Blog

What Does LockBit Want? Decrypting an Interview With the Ransomware Collective

On August 23, Russian OSINT, a Russian-language YouTube and Telegram channel focused on hacking, cybersecurity, and open-source intelligence released an interview with the operators of LockBit ransomware. Altogether, the interview provides an important window into the mentality of the ransomware operators, including their motivation, perceptions of money, law enforcement, and the U.S. media as well as how they go about attracting new talent and selecting targets.

August 31, 2021

LockBit on LockBit

On August 23, Russian OSINT, a Russian-language YouTube and Telegram channel focused on hacking, cybersecurity, and open-source intelligence released an interview with the operators of LockBit ransomware. Altogether, the interview provides an important window into the mentality of the ransomware operators, including their motivation, perceptions of money, law enforcement, and the U.S. media as well as how they go about attracting new talent and selecting targets.

LockBit Attacks: Tracking Its Ransomware Targets

Following recent turnover in significant ransomware groups, many of which were brought down by law enforcement officials, LockBit stands out not only for their longevity but also for its recent attack on Accenture and a new “LockBit 2.0” service. As of this writing, LockBit has publicly claimed 150 victims, according to Flashpoint research.

Graphical Overview of LockBit Ransomware Attacks by Industry and Company Size
Above: Flashpoint graphical analysis of LockBit ransomware attacks, covering industry and company size.
Graphical Overview of LockBit Ransomware Attacks by Industry
Above: Flashpoint breakdown of LockBit ransomware targets—by industry.
World Map of LockBit Ransomware Attacks by Country
Above: Flashpoint map of 150 LockBit ransomware attacks—by country.

Highlights From LockBit’s Russian OSINT Interview

On the pressure from law enforcement

LockBit:…We did not feel the pressure of the security forces. The pressure of the security forces can be felt only when they have already come to you with a warrant and jumped into your window. It is impossible to put pressure on us with other methods…”

Flashpoint Analysis

In the past year, Flashpoint analysts have observed several ransomware groups that were shut down or temporarily interrupted through law enforcement operations, including Clop (Cl0p), Egregor, and Netwalker. Other groups like Avaddon, Babuk, DarkSide, REvil, and most recently Ragnarok, as well as Iranian groups Fonix and Ziggy have allegedly shuttered their operations in part over law enforcement concerns. 

Given the turnover, takedowns, and planned shutdowns of ransomware groups following large cyber attacks like Kaseya, Colonial Pipeline, and JBS, you would think that LockBit would feel some heat. Even though intelligence operations are not publicly advertised because they could jeopardize ongoing investigations, the results are clear. Though they did not publicly announce a takedown of their infrastructure, the Department of Justice confirmed the recovery of $2.3 million in Bitcoin following the Colonial Pipeline ransom.

On the the law’s potential impact on its business 

“There will be no law that prohibits companies to pay a ransom. Information is often strategically important. Having lost [data to decryption], this means loss for a company or at least the leading position in the market. This will cause serious damage to the country’s economy. The authorities will not take such a drastic step… In the U.S., insurance in this area is very well developed and it is here that most of the richest world companies are concentrated.”

Flashpoint Analysis

LockBit highlights some very interesting points, including the multi-stakeholder approach to internet security. Blocking ransomers from cryptocurrencies has been difficult, though collaboration with foreign governments and establishing standards may help to disrupt adversaries ability to cash out. Ransomers cash in on illicit services in order to launder cash, requiring increasing creativity from defenders to identify and obstruct their services through cooperation with the public and private sector. 

LockBit on its perceptions of the U.S. and the paradox of Western media

“The non-friendly relations of the West are beneficial for us. It allows us to conduct such an aggressive business and feel calm being in the countries of the former USSR…

“…All media are controlled and not apolitical. Russia is presented in the West as an aggressor and the main enemy. Therefore, it is beneficial for the West, at any opportunity, to accuse Russia of all sins in order to form a negative opinion about the main enemy, and it is absolutely not necessary that these accusations be substantiated. Towards China the West behaves the same way.”

Flashpoint Analysis

LockBit exhibits the general attitude of most Russian-speaking cyber criminals, as observed through interviews, and online chatter. It is in their best interest to ensure that this relationship is sustained, as it provides cover, protection, and a basis to attack US companies. Following the Kaseya ransomware attack, President Biden called Russian President Vladimir Putin and warned that future attacks may be treated as a national security threat, not merely cybercrime. In June, the two leaders met face-to-face at a summit in Geneva where ransomware was also a topic of conversation. 

LockBit on how it attracts new talent despite advertising limitations on popular forums

Flashpoint Analysis

Interestingly, LockBit was one of the first to advertise on a new closed forum called RAMP, where ransomware is permitted. Although major ransomware groups have stopped advertising on XSS and Exploit, LockBit and REvil, have maintained their accounts on XSS and Exploit, and continue to actively log in to and/or post on both forums about diverse topics.

On Why LockBit’s Targets are Disproportionately Based in the U.S., UK, and Canada 

“The larger the company’s revenue, the better. There are no decisive factors, if there is a goal  then it needs to be worked out. The location of the tar
get does not matter, we attack everyone who comes to hand.  There is no time and desire to prepare for an attack on a specific target, as there is always enough work without this. Our priority sector for attacks is business capitalists.”

Flashpoint Analysis

On whether a billion dollars would be enough to leave the stage

“We love our job. Money is not the goal. The process is important. And of course, a happy person is not the one who has acquired a lot, but the one who has a faithful wife….

… I sleep very badly at night. Money can’t buy happiness.” 

Flashpoint Analysis

LockBit also claims in the interview that “money can’t buy happiness,” which questions their underlying motivations. Perhaps their attacks are part of a Neo-Soviet, Anti-Imperialism ideology where they are targeting capitalist conglomerates. Otherwise, it may be hard justifying an Anti-Capitalist stance if they are also doing it for the money. 

Track Ransomware Activity With Flashpoint