According to a fascinating report by Jon DiMaggio of Analyst1, who spent a year undercover gathering intelligence on the LockBit group, the ransomware gang is trying to cover up “the fact it often cannot consistently publish stolen data.”
And that’s obviously a problem for a cybercriminal gang which is using the threat of publishing exfiltrated data as its primary lever for extorting a ransom from its victims.
DiMaggio claims that the problem “is due to limitations in [LockBit’s] backend infrastructure and available bandwidth.”
“LockBit recently updated its infrastructure to address these deficiencies. However, this is a gimmick to make it appear that it corrected the previously mentioned problem with posting victim data. It claims victims’ ‘FILES ARE PUBLISHED’. Often, this is a lie and a ploy to cover up the fact that LockBit cannot consistently host and publish large amounts of victim data through its admin panel, as promised to its affiliate partners. Further, over the past six months, LockBit has presented empty threats it failed to act upon after many victims refused to pay. Yet, somehow, no one has noticed.”
I guess if you steal a huge amount of data from many companies, you have to ensure that you have the storage space and server infrastructure to leak it to the world.
As a result of these and other issues (DiMaggio says a deadline to release an updated version of the ransomware has been missed, for instance), the group’s reputation has been tarnished and some of LockBit’s top affiliates have left for other ransomware groups in recent months.
My guess is that companies might be a lot less inclined to pay a ransom if they believed it was less likely that their stolen data was actually going to be published…
It will be interesting to see if LockBit can address its infrastructure issue – perhaps by offering the data it has stolen from victimised companies via torrents instead.