The LockBit group seems to be a gang of shameless pricks who are not afraid of public attention. In the last 3 months, they have already given two interviews about their outlaw activities. Is that just a part of their PR campaign, or a display of their vanity? Let’s have a look at what they said this time and figure it out.
About LockBit group in two words
LockBit is a ransomware-as-a-service group that attacks companies all over the world. “Post-paid pentesters”, as they call themselves, ask for a $45,000 ransom on average, aiming at companies of all sizes. The origins of this cybercriminal group are presumably somewhere in the Commonwealth of Independent States. They pay a lot of attention to their image and constantly repeat that they always do what they promise. And they really do – no victim who paid the whole ransom was scammed, which is something Conti and Avaddon sometimes do. But this fact doesn’t make them innocent, though.
Fresh interview with LockBitSupp
A LockBit representative, known under the nickname LockBitSupp, agreed to talk to one of the writers of The Record newspaper. That is not the first interview with this group – I did the transcription of another chat earlier. The conversation itself was in Russian. I have prepared a translated version for you, of course, with all the needed comments and selected questions.
Increase in LockBit share in global attacks rating
Question (Q): LockBit accounted for 34% of all attacks committed in September. What is the secret of such a rapid market conquest? Or are your known victims just the ones who refused to pay the ransom?
Answer (A): LockBit group did not perform any serious campaign to conquer the ransomware market. Currently, we are improving our software – and that will be our basis for conquering the market. Together with the excellent reputation, of course. Both victims and people who decide to work as ransomware affiliates trust us. And yes, all victims you can hear about are just a small part of the companies we attacked. You can see this list in our blog. But the vast majority of companies are about to keep the fact that they were attacked away from the public. We attacked almost 700 companies in the last three months.
NB: LockBit group is already known for its unique ransomware design. Their malware uses the AES+ECC encryption algorithm, which is also used by US law enforcement. Even quantum computers are not able to decrypt this cipher – in contrast to “classic” ciphers like clear AES or RSA. Besides that, they apply multi-threading in the encryption process, which allows them to act extremely fast.
Political questions
Q: A lot of countries are about to apply the mandatory reporting of ransomware attacks. In conjunction with the number of attacks your group performs, LockBit may be considered a major hazard. Isn’t that a reason for limiting your RaaS program? You may attract too much attention to your group.
A: Restrictions are needed only for people who live on a salary. LockBit does not plan to introduce any limitations. Noise will not destroy your anonymity until you make a serious mistake. We don’t care if the company reports the attack case or not – that is out of our business.
Q: Some of the ransomware families attack hospitals and other critical infrastructure. Do you?
A: We do not attack hospitals, and instruct all our new affiliates that it is prohibited. Earlier, there were several cases when nursing homes and dental offices were attacked. We decrypted them for free.
Q: U.S. and Russian presidents had a meeting related to cybercrimes this summer. Everyone was waiting for the changes, but the only change was an increase in attack rates after a short slowdown in summer. Is this trend related to this meeting?
A: That was just a summer vacation. People from all over the world don’t want to work in summer, and they don’t want it even more if they have so much money. The meeting did not bring any effects to serious operators – who live away from the US or Russia. I live in China and feel completely safe.
About REvil member
Q: What happened to UNKNWN? [a member of the REvil group who has suddenly disappeared – author]
A: No one can say for sure, but it looks like a usual exit scam case. The same thing happened to Avaddon and Darkside groups in the past. When the large payment comes, the partner starts to think about the reason for further risking rather than relaxing and spending the money he/she has already got. Such a situation is impossible in our group – we do not touch the money of our affiliates.
Is LockBit afraid of counteraction from law enforcement?
Q: Executive authorities from all over the world are discussing hacking of the ransomware groups’ servers as a way to deal with you and your colleagues. This way they will obtain the decryption keys and erase all stolen data. Will that way of counteraction be effective against you?
A: This way of protection is the most efficient method to protect your company. None of the ransomware groups that are currently active can somehow counteract it, and LockBit is not an exception. It is possible to access any server in the world using the NSA hardware backdoors. We are absolutely sure about the safety of our data, thanks to our security system set for storing decryption keys and stolen information. Moreover, we also have several backups held on the servers in different parts of the world. And we are sure about the safety of these backups, because they are held by trusted parties who receive a certain sum of money for safekeeping them.
Ban on the forums
Q: You are very active on hacker forums. Why did you get banned on the Exploit forum?
A: Because of my signature. It is a pretty hypocritical piggishness from Exploit admins. They ban me, who is a part of a ransomware group that, in fact, are the post-paid pentesters for rich companies. Meanwhile, they allow the people who are employed in stealing money from banking cards to chat freely. This is likely a selective policy, and it is highly likely the way to mischief one of the most successful RaaS groups.
Conclusion
This LockBit member did not uncover any new information about the group. However, he showed the possible trends that have already started in the ransomware market. After the REvil shutdown, LockBit is the only group remaining with such a good reputation. It is obvious that they will exploit it as much as possible.
Darknet forums met this interview with a share of criticism. A lot of users blamed LockBitSupp for “stupid PR”, while others said that this chat show was more of a PR move by the journalist who conducted the interview. Nonetheless, LockBit still attracts affiliates “thanks to our perfect reputation”. I don’t know how that reputation will help them and their partners when it comes to imprisonment, but they are free to boast about it.
Judging by the cybersecurity course taken in the USA and EU, the majority of ransomware families may have problems in the future. In my opinion, we will see things like the supposed “exit scam” which UNKNWN pulled on the REvil group. A lot of high-level affiliates will just decide to stop their activity and stay safe, with the already earned sum in their pocket. Will these groups (Avaddon, Dharma, Conti, etc.) dissolve just like REvil? Possibly yes, especially if the FBI pays a lot of attention to them. And they have already committed enough crimes to be worth that attention.