Lockbit hack exposes negotiations

Ransomware as a Service

Active since 2019, LockBit is a cybercriminal group that operates on a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy its malware in exchange for a share of the ransom payments. The group has been responsible for numerous high-profile attacks, targeting organizations across various sectors globally.

LockBit has been behind major attacks on entities like the UK’s Royal Mail, the Italian Internal Revenue Service, and major hospital networks in the U.S. Its malware is particularly dangerous due to its speed, encryption capabilities, and use of double extortion - demanding ransom not only to unlock files but also to prevent leaked data from being published. In the United States alone, LockBit was used in approximately 1,700 ransomware attacks between January 2020 and May 2023, with $91 million paid in ransom to hackers.

Breach

The breach is a substantial blow to LockBit's credibility and operational security, coming just months after Operation Cronos, a coordinated law enforcement action that temporarily disrupted LockBit’s infrastructure in February 2024. Although the group managed to rebuild and resume operations after that takedown, its reputation had suffered significant damage. Security researchers observed that many of LockBit’s recent claims of new victims were actually recycled incidents, either from its own previous attacks or taken from the activities of other ransomware groups - suggesting a decline in its real operational capacity.

The exposure of internal communications and affiliate information following this week’s breach could lead to increased law enforcement actions against the group and its partners. Furthermore, the leak provides valuable insights into the group's negotiation tactics and operational structure, which could aid in developing more effective countermeasures against such ransomware attacks.