For years, LockBit was considered the premier ransomware operation, lauded for its professionalism and efficiency, but a significant leak of its 4.0 affiliate panel in May has revealed an operation riddled with disorganization and internal conflicts.
The leak provided unprecedented insight into the inner workings of a ransomware-as-a-service (RaaS) operation, exposing an opportunistic and chaotic ecosystem with over 4,000 chat messages between LockBit affiliates and their victims, thousands of ransomware builds, internal user tags, and extensive cryptowallet data.
A key revelation from the leak was the widespread disregard for LockBit’s own operational rules. Affiliates frequently ignored victims, supplied faulty decryption tools, and routed payments around the platform to avoid its standard 20% cut. In one instance, an affiliate blamed corrupted files on antivirus software and told a victim to wait for a working decryption tool because “the boss is very busy,” then stopped responding altogether.
LockBit’s explicit rule against targeting Russian organizations was also brazenly violated by affiliates. In February, two Russian government entities were attacked, prompting LockBit administrators to intervene, offering free decryptors to the affected organizations. The affiliate responsible was subsequently suspended and tagged with “ru target.”
The financial aspects of LockBit’s operations were equally muddled, with only 19 of the 159 identified Bitcoin wallets receiving funds. While some affiliates may have negotiated outside the LockBit platform to bypass fees, the overall success rate for collecting ransoms was remarkably low. One affiliate successfully extorted over $2 million from a Swiss cloud provider, but most walked away with nothing.
This disorganization does not make ransomware groups less dangerous; it makes them harder to defend against. Without consistent structure and operational standards, defenders cannot build a predictable playbook, incident response planning becomes harder, and paying a ransom carries no reliable expectation of getting data back.
The affiliate model appears to incentivize recklessness, with a surprising lack of repercussions for affiliates who breached terms of service. This lack of accountability may embolden actors to take greater risks, demand larger ransoms, and move on with minimal consequences, a dynamic that may extend to other RaaS ventures.
Comprehensive preparation is the only rational defense: robust network segmentation, vigilant monitoring, multifactor authentication, and timely patching of known vulnerabilities. Organizations must also rehearse their incident response plans on the assumption that a working decryptor may never arrive, even after a ransom is paid.
The LockBit leak is unlikely to be an isolated incident, and as law enforcement pressure intensifies, increased infighting within ransomware groups is anticipated. This internal strife could provide invaluable data for security researchers, leading to a decline in prominent groups and a proliferation of heterogeneous actors operating in short, unpredictable bursts.
Defenses centered around specific brand names create a false sense of understanding the threat. These names are often disposable identities designed for plausible deniability and short-term financial gain, offering a misleading sense of clarity in a constantly evolving threat landscape.
The LockBit 4.0 leak serves as a critical wake-up call, emphasizing that the ransomware threat is fragmented, opportunistic, and becoming more chaotic. Strategic preparedness is paramount for a successful defense, and organizations that fail to prepare will face heightened uncertainty due to the unpredictable nature of these attackers.
There is a possible upside. Diminished accountability for threat actors could make RaaS brands less successful, which in turn could narrow the set of technical tactics, techniques, and procedures (TTPs) that network defenders must counter. Researchers can also supply signals about how reliable a given actor is, helping victims limit their losses, and growing awareness of how this ecosystem actually works could make the ransomware business unprofitable.