Ransomware Gang LockBit Revises Its Tactics to Get More Blackmail Money

November 20, 2023 by

LockBit, the prolific ransomware gang that has launched attacks recently on Boeing Co. and Industrial Commercial Bank of China Ltd., among others, has revised the way it tries to blackmail victims because it’s disappointed with lower-than-expected ransom payments, according to a report published Thursday by Analyst1.

The Russian-linked group has claimed some of this year’s biggest hacks. Its victims have included the UK’s Royal Mail and Japan’s biggest maritime port. But the syndicate’s financial haul has paled in comparison to some rival gangs, said Anastasia Sentsova, a ransomware cybercrime researcher who authored the report for cyber threat-intelligence firm Analyst1.

LockBit’s leadership “is unhappy with the revenue they see from ransom payouts,” she said. The problem is that rapid growth of the group, which now has more than 100 affiliates, many of whom are young and inexperienced in negotiations, “has led to inconsistent and often low ransom amounts that decreased overall revenue and set an unfavorable tone for future negotiations.”

LockBit, a criminal gang with ties to Russia, specializes in using malicious software known as ransomware to encrypt files on its victims’ computers, then demanding payment to unlock the files. The operation recruits hackers to conduct the ransomware attacks using LockBit’s tools and infrastructure. LockBit gets a cut of any ransom extorted in the attacks.

A meeting between the gang’s main leaders culminated in new rules that went into effect Oct. 1, laying out new tactics for hackers to follow when negotiating with the victims of their ransomware attacks.

The guidance details exactly how much to ask for in payouts, even as “the final decision on a ransom payment amount is still at the affiliate’s discretion, depending on their assessment of the damage inflicted on the victim,” Sentsova wrote in the report.

But attackers were encouraged to stick to recommendations that companies with revenue of as much as $100 million pay 3% to 10% of their total sales, those with up to $1 billion in revenue pay 0.5% to 5%, and those with more than $1 billion in sales pay 0.1% to 3%, the report noted.

“When setting an initial ransom amount, it is suggested to perform an assessment of the probability of payout to determine the amount the victim might be willing to pay,” the group said.

LockBit first appeared on the hacker scene in September 2019. A year later it introduced a data leak site where actors would publish data stolen from their victims, Analyst1 noted in its report. By 2022 it had rebranded itself to LockBit 3.0, establishing an interactive presence on dark web forums and interacting with threat actors and members of the cybersecurity community.

The criminals that use its tools have always taken the lead in choosing their targets and their ransoms, splitting the share of the spoils 80/20 with LockBit. But inconsistencies within those negotiations have frustrated operators, Sentsova noted, which prompted the demand for substantial changes.

Photo: Chris Ratcliffe/Bloomberg