LockBit’s dirty little secret: ransomware gang is failing to publish victims’ data

9 months ago AndyC

According to a fascinating report by Jon DiMaggio of Analyst1, who spent a year undercover gathering intelligence on the LockBit group, the ransomware gang is trying to cover up “the fact it often cannot consistently publish stolen data.

And that’s obviously a problem for a cybercriminal gang which is using the threat of publishing exfiltrated data as its primary lever for extorting a ransom from its victims.

DiMaggio claims that the problem “is due to limitations in [LockBit’s] backend infrastructure and available bandwidth.”

“LockBit recently updated its infrastructure to address these deficiencies. However, this is a gimmick to make it appear that it corrected the previously mentioned problem with posting victim data. It claims victims’ “FILES ARE PUBLISHED”. Often, this is a lie and a ploy to cover up the fact that LockBit cannot consistently host and publish large amounts of victim data through its admin panel, as promised to its affiliate partners. Further, over the past six months, LockBit has presented empty threats it failed to act upon after many victims refused to pay. Yet, somehow, no one has noticed.”

I guess if you steal a huge amount of data from many companies you have to ensure that you have the storage space and server infrastructure to leak it to the world.

As a result of these and other issues (DiMaggio says a deadline to release an updated version of the ranasomware has been missed, for instance), the group’s reputation has been tarnished and some of LockBit’s top affiliates have left for other ransomware groups in recent months.

My guess is that companies might be a lot less inclined to pay a ransom if they believed it was less likely that their stolen data was actually going to be published…

Sign up to our free newsletter.
Security news, advice, and tips.

It will be interesting to see if LockBit can address its infrastructure issue – perhaps by offering the data it has stolen from victimised companies via torrents instead.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.
Follow him on Twitter, Mastodon, Bluesky, or drop him an email.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts