LockBit Interview

The LockBit ransomware group gave an interview to the Russian cybersecurity news agency, Russian Osint. More than 50 minutes of talks opened eyes to different aspects of the LockBit activity, as well as to the secret of their long life on the ransomware market.

This Article Contains:

Who is LockBit?

LockBit is the ransomware gang that appeared in 2019. It is famous for its well-designed ransomware payload, which is delivered by a team of experienced hackers. This group is famous not only for the high efficiency of their attacks, but also for its honesty: they fulfil all promises they make for files decryption and data leaking. They have their own ethical rules: avoid attacking healthcare and governmental organizations and always help with data recovery after the ransom is paid. That does not turn them into a virtue, and doesn’t decrease the potential imprisonment term for their developers, hasten to say.

LockBit banner that appears after the encryption

LockBit interview: what is uncovered

This interview is interesting for everyone who doesn’t spend a lot of time reading the cybersecurity reports and checking the Darknet¹ forums for posts that can shed light on this ransomware group. Significant number of facts that were told by one of the developers in this interview were known by the forum publications and reverse-engineering of the exact malware payload. However, he also voiced some interesting facts about common trends in cybersecurity, as well as about the principles of their group.

Overall cybersecurity level remains unchanged

As interviewee says, companies pay low to no attention to possible ransomware hazards². They keep ignoring the simple security aspects, such as using the secure connections for RDP or VPN, skipping the offers to update the exploitable program solutions from Microsoft, Adobe, VMware and so on. Such recklessness cannot be missed by tricky fraudsters, who can easily make profit on those companies.

What do these crooks think about other ransomware groups?

LockBit does not want to comment on their relations with other groups, as well as doesn’t want to give their opinion on it. The only thing they want to say is that they despise the groups that ignore the rule to avoid attacking the hospitals and universities, as well as taking the ransom money and not giving up the decryption key.

What’s new in LockBit 2.0?

LockBit 2.0 was released in August, 2021, and was not used widely at the beginning of September, when this article was written. As developer says, the new version of their ransomware contains the following updates:

Faster encryption. LockBit has already been known for the extremely fast encryption, but v2.0 makes it even faster.
Another way to store the stolen corporate data. First version contained the stealer virus payload which was not able to save the data it found in the infected network somewhere away from cloud storages. That caused a lot of data losses by cybercriminals: when attacked companies report the cloud storages that their confidential data is stolen and kept on their servers, storage services usually ban the crooks’ account and wipe it up. LockBit 2.0 contains the stealer module that is able to download the data directly to the command server.

LockBit 2.0 logo

Why do locker groups change their names and will this trend keep going?

“There is no reason for the ransomware groups to change their name, if they are honest and have no situations when the ransom is paid, but the decryption key is not sent.”

Interviewee also did a special accent on Avaddon, REvil and DarkSide ransomware groups, which had the aforementioned incidents. LockBit group knows the price of image, so they try to do their best to keep away from ill fame. And yes, they don’t think that ciphering the data of the companies is something that already gives them a bad reputation (and tons of legal actions).

How to avoid being attacked by LockBit?

Hire a full-time Red Team (the group of pentesters who will examine your network for possible vulnerabilities).
Update your software as often as possible. This will help you to prevent the most stupid injections – through the exploits in the programs.
Instruct your staff about the rules of cybersecurity. These rules must be a thing like washing your hands.
Use the appropriate antivirus software. The defence without walls is not possible.

When you are in a blind corner, followed by your enemy, will you fight for life, or retreat?

First, I will likely make an offer which will be very hard to decline. If this offer gives no effect – fight for life. But as practise shows, money wins the evil.

Consider reading: Criterias that ransomware gangs use to choose their target.

Wilbur Woodham

IT Security Expert

It is better to prevent, than repair and repent!

When we talk about the intrusion of unfamiliar programs into your computer's work, the proverb "Forewarned is forearmed" describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.