While many ransomware groups come and go, LockBit seems to be the one that persists. First discovered in September 2019 using the name ABCD, and then gaining notoriety as LockBit in April 2020, the group has outlasted many of its competitors. This is in part due to the innovation in the group’s tactics, techniques, and procedures (TTPs), as well as the group’s collective beliefs. An example of this is a decision made in relation to the Russia and Ukraine conflict. While groups such as Conti expressed their support for Russia during its invasion of Ukraine, and were subsequently hacked by a pro-Ukraine individual, LockBit took a different stance. In an official statement, LockBit made their political affiliation clear: “For us it is just business, and we are all apolitical. We are only interested in money for our harmless and useful work.” This has also allowed them to skirt various regulations. By not claiming allegiance to one government, LockBit has not been sanctioned under the United States Office of Foreign Assets Control (OFAC) list. This enables U.S. organizations to legally pay ransoms demanded by LockBit and attracts talent from sanctioned groups, such as EvilCorp, to join the organization as affiliates.
LockBit’s Update to 3.0 - Introducing a Bug Bounty Program
LockBit is known as one of the most innovative ransomware groups today. Recently, the threat group updated their ransomware-as-a-service (RaaS) operation to “LockBit 3.0.” With this update, LockBit has introduced the first bug bounty program established by a ransomware group. LockBit’s program offers rewards ranging from $1,000 to $1 million for "all security researchers, ethical and unethical hackers on the planet" to submit bug reports for various categories. The creation of this bug bounty program allows LockBit to tap into a pool of morally dubious security researchers and hackers to improve their own security. While the group could hire employees to achieve the goals outlined in the bug bounty categories, as most legitimate organizations find, it is often easier and cheaper to outsource these efforts.
LockBit Leaks Victim Negotiation Chat Log
Figure 1: The victim's page on LockBit's leak site with the new "Open Chat" button.
Figure 2: Start of publicized ransomware negotiations posted to LockBit's site.
As a part of this update, LockBit is continuing to release new features. On Friday, July 22, 2022, Ankura Cyber Threat Investigations & Expert Services (CTIX) analysts discovered a new technique being utilized by LockBit. In a leak posted on July 19, 2022, LockBit publicized the chat history of ransomware payment negotiations between the threat actors and a victim. In the negotiations, LockBit initially gave a ransom demand of $5 million, which is double what other prominent ransomware groups have recently demanded. Negotiations continued from there, eventually dropping down to $3.75 million and ending at “3,3kk” (likely meaning $3.3 million). The victim did not pay the ransom demanded by LockBit, causing the data, as well as this documented chat history, to be posted on their leak site. On July 25, 2022, Twitter user @PogoWasRight reached out to LockBitSupp (LockBit’s support account) to determine if the chat logs were real. The threat actor confirmed it was a real chat log with a victim, stating it is a “new functional” and was intended to be published. In addition, Twitter user @ValeryMarchive discovered that the same code used to show the chat log button is present on other victims’ pages. Together, these two factors strongly indicate that this pressure tactic will be used again. Previously, ransomware groups have been known to harass and attack researchers and journalists who post their negotiations publicly, making this an extremely unusual move for LockBit.
What Does This New Technique Mean?
The question many will ask is: why add chat logs as a “new functional” for LockBit? Ankura cyber experts assess the new TTP to have several potential applications for LockBit moving forward. Further, this TTP may evolve across the ransomware industry considering the current geopolitical environment. The chat log posting by LockBit is unique, as most analysts would expect a ransomware threat actor to want to keep their negotiation tactics private. With the release of the chat log, LockBit has opened the revenue generation aperture significantly. In this instance, the victim organization was a publicly traded company, and several statements made in negotiations would certainly diminish public faith in the organization as well as highlight their inadequacies to their investors and owners. Since the victim company did not pay, the chat log publishing certainly attacks the victim’s credibility and can be seen as a shaming tactic.
As indicated above, other use cases for LockBit releasing chat logs include:
- Increased motivation for future victims to pay in order to avoid the sharing of discrediting information.
- Open forum feedback from both unethical and ethical hackers as well as security researchers – maturing a “ransomware consortium for ransomware professionals”.
- The evolution of ransomware groups’ professionalization - developing “ransomware thought leadership” engagements.
The timing of this development, as Russia continues to attack Ukraine, is notable. Several incident reporting timelines highlight a significant spike in cybercrime activity and coordinated cyber-attacks against Ukraine leading up to Russia’s invasion. As the conflict has progressed, released cyber warfare information has decreased and cybercrime has seemingly undergone a reset. Some organizations, such as LockBit, have remained neutral, but others have chosen sides. The significant spike in cyber activity leading up to Russia’s invasion indicates most of the nation-state cyber actors and aligned threat groups had a singular focus: Ukraine. The invasion shifted the ransomware market as some organizations opposed Russian affiliates, offering an opportunity for growth and expansion for ransomware “businesses”.
The LockBit chat log posting is a strong representation of the ransomware “industry” maturing and adapting to the market vacuum caused by conflict. LockBit has capitalized on the global pandemic, while taking a business approach to ransomware, and now has led the way for the industry with the addition of their new tactics and platform, LockBit 3.0.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.