What Does LockBit Want? Decrypting an Interview With the Ransomware Collective
On August 23, Russian OSINT, a Russian-language YouTube and Telegram channel focused on hacking, cybersecurity, and open-source intelligence released an interview with the operators of LockBit ransomware. Altogether, the interview provides an important window into the mentality of the ransomware operators, including their motivation, perceptions of money, law enforcement, and the U.S. media as well as how they go about attracting new talent and selecting targets.
LockBit on LockBit
LockBit Attacks: Tracking Its Ransomware Targets
Following recent turnover among significant ransomware groups, many of which were brought down by law enforcement, LockBit stands out not only for its longevity but also for its recent attack on Accenture and a new “LockBit 2.0” service. As of this writing, LockBit has publicly claimed 150 victims, according to Flashpoint research.
Highlights From LockBit’s Russian OSINT Interview
On the pressure from law enforcement
LockBit: “…We did not feel the pressure of the security forces. The pressure of the security forces can be felt only when they have already come to you with a warrant and jumped into your window. It is impossible to put pressure on us with other methods…”
Flashpoint Analysis
In the past year, Flashpoint analysts have observed several ransomware groups that were shut down or temporarily interrupted through law enforcement operations, including Clop (Cl0p), Egregor, and Netwalker. Other groups like Avaddon, Babuk, DarkSide, REvil, and most recently Ragnarok, as well as Iranian groups Fonix and Ziggy have allegedly shuttered their operations in part over law enforcement concerns.
Given the turnover, takedowns, and planned shutdowns of ransomware groups following large cyber attacks like Kaseya, Colonial Pipeline, and JBS, you would think that LockBit would feel some heat. Even though intelligence operations are not publicly advertised because they could jeopardize ongoing investigations, the results are clear. Though they did not publicly announce a takedown of their infrastructure, the Department of Justice confirmed the recovery of $2.3 million in Bitcoin following the Colonial Pipeline ransom.
On the law’s potential impact on its business
“There will be no law that prohibits companies to pay a ransom. Information is often strategically important. Having lost [data to decryption], this means loss for a company or at least the leading position in the market. This will cause serious damage to the country’s economy. The authorities will not take such a drastic step… In the U.S., insurance in this area is very well developed and it is here that most of the richest world companies are concentrated.”
Flashpoint Analysis
LockBit highlights some very interesting points, including the multi-stakeholder approach to internet security. Blocking ransomware operators from cryptocurrencies has been difficult, though collaboration with foreign governments and establishing standards may help to disrupt adversaries’ ability to cash out. Ransomware operators rely on illicit services to launder their proceeds, which requires increasing creativity from defenders to identify and obstruct those services through cooperation between the public and private sectors.
LockBit on its perceptions of the U.S. and the paradox of Western media
“The non-friendly relations of the West are beneficial for us. It allows us to conduct such an aggressive business and feel calm being in the countries of the former USSR…
“…All media are controlled and not apolitical. Russia is presented in the West as an aggressor and the main enemy. Therefore, it is beneficial for the West, at any opportunity, to accuse Russia of all sins in order to form a negative opinion about the main enemy, and it is absolutely not necessary that these accusations be substantiated. Towards China the West behaves the same way.”
Flashpoint Analysis
LockBit exhibits the general attitude of most Russian-speaking cybercriminals, as observed through interviews and online chatter. It is in their best interest to ensure that this relationship is sustained, as it provides cover, protection, and a basis for attacking US companies. Following the Kaseya ransomware attack, President Biden called Russian President Vladimir Putin and warned that future attacks may be treated as a national security threat, not merely cybercrime. In June, the two leaders met face-to-face at a summit in Geneva where ransomware was also a topic of conversation.
LockBit on how it attracts new talent despite advertising limitations on popular forums
“It is easier for us because of our stellar reputation and our partner program is well-known all over the world. It will be difficult for new partner programs to establish themselves and gain any reputation due to the existing informational blockade. The ban of ransomware on forums was actually beneficial to us. We don’t need many people to reach out to us because we know how the famous Indian fairytale about the Golden Antelope ends. When a certain quantity and quality is reached, we close the recruitment; it is easy to open an affiliate program, but not letting it close is actually an art.”
Flashpoint Analysis
Interestingly, LockBit was one of the first to advertise on a new closed forum called RAMP, where ransomware is permitted. Although major ransomware groups have stopped advertising on XSS and Exploit, LockBit and REvil have maintained their accounts on both forums and continue to actively log in to and/or post on them about diverse topics.
On Why LockBit’s Targets are Disproportionately Based in the U.S., UK, and Canada
“The larger the company’s revenue, the better. There are no decisive factors, if there is a goal then it needs to be worked out. The location of the target does not matter, we attack everyone who comes to hand. There is no time and desire to prepare for an attack on a specific target, as there is always enough work without this. Our priority sector for attacks is business capitalists.”
Flashpoint Analysis
While LockBit has claimed that location is not important, other ransomware groups like BlackMatter have claimed they are looking for network access in Five Eyes countries. As previously highlighted, the relationship with the US is being leveraged to their advantage. The location of the victim is not important to LockBit, as long as it is not Russia or any other CIS country.
On whether a billion dollars would be enough to leave the stage
“We love our job. Money is not the goal. The process is important. And of course, a happy person is not the one who has acquired a lot, but the one who has a faithful wife….
… I sleep very badly at night. Money can’t buy happiness.”
Flashpoint Analysis
LockBit also claims in the interview that “money can’t buy happiness,” which questions their underlying motivations. Perhaps their attacks are part of a Neo-Soviet, Anti-Imperialism ideology where they are targeting capitalist conglomerates. Otherwise, it may be hard justifying an Anti-Capitalist stance if they are also doing it for the money.
Track Ransomware Activity With Flashpoint
Data and analysis for this article were discovered directly through analyst research in the Flashpoint platform. Sign up for a free trial and see firsthand how Flashpoint can help your organization access critical information and insight into ransomware actors and their tactics, techniques, and procedures (TTPs).