
LockBit leak shows affiliates use pressure tactics, rarely get paid

LockBit, one of the most prolific ransomware gangs operating today, was breached last week, and its inner workings were exposed in unusual detail. The leaked files, briefly accessible on a Tor onion site, gave researchers and security specialists a rare look at how LockBit runs its ransomware-as-a-service (RaaS) operation.

The defacement page on the hacked LockBit ransomware dark web leak site (Screenshot credit: hackread.com)

The breach appears to be the work of someone with access to LockBit's infrastructure. It exposed chat logs, ransomware build records, configuration files, bitcoin wallet addresses and affiliate identifiers. Ransomware groups usually put others in the spotlight; this time they became the subject of the analysis themselves.

Rhys Downing of Ontinue's security operations center carried out the initial review of the leaked data. His work describes the operational methods of the LockBit affiliate program, including payload creation, ransom demand estimates and the handling of negotiations.

Downing's analysis also lays out the structured nature of the LockBit ecosystem, breaking down the group's infrastructure and showing how organized this criminal network has become.

Affiliate program: targets, pricing and tactics

One of the most important parts of the leaked data is an internal table known as “builds”, which records every ransomware payload generated by LockBit affiliates. Each record contains details such as the affiliate ID, public and private encryption keys, references to the targeted company and the declared ransom demand.

These figures were entered manually by the attackers themselves before they launched the payloads, which gives insight into their pricing strategies and target selection. Some ransom demands were so exaggerated that they appear to be test data, such as “303KKK” (303 million US dollars), but others showed a calculated approach. For example, one affiliate logged four builds with a combined declared value of over 168 million US dollars.

Low payout rate

Despite hundreds of ransomware builds and aggressive ransom demands, only 7 of 246 victims were recorded as having paid. Interestingly, there was no confirmation that a decryption tool was ever delivered. It remains unclear whether this is because the data is incomplete or because someone deliberately left it out.

The numbers make one thing clear: most victims do not pay, and even fewer see anything in return. This echoes the recent PowerSchool data breach, in which the education company paid cybercriminals an unnecessary ransom to prevent further fallout, only for the attackers to return with more demands, this time aimed at teachers and students.

In LockBit's case, the leaked database showed that the field flagging a payment was greater than zero in just 2.8% of affiliate cases. But even this is not conclusive proof that a ransom was paid.

Chat logs show a human, hostile side

According to the Ontinue threat report, more than 4,000 chat transcripts between LockBit affiliates and victims were leaked. These messages show a mixture of calculated pressure, emotional manipulation and direct threats. In several cases, affiliates refused pleas for mercy and doubled the ransom price without warning.

One affiliate replied to a company that claimed to be a small business: “Your size is irrelevant. Your data is valuable.”

Another conversation contained a message promoting LockBit's affiliate program in a bizarre recruitment pitch: “Want a Lamborghini, a Ferrari and lots of ti**y girls? Sign up and start your pentester billionaire journey in 5 minutes with us.”

These conversations show LockBit affiliates behaving more like pushy salespeople than stereotypical hackers or cybercriminals. Their tactics range from psychological pressure to warnings against involving law enforcement or insurers.

A professional criminal enterprise

What stands out in the data is the level of organization. LockBit uses modular payload builders, affiliate dashboards and a robust backend infrastructure. Affiliates can create configurations that control everything from which files are encrypted to whether the decryptor deletes itself after use.

They even ran a bug bounty program on one of their onion sites, offering rewards for vulnerabilities found in their infrastructure.

Law enforcement

The breach has also been linked to earlier law enforcement action. Operation Cronos, a campaign led by the UK's National Crime Agency and others, had identified user names tied to LockBit's business. Many of these user names were confirmed in the new leak and matched to the payload data.

Notable users include:

  • Ashlin, with the highest number of generated payloads
  • Rich, Melville and Merrick as other high-volume operators

This connection also confirms that the gang's core team and senior affiliates have remained consistent even after earlier takedown efforts.

Simply put, Ontinue's analysis of the breach data illustrates that LockBit operates like a franchise: the group provides the malware, affiliates carry out the attacks, and everyone takes a cut of the ransom.

The leak shows that many affiliates treat their attacks like sales calls: logging expected returns, managing negotiations and pressuring victims through structured steps. But, just like a failed sales pitch, most of these attempts seem to fall flat.

According to Saeed Abbasi, Manager of Vulnerability Research at Qualys, the breach is a valuable source of intelligence for defenders. “By understanding which systems were targeted and which tailored payloads affiliates matched to them, security teams can better prioritize patching, remediate overlooked systems and improve basic access controls,” he said.

LockBit's use of Tor remains an important defense on its end, making it difficult to take down its sites. However, the leak suggests that no system, not even a cybercriminal's, is truly safe.

The LockBit breach has pulled back the curtain on a ransomware operation that has affected companies worldwide. It confirms what security experts have suspected for years: ransomware groups operate like businesses, with affiliate onboarding, infrastructure management and financial planning.
