Ransomware Gang LockBit Revises Its Tactics to Get More Blackmail Money

Ransomware Gang LockBit Revises Its Tactics to Get More Blackmail Money
Hands and keyboard.

LockBit, the prolific ransomware gang that has launched attacks recently on Boeing Co. and Industrial Commercial Bank of China Ltd., among others, has revised the way it tries to blackmail victims because it’s disappointed with lower-than-expected ransom payments, according to a report published Thursday by Analyst1.

The Russian-linked group has claimed some of this year’s biggest hacks. Its victims have included the UK’s Royal Mail and Japan’s biggest maritime port. But the syndicate’s financial haul has paled in comparison to some rival gangs, said Anastasia Sentsova, a ransomware cybercrime researcher who authored the report for cyber threat-intelligence firm Analyst1.

LockBit’s leadership “is unhappy with the revenue they see from ransom payouts,” she said. The problem is that rapid growth of the group, which now has more than 100 affiliates, many of whom are young and inexperienced in negotiations, “has led to inconsistent and often low ransom amounts that decreased overall revenue and set an unfavorable tone for future negotiations.”

LockBit, a criminal gang with ties to Russia, specializes in using malicious software known as ransomware to encrypt files on its victims’ computers, then demanding payment to unlock the files. The operation recruits hackers to conduct the ransomware attacks using LockBit’s tools and infrastructure. LockBit gets a cut of any ransom extorted in the attacks.

A meeting between the gang’s main leaders culminated in new rules that went into effect Oct. 1, laying out new tactics for hackers to follow when negotiating with the victims of their ransomware attacks.

The guidance details exactly how much to ask for in payouts, even as “the final decision on a ransom payment amount is still at the affiliate’s discretion, depending on their assessment of the damage inflicted on the victim,” Sentsova wrote in the report.

But attackers were encouraged to stick to recommendations that companies with revenue of as much as $100 million pay 3% to 10% of their total sales, those with up to $1 billion in revenue pay 0.5% to 5%, and those with more than $1 billion in sales pay 0.1% to 3%, the report noted.

“When setting an initial ransom amount, it is suggested to perform an assessment of the probability of payout to determine the amount the victim might be willing to pay,” the group said.

LockBit first appeared on the hacker scene in September 2019. A year later it introduced a data leak site where actors would publish data stolen from their victims, Analyst1 noted in its report. By 2022 it had rebranded itself to LockBit 3.0, establishing an interactive presence on dark web forums and interacting with threat actors and members of the cybersecurity community.

The criminals that use its tools have always taken the lead in choosing their targets and their ransoms, splitting the share of the spoils 80/20 with LockBit. But inconsistencies within those negotiations have frustrated operators, Sentsova noted, which prompted the demand for substantial changes.


Comments - Please in order to comment.

Please peer review 3 community comments before your comment can be posted

MavericKids vol 3

How can a child learn to read if they don't have a book?

81% of South African children aged 10 can't read for meaning. You can help by pre-ordering a copy of MavericKids.

For every copy sold we will donate a copy to Gift of The Givers for children in need of reading support.

A South African Hero: You

There’s a 99.8% chance that this isn’t for you. Only 0.2% of our readers have responded to this call for action.

Those 0.2% of our readers are our hidden heroes, who are fuelling our work and impacting the lives of every South African in doing so. They’re the people who contribute to keep Daily Maverick free for all, including you.

The equation is quite simple: the more members we have, the more reporting and investigations we can do, and the greater the impact on the country.

Be part of that 0.2%. Be a Maverick. Be a Maverick Insider.

Support Daily Maverick→
Payment options