Stages of LockBit Grief: Anger, Denial, Faking Resurrection?
Is LockBit a Kremlin Sock Puppet?
Is Moscow using the Russian-speaking LockBit ransomware group as a tool to disrupt American democracy?
Ransomware groups' reputation is that they wield their crypto-locking malware purely for money. They obtained $1.1 billion in cryptocurrency from victims last year in return for attackers' promises to provide a decryptor or delete stolen data.
While no publicly available evidence directly ties LockBit to the Russian government, Moscow has built a reputation for using whatever might be at its disposal in a multifaceted campaign to sow division across the West. What are the chances that one of the world's most prolific and trash-talking ransomware groups has escaped authorities' attention or demands?
"If I were a betting man, I'd put money on the Russian state using LockBit as a means of disruption," said cybercrime expert Alan Woodward, a visiting professor of computer science at England's University of Surrey. "Unlike North Korea, they're not going to launch ransomware for money - they are more interested in disrupting important infrastructure."
The coalition of law enforcement agencies that infiltrated and disrupted the LockBit operation on Feb. 19 later said of the group's leadership persona, LockBitSupp, that he isn't American, contrary to his past claims, and also that he "has engaged with law enforcement." One reading of that statement: LockBit has been working with or for Russian authorities.
Days after Western law enforcement agencies reported that "as of today, LockBit are locked out," LockBitSupp posted a long, rambling statement in which he claimed that the FBI had timed its takedown to prevent the group from dumping data stolen from Fulton County, Georgia, where a jury is poised to hear an election subversion case against former President Donald Trump and 18 co-defendants.
Parts of LockBitSupp's statement, including pokes at domestic U.S. flashpoints, read like Russian government propaganda talking points. "The stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming U.S. election. Personally I will vote for Trump because the situation on the border with Mexico is some kind of nightmare, Biden should retire, he is a puppet," the missive states.
Despite threats to dump Fulton County data on Thursday, a countdown timer to the putative publication of stolen county records disappeared from the group's relaunched data leak site prior to Thursday morning, for unstated reasons.
This isn't the first time LockBit has failed to deliver on its promises or that questions about the group's ties to the Russian state have emerged. In mid-2022, two initial access brokers reported cutting ties with LockBit, claiming LockBitSupp had been replaced by "a security apparatus appointee," said Yelisey Bohuslavskiy, chief research officer at RedSense. Other signs, he said, also point to LockBitSupp having been "a Russian security apparatus implant since 2021."
If so, this shouldn't be a surprise. Past efforts, especially by the GRU military intelligence agency, have featured plenty of fake personae, including in hack-and-leak operations. Experts also suspect Moscow is funding, if not running, multiple self-proclaimed "hacktivist" groups who trumpet their denial-of-service attacks against Ukraine and its allies.
"In general, the Russian state and their proxies will take any opportunities to spread disinformation and try to influence our democracy," University of Surrey's Woodward said. Still, finding evidence for such arrangements is a challenge. Moscow has "plausible deniability," since "their use of useful idiots to further their preferred rhetoric" means that many pro-Russian actors parrot Kremlin talking points without actually being obligated to do so. "We might suspect Russia, but we can't prove it beyond a reasonable doubt."
Fake It 'Til You Make It?
Rhetorically speaking, LockBitSupp has been attempting to turn the tables back on his disruptors since an international group of law enforcement joined under the banner of Operation Cronos to infiltrate the ransomware operation and seize its servers (see: Arrests and Indictments in LockBit Crackdown).
Embarrassingly for LockBit, authorities said they'd amassed copious intelligence on affiliates and private Tox chat messages between them and LockBit's administrators. They obtained and released free decryptors for a slew of victims. The U.S. also named and indicted two Russians based in Russia, and officials announced arrests in Poland and Ukraine.
Law enforcement further gave LockBit a taste of its own medicine when it trolled the group by replacing its data leak site with a look-alike version. Instead of revealing information about victims, the cops dished out details on the group and its affiliates and reported recovering stolen data from victims who'd paid for it to be deleted.
LockBit has already claimed to have restored operations by posting fresh victims, which RedSense's Bohuslavskiy described as LockBit "faking its return," in part by re-listing on its new data-leak site old victims, which the group subsequently deleted. "We are 99% sure the rest of their 'new victims' are also fake claims - old data for new breaches," RedSense said via X, formerly known as Twitter.*
Bohuslavskiy said much about LockBit isn't what it appears. In particular, he said that since at least last year, while the group claimed to be a ransomware-as-a-service operation working with affiliates, in reality it was directly paying "ghost groups" - outside experts largely drawn from the Zeon ransomware group - to launch attacks under its banner. He predicted that the disruption will drive these external "pentesters" to switch to a less notorious ransomware group, such as Akira.
Even if LockBit eventually winds down, the leadership may continue to pretend it's a going concern - in an attempt to snare every last potential victim and assuage its ego. The former, at least, is what experts saw with the Conti group after its disastrous decision to publicly back Russia's February 2022 invasion of Ukraine. As a result, many of the group's victims declined to pay any ransom.
While Conti subsequently splintered, the group's leadership continued claiming fresh victims to make it appear to remain functional - and to distance it from spinoffs.
What might LockBit's next bout of subterfuge - or an all-out reboot - look like?
A new report from Analyst1 says: "We expect LockBitSupp will encourage its affiliates to prey on high-profile targets, including Fortune 500 companies, hospitals, government and other organizations that will allow the gang to profit and make headlines, which it desperately needs to restore its once untarnished criminal brand."
Then again, talk is cheap, especially for ransomware groups, and perhaps doubly so if Russian intelligence might be using them for plausible deniability.
*Update March 1, 2024 14:48 UTC: This story has been updated to include new details.