With the rollout of its Ransomware-as-a-Service platform, called LockBit 2.0, and the sudden retirement of rival operators Darkside, Avaddon, and R Evil, LockBit has become one of the largest RaaS platforms today. .
Cybercriminal groups that had previously rented ransomware payloads from other groups appear to have flocked to the Lockbit group since the summer of 2021, leading to a surge in attacks that prompted the Australian government to issue an unusual warning to local businesses.
In addition, statistics collected by Recorded Future show that LockBit was by far the most active ransomware group last month in September, accounting for about a third of the victims listed on ransomware leak sites.
LockBit also interviewed Dmitry Smiranets, analyst at Recorded Future and writer for The Record.
The full interview
Dmitry: LockBit accounted for 34% of all ransomware attacks reported in September. What is the secret behind how you conquered this market? Or is this number higher because many of the victims chose not to pay the ransom?
LockBit: We have not yet conquered the market. We are still in the process of developing and improving our software. The secret is very simple: we have an impeccable reputation. We are the only group that has never cheated anyone or changed our brand. Our affiliates trust us. LockBit Blog is just one of the many companies that have refused to pay the ransom. In the last three months, we have attacked over 700 companies.
Mr. Dmitry: There are currently discussions in several countries to require disclosure of ransomware attacks within a few days of them taking place. If the statistics of such attacks improve, your group will stand out as one of the top threats today. Have you thought about limiting your RaaS (Ransomware as a Service) program so that it doesn’t make too much noise?
LockBit: We have no plans to introduce restrictions. Noise or no noise, any mistake in anonymity will be our undoing. We don’t care if a group releases information about an attack, this is purely private business.
Mr. Dmitry: I think the difference with the other groups is the StealBit malware, can you tell us more about it?
LockBit: Encrypting data is not enough. Sometimes it’s much more important to steal valuable information, and to keep that information undisclosed, companies have to pay more than for decryption.StealBit makes stealing information as fast and easy as possible.
Mr. Dmitry: You allow affiliates to talk to victims and get paid directly. Is this model successful?
LockBit: There is no reason not to trust our affiliates. If you want a long-term working relationship, you won’t want to leave us. But the most important thing is to maintain an impeccable reputation; you can’t trick advertisers into stealing ransom money like Avadon, Darkside, and REvil.
Dmitry: Do you think the RaaS business model is sustainable? And how do you see it changing over the next five years?
LockBit: Competition will increase, the level of corporate defense will rise, and the wealth of affiliates will increase.
Dmitry: Has the dissolution of R Evil in the summer of 2021 played a role in the success of LockBit, and how many affiliates have joined the operation since the dissolution of Unknown?
LockBit: The “dissolution” of REvil has had no effect on our success. Starting an affiliate program is easy, but maintaining it is an art form.
Mr. Dmitry: Do you know the real story of what happened to Unknown?
LockBit: No one really knows, but it’s definitely a classic exit scam; I think the same thing happened with Avadon and Darkside. As soon as a large payment comes in, the owner of this partnership program wonders if it’s worth working and risking his life any longer, or if it’s better to exit now and calmly spend the money for the rest of his life. We basically don’t touch our affiliates’ money, so that can’t be the case.
Dmitry: You are very active on the forums. Why did Exploit ban your account?
LockBit: This is for your signature. It’s not very clear how cybercriminals can be banned from certain types of cybercrimes, because in reality everyone on this forum is breaking the law. You will find that it is forbidden to pen-test rich companies for deferred payment, but it is allowed to steal money from the bank cards of millions of individuals. I’m also not sure why accounts of competitors who buy and sell network access or keep looking for pentesters on Exploit forums are not blocked. Perhaps this is some sort of policy. We think this is the work of a competitor and a dishonest way to handle the world’s #1 affiliate program. It’s unfortunate and annoying, but oh well.
Mr. Dmitry: You mentioned that REvil and Hive are attacking the hospital, is that right?
LockBit: We do not attack hospitals. In a few cases, affiliates accidentally encrypted the servers of dentists’ offices and nursing homes. We issued the decryption keys for free.
Mr. Dmitry: After the meeting between the US and Russian presidents in June 2021, everyone is looking for signs of change; attacks, which had temporarily stalled in the summer of 2021, are on the rise; and the US and Russian governments have been talking about the possibility of a new round of attacks. Are these events related, or are affiliates just on a long vacation?
LockBit: It’s just a summer vacation. Like everyone else on the planet, no one wants to work in the summer, especially if they have hundreds of millions of dollars to spend. Presidents’ meetings have no effect. Not everyone who is serious about working lives in the US or Russia. I live in China and I feel perfectly safe there.
Dmitry: Some of the ransomware families are preventing affiliates from attacking US companies and infrastructure. Do you have any special recommendations for partners? What happens if your ad deploys a lock bit on critical infrastructure against your will?
LockBit: Not a single affiliate can go against our will. We only work with trusted people who have a code of honor, so each and every affiliate is responsible for their own words and actions.
Dmitry: In October 2021, representatives from 30 countries met to discuss how to deal with ransomware attacks. Do you have any concerns about this or do you think this is just a political appeal?
LockBit: They’re just trying to scare you.
Dmitry: Law enforcement agencies in several countries are now openly discussing hacking ransomware infrastructure to destroy stolen data and retrieve encryption keys. Are you worried about this? Are your storage systems secure enough?
LockBit: This is one of the most effective ways to deal with us. No one is immune to hacking infrastructure with the help of zero days, and with the NSA’s hardware backdoor, it is possible to access any server on the planet. Therefore, the risk of being hacked is always present. At this point, we are absolutely confident in our security system for storing decryption keys and stolen data, which is unmatched by any of our competitors. In addition, the stolen company data is backed up in multiple backups on servers around the world, as well as encrypted offline backups by trusted people who are paid to store the data.
Dmitry: The U.S. government has announced that it is coming down hard on cryptocurrency services that helped ransomware groups launder money. Do you think this will be a problem for you and the ransomware world in the future? Or are there other ways to launder money?
LockBit: I doubt there are any Chinese who will listen to the US and not accept cryptocurrency from us when they exchange it for cash dollars in Hong Kong.
Mr. Dmitry: Are you ready to provide free decryption keys for companies that did not get funding in October?
LockBit: No company is without money, but there are companies that don’t want to spend money on protecting their network, don’t want to pay salaries to good system administrators, and don’t want to spend money on a ransom. Maybe we’ll decrypt for free for the one company that “couldn’t raise the money”, in which case this company’s data will stay on our blog forever.