to competitors because of this. So I know it's not something that I just got wrong, because the guys inside are confirming it for me, but it was pretty amazing.
Schwartz: So when you say LockBit's been growing, do you mean in terms of the number of affiliates that they've managed to successfully recruit? Like you say, ransomware-as-a service program, they've recruited them in exchange for sharing the profits and by sharing the profits, the affiliates are meant to be getting some services, like this victim data, possibly getting automatically listed, I don't know if I have that right, if the ransom isn't paid within a certain timeframe?
DiMaggio: Yeah, so the way it works is there's the backend interface that basically the hacker affiliate uses, and in that they set a timer, essentially, and the victim's information is pulled from their website automatically and it's posted on LockBit's leak site, and when that timer expires, if they have not paid the ransom, all their data is supposed to be made public and leaked. That's the threat. But what I found is, it's often been an empty threat lately and just no one has actually noticed. There are many, many interesting posts where it says that data is leaked where they're not. LockBit tried to quietly address this. He did an infrastructure update that you only know if you're monitoring that on the inside with them. But he did that to address this specific problem, and talks about this specific problem, howeverhe really didn't fix it. He made it a little bit better, and he did some marketing around it to try to hide the fact that the real data wasn't there, but he didn't fix it. And then there's other problems behind the scenes in the system that he uses to communicate with his affiliate partners. There's just too many of them. They've grown; there's over 100 affiliates in the admin panel now at any given time, which - last year at this time - it was around 50. So he's just growing so fast, and his ransomware makes it so easy for them to conduct attacks, that it has really made the volume - how many attacks, how many people are working it - all of it together has just been the perfect storm. The gang itself is struggling to support that infrastructure and those services.
Schwartz: One of the other things you mentioned is not just trying to keep affiliates happy, but victims have also reported that when they are trying to make contact, perhaps to negotiate, they're not able to get through. It's the virtual equivalent of the phone ringing and nobody picking up, by the sound of things.
DiMaggio: So victims are able to communicate with the affiliate that's ransoming them for LockBit. But what they're not able to do is, affiliates and researchers and even media, if they're trying to communicate over Tox, most of the time, the victims will have an easier time communicating with them, as they have a different system that hosts that communication. And that actually pushes alerts, just like you get to your cell phone, when a victim is there, to let you know they're ready. So that part isn't falling apart, it's other aspects of it. But where they are losing is in the communication. It's almost like, if you were service provider and all of your customers needed to talk to you and you had too many customers and not enough people to answer the tickets, you would have a lot of unhappy customers. Well, affiliates are basically the customer. And when they have problems, they're trying to communicate that to LockBit or if they need help with an extortion or there's a problem with a key or whatever it is, and LockBit takes over a week to get … get back to them - well that timer on the ransom is ticking down. And now they're not able to facilitate the full ransom and the transaction. So it's costing them money, and it's a big problem. But more importantly, if you don't pay and they can't post it, you can roll the dice, you've got a good chance of them not leaking your data. Now I get that they probably do have it. But if they can't post it, and they can't host it, and they have to use file-sharing servers, and you have the ability to use law enforcement or other legitimate services to shut that down, that may change your mind if you want to pay them or not. But no one has known about it. So that sort of is the biggest secret that I would call a secret because LockBit has done a lot to cover this up. And he did things like instead of making the data available on some posts, he'll say, "Oh, you can buy it for $100,000." Well there's a big difference from everybody in the world being able to see your data versus someone wanting to pay $100,000 for it. There's a good chance that it's going to sit there and not ever get exposed.
Schwartz: One of the other challenges that I found was fascinating from your report seems to be recruiting and keeping technical talent. It seems like LockBit has had a real challenge getting the development expertise that it requires. Now this dovetails as well with another question, which is LockBit's different colors, which are versions. So could you talk me through where we are in the color coding, and what's been happening on the development front and why that has been problematic for LockBit?
DiMaggio: Absolutely, that's a great question. So they use different colors for internal names. Publicly, they use numbers, internally they use colors. LockBit Black was the original variant of LockBit that you saw that originated in 2020. Then we had LockBit Red, which was June of 2021. That was known as LockBit 2.0 publicly. Each one of these, they update the iteration of ransomware and new features, sometimes it's even mostly new code. Then you had LockBit 3.0 which came out in June of 2022. Now that was their biggest update and that was the one where they really put them on the map because it made it so easy to conduct attacks. Well, we had something interesting happening in March, they introduced what they called LockBit Green, but it wasn't the ransomware. They took a leaked builder from a competitor - Conti - and they basically just altered it to use their ransom note and they made a few small changes to the code but for the most part, it's just their leaked builder. I mean, I've had it on a virtual machine of mine since last February of 2022. It's nothing new to get excited about if you're a criminal. It's the same old thing that's been out there. So I was surprised to see them do that. And their developer had a falling out with the leader of LockBit back in September of 2022. So it makes sense that when we see in March of 2023, when they released this new variant, and it's simply a competitor's leaked ransomware, it sort of confirmed that they're having technical development issues. So now we're really seeing that transcend across their infrastructure and their other resources that they're using as services they provide in their program. But it all comes back to the same issue - is lack of development, whether it's your ransomware developer, whether it's having the proper technical expertise to host your infrastructure over Tor and support all this data. There's also been some issues with their admin panel. They've just had a lot of problems, like I said, that most of the public hasn't been aware of.
Schwartz: So stepping back, it often seems to me like ransomware groups - the successful ones - are almost Harvard Business Review case studies, in how to criminally use technology to make lots and lots of money. Are you able to hazard a guess as to what the underlying problem might be? You've previously characterized the head of LockBit as being an ego-driven CEO, basically. Why is this technical talent so hard, do you think, for them to keep a hold of or recruit, given the potentially massive profits for everybody involved?
DiMaggio: Well, and that's just it. It all comes down to the money. The previous developers have had agreements with LockBit where LockBit hasn't come through and paid them or so they say - that's what they've said. LockBit has not paid them as they were promised - a percentage of the program. For example, releasing a new code for LockBit and saying, "Okay, well, you need to remove your own code, and then I get 10% of the profit." I'm using it as example. If you keep the old code up there, and people are still using that, that's taking money out of your pocket. There's been several things, but the point is that they lost their developer and they missed - so if you notice the dates when I was talking earlier, they were in, except for LockBit Green, which isn't their ransomware, they've always come out in June for their updates, and this is the first year that they didn't do that out of the past several years. So, again, the missing the refresh date, having the issues hosting and leaking data, having issues communicating with their hacker partner affiliates. When you put this all together, LockBit's in trouble.
Schwartz: That's great news, and so I'm wondering, is there anything that network defenders, people such as yourself who are working to combat ransomware can do with this? We can luxuriate in the karma of it all, knowing full well, that probably somebody else will attempt to step forward and take LockBit's place should they fall. But for anybody in this sphere who's infecting networks, infecting systems, hacking into networks, this is great. What do we do with this, if anything?
DiMaggio: Yeah, so the bad part is the guys that are doing the compromises and the breaches, that game is still going well for them, because that's not using the LockBit services, necessarily. So that part is still going well for them. But where we do make a difference though is when you are a victim, and you're looking at $50 million, or like in Royal Mail they asked for $80 million, something crazy like that, you at least now have the opportunity to say, "am I going to be one of the percentage that they can't post my data?" Depending on what that is, even if it makes a difference in 30% of the companies that pay, you're talking of anywhere from hundreds to hundreds of millions of dollars over a year that they could lose based off of that. So it will affect their program, affiliates will continue to leave. While it's not something specific like "oh, we can defend against X," information is power and we can use that against this group - spreading that word, continuing to watch and see these programs and where they're failing. I hope that 2023 is going to be the last year for LockBit. They're in trouble and they're either going to turn it around or they're going to go down but based off of some of the things affiliates have said to me, I think there's more to this than I was able to necessarily prove in my reporting. But I think things are going south for LockBit.
Schwartz: Where there's smoke, there's fire. We see a brand in difficulty and because that brand happens to be ransomware, we can all take away a little bit of joy from that. Well Jon, thank you for your efforts to investigate all this and to share what you've learned for combating not just LockBit but ransomware in general.
DiMaggio: Thank you, Mat, for having me on the show. I love talking about this stuff. So, I appreciate it.
Schwartz: Maybe when we have you back next, we'll be talking about the death of LockBit. We can cross our fingers.
DiMaggio: We can always hope. It's definitely not going to be good news for them moving forward unless there's big changes.
Schwartz: Excellent. Again, I am speaking with Jon DiMaggio of Analyst1, about ransomware, in particular LockBit. I'm Mathew Schwartz with ISMG. Thank you for joining us.