LockBit's Double Cross: Ransom Paid, Data Remains Locked Away

 

In exchange for the payment of a ransom, LockBit ransomware blocks access to the computer systems of its users. With LockBit, all computers on a network can be encrypted by encrypting them, confirming that the target is valuable, spreading the infection, and vetting potential targets. 

Enterprises and other organizations use many types of ransomware to carry out highly targeted and self-piloted cyberattacks. The cybersecurity landscape, which is always changing, is a dangerously competitive one. Adversaries lurk in the shadows and are eager to exploit vulnerabilities and disrupt the operations of organizations. 

There are many threats out there, but LockBit is one of the most formidable, as it has a dark history of evolution, and has been known to target large enterprises across various industries. Key Characteristics of LockBit During the selection of its targets, Lockbit meticulously assesses their financial capacity, as well as their potential disruptions, before choosing the best ones. 

Consequently, there is a concentration on several large businesses across healthcare, education, financial institutions, and government entities as a result of these factors. The automated vetting process can help in selecting targets and making sure they meet a certain set of criteria so that the vetting process can be used. 

There is one surprising aspect of Lockbit's strategic avoidance plan, which leads us to believe that the firm does not target organizations inside Russia and other Commonwealth countries for the same reason. The Lockbit ransomware service operates on what is known as the Ransomware as a Service (RaaS) business model, an operational model that allows affiliates to license the ransomware at a fee, and then they share the ransom payment between themselves and Lockbit as a whole. 

According to Graeme Biggar, the director general of Britain's National Crime Agency (NCA), LockBit was the most prolific and harmful ransomware group operating over the last four years. The group targeted thousands of organizations around the world with its ransomware. An extortion payment was required to obtain the decryption key and to delete the data after the criminal enterprise encrypted the devices on the victim’s computer network and/or stole data from the devices, and demanded that it be paid for the decryption key. 

In recent years, officials have consistently advised against making extortion payments of this type. According to them, such payments not only fund the criminal ecosystem, but there is no guarantee that the decryption key will function due to sloppy coding, and the criminals should not be trusted merely by the promise they will delete victim data. 

It has been revealed by the NCA-led operation that some of LockBit's data belonged to victims who had paid ransom to the threat actors. This last fact has been emphasized by the NCA-led investigation. It was stated in the NCA report that, despite what the criminals have promised, paying a ransom does not guarantee that data will be deleted, even if the ransom is paid. 

Aside from the information gathered from the takedown, the agency also plans to release additional information about the gang's finances and the administrator LockbitSupp, over the remainder of the week based on the intelligence it gained from the takedown.