LockBit Implements New Technique By Leaking Victim Negotiations


While many ransomware groups come and go, LockBit seems to be
the one that persists. First discovered in September 2019 using the
name ABCD, and then gaining notoriety as LockBit in April 2020, the
group has outlasted many of its competitors.[1] This is
in part due to the innovation in the group’s tactics,
techniques, and procedures (TTPs), as well as the group’s
collective beliefs. An example of this is a decision made in
relation to the Russia-Ukraine conflict. While groups such as
Conti expressed their support for Russia during its invasion of
Ukraine, and were subsequently hacked by a pro-Ukraine individual,
LockBit took a different stance. In an official statement, LockBit
made their political affiliation clear: “For us it is just
business, and we are all apolitical. We are only interested in
money for our harmless and useful work.”[2] This has
also allowed them to skirt various regulations. By not claiming
allegiance to one government, LockBit has not been sanctioned under
the United States Office of Foreign Assets Control (OFAC)
list.[3] This enables U.S. organizations to legally pay
ransoms demanded by LockBit and attracts talent from sanctioned
groups, such as EvilCorp, to join the organization as
affiliates.[4]

LockBit’s Update to 3.0 – Introducing a Bug Bounty Program

LockBit is known as one of the most innovative ransomware groups
today. Recently, the threat group updated their
ransomware-as-a-service (RaaS) operation to “LockBit
3.0.” With this update, LockBit has introduced the first bug
bounty program established by a ransomware
group.[5] LockBit’s program offers rewards ranging
from $1,000 to $1 million for “all security researchers,
ethical and unethical hackers on the planet” to submit bug
reports for various categories. The creation of this bug bounty
program allows LockBit to tap into a pool of morally dubious
security researchers and hackers to improve their own security.
While the group could hire employees to achieve the goals outlined
in the bug bounty categories, it is often easier and cheaper, as it
is for most legitimate organizations, to outsource these efforts.

LockBit Leaks Victim Negotiation Chat Log

Figure 1: The victim’s page on LockBit’s leak site with the new “Open Chat” button.

Figure 2: Start of publicized ransomware negotiations posted to LockBit’s site.

As a part of this update, LockBit is continuing to release new
features. On Friday, July 22, 2022, Ankura Cyber Threat
Investigations & Expert Services (CTIX) analysts discovered a
new technique being utilized by LockBit.[6] In a leak
posted on July 19, 2022, LockBit publicized the chat history of
ransomware payment negotiations between the threat actors and a
victim. In the negotiations, LockBit initially gave a ransom demand
of $5 million, which is double what other prominent ransomware
groups have recently demanded.[7] Negotiations continued
from there, eventually dropping down to $3.75 million and ending at
“3,3kk” (likely meaning $3.3 million). The victim did not
pay the ransom demanded by LockBit, causing the data, as well as
this documented chat history, to be posted on their leak site. On
July 25, 2022, Twitter user @PogoWasRight reached out to
LockBitSupp (LockBit’s support account) to determine if the
chat logs were real. The threat actor confirmed it was a real chat
log with a victim, stating it is a “new functional” and
was intended to be published. In addition, Twitter user
@ValeryMarchive discovered that the same code used to show the chat log
button is present on other victims’ pages.[8] These
two factors strongly indicate that this pressure tactic
will be used again. Previously, ransomware groups have been known
to harass and attack researchers and journalists who post their
negotiations publicly, making this an extremely unusual move for
LockBit.

What Does This New Technique Mean?

The question many will ask is, why the addition of chat logs as
a “new functional” for LockBit? Ankura cyber experts
assess the new TTP to have several potential applications for
LockBit moving forward. Further, this TTP may
spread across the ransomware industry considering the
current geopolitical environment. The chat log posting by LockBit
is unique, as most analysts would expect a ransomware threat actor
to want to keep their negotiation tactics private. With the
release of the LockBit chat log, they have opened the revenue
generation aperture significantly. In this instance, the victim
organization was a publicly traded company, and several statements
made in negotiations would certainly diminish public faith in the
organization as well as highlight their inadequacies to their
investors and owners. Since the victim company did not pay, the
chat log publishing certainly attacks the victim’s credibility
and can be seen as a shaming tactic.

As indicated above, other use cases for LockBit releasing chat
logs include:

  • Increased motivation for future victims to pay in order to
    avoid the sharing of discrediting information.

  • Open forum feedback from both unethical and ethical hackers as
    well as security researchers – maturing a “ransomware
    consortium for ransomware professionals”.

  • The evolution of ransomware groups’ professionalization –
    developing “ransomware thought leadership”
    engagements.

The timing of this development, as Russia continues to attack
Ukraine, is notable. Several incident reporting timelines highlight
a significant spike in cybercrime activity and coordinated
cyber-attacks against Ukraine leading up to Russia’s
invasion.[9] As the conflict has progressed, released
cyber warfare information has decreased and cybercrime has
seemingly undergone a reset.[10] Some organizations have
remained neutral, such as LockBit, but others have chosen sides.
The significant spike in cyber activity leading up to Russia’s
invasion indicates most of the nation-state cyber actors and
aligned threat groups had a singular focus: Ukraine.[11]
The invasion shifted the ransomware market, as some organizations
opposed Russian affiliates, and offered an opportunity for growth
and expansion for ransomware “businesses”.

The LockBit chat log posting is a strong representation of
ransomware “industry” maturation and adaptation to the
market vacuum caused by conflict. LockBit has capitalized on the
global pandemic, while taking a business approach to ransomware,
and now has led the way for the industry with the addition of their
new tactics and platform, LockBit 3.0.

Footnotes

1. https://arstechnica.com/information-technology/2020/05/lockbit-the-new-ransomware-for-hire-a-sad-and-cautionary-tale/

2. https://twitter.com/ddd1ms/status/1498012695035011079

3. https://sanctionssearch.ofac.treas.gov/

4. https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions

5. https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/

6. https://twitter.com/Ian_Costa18/status/1550557785842229248

7. https://resecurity.com/blog/article/blackcat-aka-alphv-ransomware-is-increasing-stakes-up-to-25m-in-demands

8. https://twitter.com/ValeryMarchive/status/1551909806801391622

9. https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/733549/EPRS_BRI(2022)733549_EN.pdf

10. https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=4adddab37864

11. https://www.csis.org/analysis/cyber-war-and-ukraine
