LockBit Ransomware Gang in Decline, May Be Compromised, Report

A new report from Jon DiMaggio, Chief Security Strategist at Analyst1, “Ransomware Diaries: Volume 3 – LockBit’s Secrets” exposes LockBit’s activities, their targets, and the challenges they’ve been facing.

  • LockBit’s leadership vanished for two weeks in August 2023. This suggests that the gang may have been compromised or that there was internal conflict.
  • LockBit has been unable to consistently publish victim data. This has led to victims refusing to pay ransoms and affiliates leaving the program.
  • LockBit’s updated infrastructure is not as effective as it claims to be. This is evidenced by the fact that LockBit is still struggling to publish victim data.
  • LockBit’s affiliates are leaving for its competitors. This is because LockBit is not providing the support and resources that affiliates need.
  • LockBit ransomware gang missed its most recent release date. This suggests that the gang is struggling to develop new ransomware variants.
  • LockBit wants to steal ransomware from its rivals. This is a sign that LockBit is desperate and is willing to resort to unethical tactics to stay ahead of the competition.

LockBit, a prominent but infamous ransomware gang that has wreaked havoc across numerous industries, recently vanished from the cybercriminal scene, leaving affiliates and partners in a state of uncertainty. However, their reemergence after a brief hiatus has raised questions about their operational integrity.

A new report from Jon DiMaggio, Chief Security Strategist at Analyst1, “Ransomware Diaries: Volume 3 – LockBit’s Secrets” exposes LockBit’s activities, their targets, and the challenges they’ve been facing.

Dimaggio delved deep into LockBit’s operations and uncovered critical shortcomings within the gang’s modus operandi. In his extensive report, the researcher has highlighted LockBit’s struggles with data publication, deteriorating affiliate partnerships, and a lack of timely support responses. DiMaggio believes LockBit may have been compromised.

In 2022, LockBit reigned as the foremost ransomware group and Ransomware-as-a-Service (RaaS) provider globally. In a shift from traditional ransomware groups, LockBit’s unique approach involves maintaining the ransomware’s functionality, leasing access to it, and assisting affiliates in deploying attacks.

The model has enabled LockBit to foster a wide network of attackers, resulting in diverse tactics, techniques, and procedures employed during ransomware incidents. Affiliates employing the LockBit RaaS model have targeted entities spanning various sectors, including finance, education, healthcare, and government, leaving no industry immune to its malicious grip.

However, Lockbit’s reputation as a ransomware group has taken a serious hit following a series of events that DiMaggio’s exposé of the gang reveals. Earlier this year, they successfully breached and compromised Royal Mail, the United Kingdom’s largest postal service provider, and Maximum Industries.

The gang went on to claim to breach an aerospace manufacturing company with connections to SpaceX. But they failed to publish the data? This, too, after numerous claims that the data will be publicly available if ransomware demands were not met.

LockBit did the same in April 2023 when it announced compromising Darktrace, a British cybersecurity company. The claims were investigated and quickly dismissed by the company, and researchers never saw the claimed data. Instead, publicly available photos of Darktrace founder Poppy Gustafsson were published by the gang.

Photos of Poppy Gustafsson published by LockBit as proof of hack (Screenshot: Hackread.com)

Intriguingly, LockBit has started to rely on empty threats and propaganda to pressure victims into paying the ransom, even though it struggles with publishing victim data consistently due to backend limitations and bandwidth issues. This strategy, coupled with a strong narrative on criminal forums, is an attempt to maintain LockBit’s reputation which frankly, everyone can see through.

Not to mention, instead of the usual roster of legitimate victims, LockBit populated its site with entirely fictitious company names and websites, such as “1.com” and “123.com.” The situation took a funnier twist when LockBit issued a deadline for these fabricated entities to pay a relatively modest $60,000 ransom or face the publication of their nonexistent data.

A threat intelligence company casts doubt on the claims of the LockBit ransomware gang.

The abnormality of the situation became apparent to keen observers. First, the choice of victims itself raised eyebrows – LockBit was demanding an unusually low ransom, inconsistent with their usual greedy demands. Cybersecurity analysts noted that if this had been a genuine case, LockBit would have typically demanded a much larger sum.

LockBit ransomware gang blames victim for DDoS attack on its website

Seeing LockBit’s dramatic antics and failure to live up to expectations, affiliate partners, essential for LockBit’s operations, are increasingly dissatisfied due to the gang’s struggles with data hosting and communication.

The research indicates that many affiliates have left LockBit’s program in favour of its competitors, driven by frustrations with unresolved support queries and the gang’s inability to deliver on its data publication promises.

The gang’s use of the secure communication application Tox has led to a growing issue of prolonged wait times for affiliates seeking support. LockBit’s high volume of attacks and expanding partner network has overwhelmed its communication infrastructure, resulting in frustrated affiliates struggling to obtain timely responses to critical queries.

While LockBit has hinted at the possibility of implementing a ticketing system, challenges in ensuring security and confidentiality remain a significant obstacle.

LockBit’s supposed commitment to innovation is challenged by its inability to release significant ransomware updates. Despite their previous successes with LockBit Red and LockBit Black, recent attempts at an update have fallen short, and the gang was found to be using outdated or stolen ransomware from other criminal groups. 

According to DiMaggio, the once-feared LockBit ransomware gang appears to be grappling with a cascade of issues, from faulty data publishing and strained communication to outdated ransomware variants and attempts to acquire competitors’ technology.

Overall, the report paints a picture of a ransomware gang that is in decline. LockBit is facing a number of challenges, including technical problems, internal conflict, and competition from other ransomware gangs. It is likely that LockBit will continue to lose ground in the coming months.

  1. Cyber Security Firm Mandiant Denies Hacking Claims By LockBit
  2. Accenture claims to fight off LockBit ransomware gang with backup
  3. LockBit ransomware gang claims PayBito crypto exchange as new victim

Related Posts