top of page
  • Writer's pictureSarah Anderson

Ransomware Groups - More Organized Than You Think

A critical eye examining LockBit’s Ransomware as a Service organization and its growth since the January 2020 announcement of LockBit 2.0 might see the beginnings of a nefarious business soon to equal Amazon-level power. Except more dangerous than Amazon’s market dominance in retail is the reality that criminal cyber elements threaten all market sectors (not just retail).

In January 2020, the Russian-born LockBit organization announced its 2.0 affiliate program, bragging that it was offering the fastest encryption software in the world, able to erase all logs noting its process, and enabled with a data stealing app called StealBit.

In March 2022, LockBit ransomware advertised LockBit 3.0, which included a triple-layered extortion tactic. The first level of extortion came from the ransom demand, the second from the threat to leak the victim’s stolen data, and the third by the launch of a denial-of-service attack (rendering a network inoperable by rapidly flooding it with activity). A fourth layer of extortion is then lawfully imposed by government agencies and court systems, once news of the data leak is widespread.

Much like any other (legitimate) conglomerates, LockBit has a website, a blog, designated public relations personnel, an affiliate program, profit-sharing, and operating procedures. LockBit negotiates individually with its affiliates, requires each affiliate to meet minimum capability and behavioral standards (be able to access the victim’s core server) and is believed to keep 20-40% of the affiliates’ profits for use of its platform.

With its loyalty to Russia and any country hesitant to join NATO, LockBit will not allow its affiliates to attack networks operating in languages often spoken in these countries: Syria, Azerbaijani, Georgia, Kazakhstan, Moldova, Turkmenistan, and Uzbekistan. Aside from national loyalties, LockBit’s affiliates are also prohibited from victimizing children’s hospitals, recently apologizing to Toronto, Canada’s SickKids hospital and issuing the treatment center a free decryptor:

“We formally apologize for the attack on and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program.”

Insurance carriers, which meticulously study market projections and profit analytics, are expanding exceptions to coverage for groups just like LockBit, who carry allegiance to foreign adversaries of the United States. While cyber insurance was “easy money” for carriers in 2012, Zurich’s CEO recently called cyber-attacks “uninsurable.”

Failing to ensure basic cyber hygiene in 2023 may be equivocated in terms of stupidity to taking a hiking trip through the North Korean mountains carrying a stadium-sized American Flag. Although getting started feels like stepping on a scale the morning after Thanksgiving, the requisite actions are not complicated: hire a consultant to evaluate your business’s current posture, recommend and prioritize improvements, adjust internal budgets, and begin implementing remedial security measures according to financial resources. The U.S. Government and certain states are so terrified of its private sector’s lack of preparedness they are giving away free security software and vulnerability assessments to accelerate private industry’s focus on cybersecurity.

If it helps, think of organized ransomware groups as market competition, hedging your business’ cybersecurity investment on your real competitor’s failure to secure its networks before you.

26 views0 comments


Post: Blog2_Post
bottom of page