{
	"id": "bed75940-1784-45ef-b757-3aade442a269",
	"created_at": "2026-04-06T01:30:15.259637Z",
	"updated_at": "2026-04-10T03:35:29.126162Z",
	"deleted_at": null,
	"sha1_hash": "6aa435fb6b3f719287cff66ed1bd905855d93579",
	"title": "LockBit 2.0 Interview with Russian OSINT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1058340,
	"plain_text": "LockBit 2.0 Interview with Russian OSINT\r\nBy KELA Cyber Team, Ben Kapon, Ben Kapon\r\nPublished: 2021-08-24 · Archived: 2026-04-06 00:39:03 UTC\r\nBy KELA Cyber Team\r\nEdited by Ben Kapon\r\nPublished August 24, 2021\r\nOn August 23, 2021, the YouTube channel Russian OSINT published an interview with the LockBit 2.0\r\nransomware gang in Russian. KELA translated the full interview.\r\nMain points:\r\nLockBit’s representative brags that no other RaaS affiliate program provides the same conditions for\r\naffiliates, including their own stealer for a victim’s data, paying ransoms directly to the affiliates’ wallets,\r\nand more. He claims LockBit 2.0 is the fastest ransomware.\r\nhttps://ke-la.com/lockbit-2-0-interview-with-russian-osint/\r\nPage 1 of 10\n\nAccording to LockBit’s representative companies did not become better at protecting themselves despite\r\nthe wave of ransomware attacks in recent years.\r\nThe ransomware ban on forums did not prevent LockBit from recruiting new affiliates. In fact, it only\r\nhelped them to compete with new RaaS programs since the latter are less recognizable without a presence\r\non the forums.\r\nA victim’s location is not important for LockBit, they care only about the company’s revenue. LockBit\r\nclaims it will not attack healthcare, education, charitable organizations, and social services.\r\nLockBit supposes the supply chain attacks (like the Kaseya attack by REvil) will happen more often in the\r\nnear future. 
\r\nLockBit supposes that the guiding principle behind companies’ decision whether to pay the ransom or not\r\nis potential loss calculations.\r\nThe COVID-19 pandemic and the migration to remote work have benefited LockBit, making it easier to\r\ninfect targets.\r\nTwo reasons for the prevalence of American and European companies among ransomware victims are, in\r\nLockBit’s opinion, the fact that cyber insurance is more developed in those countries, and that some of the\r\nworld’s wealthiest companies are located there.\r\nWhen asked how to protect from ransomware attacks, LockBit suggests that companies should employ a\r\nfull-time Red Team, regularly update their software, maintain employee awareness of social engineering,\r\nand invest 5-10% of the corporate budget in cybersecurity, depending on the size and complexity of the\r\ncorporate network.\r\nQuestion (Q): What does it mean - LockBit? Do you have a story behind this\r\nname?\r\nAnswer (A): “Lock” is a lock and “Bit” is a unit of measure for the amount of information in computer systems.\r\nQ: Why do you think you continue to work successfully while many other\r\nransomware groups are forced to close their business?\r\nA: Because we enjoy our work and we take anonymity seriously. \r\nQ: Compared to other ransomware - Maze, REvil, Conti, DarkSide - how does\r\nyour product differ from them from a technical point of view?\r\nA: On our blog in the onion network [TOR – KELA] there is a comparison table. We are in the first place in terms\r\nof the encryption speed and the speed of dumping the company data. The distribution and encryption processes are\r\nautomated. Just one [payload – KELA] launch on the domain controller is enough – after the shortest period of\r\ntime, the entire corporate network is encrypted.\r\nQ: The year 2021 has become a real headache for all big companies that have been\r\nattacked by ransomware. 
What is the reason we have not heard anything like this\r\nin 2019-2020?\r\nA: A lot of information in the press, big money – it attracts more and more people to this business. At the same\r\ntime, the risks are growing.\r\nQ: In general, how do you treat other ransomware-as-a-service [operations -\r\nKELA] - neutrally, positively, negatively?\r\nA: We have a negative attitude towards ransomware gangs that encrypt healthcare and educational institutions. We\r\nprefer to attack those who are, like us, “business sharks”.\r\nQ: What LockBit attacks do you think were the loudest ones?\r\nA: A lot of noise around the attack is bad. A silent attack no one knew about is good for the company’s reputation,\r\nand our income.\r\nQ: The Lockbit 2.0 update has recently appeared. What are the most significant\r\nchanges in a new version of the software?\r\nA: We continue to move in our own direction. LockBit, unlike other RaaS, is, first of all, a software complex and\r\nonly then a set of related services. Our mission is to provide a tool that will help to carry out an attack as soon as\r\npossible. The faster the attack is carried out, the less the risk that the attack will be repelled. It also means more\r\ncompanies can be encrypted in one working day. The most significant changes are the increase in encryption\r\nspeed without losing quality and, of course, a stealer [StealBit – KELA] that automatically downloads all\r\nimportant data of a company to the administrative panel. Clients of the affiliate program [affiliates of the RaaS\r\nprogram – KELA] no longer need to mess with servers and cloud storage services, wasting time on the routine job\r\nand subsequently losing data after a first complaint filed to the cloud provider. 
In addition, now all the company’s\r\ndata is stored in our TOR blog with the ability to download each file separately thanks to a listing [LockBit’s blog\r\nposts now include a live file explorer through which one can see the exact files that were leaked and download\r\neach one separately – KELA]. There is no other affiliate program on the planet with such an arsenal.\r\nQ: What does the organizational structure of LockBit look like? Does it resemble\r\nthe Italian mafia?\r\nA: It is a classic organized crime group, all the participants get their share [of income – KELA]. It doesn’t\r\nresemble the Italian mafia. In real life, it’s better when no one knows what we do, especially relatives. A human\r\nfactor is the weakest point of any criminal group.\r\nQ: Did you notice any changes in the level of companies’ security - now that the\r\nransomware topic is so widely discussed?\r\nA: No. Firstly, companies do not want to spend money on protecting a corporate network and hiring highly paid\r\nspecialists. Secondly, any protection measure can be bypassed.\r\nQ: How much have you earned in recent years in USD?\r\nA: Enough for a comfortable life. Money loves silence.\r\nLockBit’s interview on YouTube\r\nA: Security or the convenience of cashing out. Only in our affiliate program, a client communicates with\r\nencrypted companies by himself. We are not intermediaries and we cannot steal money from anyone – unlike what\r\nAvaddon, DarkSide, and REvil did. We do not limit our clients in their choice of currency, it all depends on their\r\npriorities, even Dogecoin [is accepted – KELA]. Payments are carried out exclusively to our clients’ wallets, and\r\nthen they transfer to us 20% of the ransom.\r\nQ: Special services of all the world are actively working to fight with lockers\r\nfollowing the attacks on Kaseya, Colonial Pipeline, JBS. 
Did you feel such pressure\r\non yourself from law enforcement?\r\nA: We did not. You can only feel the pressure of law enforcement when they have already come to you with an\r\nangle grinder and jumped into your window. It is impossible to pressure us by other methods.\r\nQ: REvil earlier declared they are apolitical. What is your attitude to politics? Do\r\nyou have similar views?\r\nA: For us, the unfriendly attitude of the West [towards Russia – KELA] is beneficial. It makes it possible to have\r\nsuch an aggressive business and feel calm operating from the CIS countries. \r\nA: All media are under control and not apolitical. In the West, Russia is represented as the aggressor and the main\r\nenemy. Therefore, for the West it is profitable, at any opportunity, to blame Russia for all sins in order to form a\r\nnegative image about the main enemy. These accusations are not necessarily based on something. The West is\r\nbehaving in the same way towards China. The United States of America were initially a colony of invaders that\r\nexterminated the indigenous population of America and prior to today has been regularly violating human rights.\r\nIt is not surprising the Black Lives Matter movement appeared in the US. Also, the US is essentially a printing\r\nmachine [of money – KELA] and thanks to this it behaves as a master of the world. Therefore, you should not pay\r\nattention to what the Western media say. The practice of fouling the trails on purpose exists.\r\nA: The attacks were carried out by some people who felt betrayed by their beloved forums who turned out to be\r\ncowards. After a while, the insult receded and these DDoS attacks were gone too. \r\nA: For us, it is easier because we have a perfect reputation and we are famous all over the world. For new affiliate\r\nprograms, it will be harder to announce themselves and earn a reputation during the information blockade. 
So, this\r\ntaboo on forums did us a favor. We do not need a large number of adverts because we know how the Indian\r\nfairytale about the [Golden] antelope has ended [an Indian fairytale with anti-greed morale – KELA]. When a\r\ncertain amount of quantity and quality is reached, we close the recruiting process. It is easy to open an affiliate\r\nprogram but it is an art to keep it open.\r\nA greedy Raja drowns in gold in an Indian fairytale about a golden antelope\r\nQ: How do you choose the next target for your attacks? What is the main factor?\r\nDo you have any preferences for the region where your potential target is located?\r\nA: The bigger the company’s capitalization is – the better. There are no [other] main factors. If there is a target,\r\nthen it needs to be “worked out” [attacked – KELA]. It does not matter where the target is situated, we attack\r\neveryone. There is no time and desire for preparing for an attack on a specific target because there is always\r\nenough work. Our targets are businesses, capitalists.\r\nQ: Do you have any moral code in terms of choosing targets? For example, not to\r\nattack healthcare or educational organizations.\r\nA: We do not attack healthcare, education, charitable organizations, social services – everything that contributes to\r\nthe development of personality and sensible values from the survival of the species perspective. 
Healthcare,\r\nmedicine, education, charitable organizations, and social services remain intact.\r\nQ: What victim companies have been paying a ransom more often than others?\r\nWhy in your opinion?\r\nA: The victims who are paying are the ones who do not make backups and poorly protect sensitive information,\r\nregardless of the industry.\r\nQ: Will the lockers go bankrupt if authorities around the world will introduce a\r\nban on paying ransoms at the legislative level for companies in the US, Europe,\r\nCIS, Asia, in the Middle East? Since the money for the maintenance of their\r\ninfrastructure will simply be nowhere to be taken.\r\nA: There will be no such law that will prohibit companies from paying a ransom. Often, the information [that was\r\nstolen] is strategically important. Losing this information is a huge loss for a company, it may cost a leading\r\nposition in the market. It can turn into serious damage to the country’s economy. Authorities won’t make such a\r\nrash step.\r\nQ: Could such events as the Olympic Games in Japan serve as a catalyst for an\r\nincrease of attacks on a certain region, in particular, the hosting country?\r\nA: For companies, it always makes sense to worry about their cyber security, regardless of the Olympic Games.\r\nThe timing doesn’t matter.\r\nQ: What do you think about REvil’s attack on Kaseya? Is it possible to expect a\r\nnew stage in the development of the ransomware business, namely, attacking the\r\nsupply chain? What is the likelihood that this kind of attack will occur more often\r\nin the near future?\r\nA: We think that REvil has an excellent advert who performed this attack. Such affiliates are always very valuable\r\nsince they form the image and authority of the affiliate program. Such attacks for sure will be carried out in the\r\nfuture since there is no flawless software. 
Vulnerabilities are endless and everywhere.\r\nQ: In your opinion, what guides the companies’ decision whether to pay the\r\nransom or not?\r\nA: Potential loss. However, sometimes you stumble on guys with principles. I’ll repeat myself – we are dealing\r\nwith capitalists in the first place, which means they assess the risks, probable benefits, or losses from the deal.\r\nA: Almost always. Our target is to streamline the attacks.\r\nQ: How did the global COVID-19 pandemic - and the mass migration to remote\r\nwork - affect you, and did it change your strategy?\r\nA: [It influenced – KELA] positively, of course. Many employees started working remotely from personal\r\ncomputers, which are easier to infect with a virus and steal account information used to access the companies.\r\nQ: Why are US and EU companies targeted more often by ransomware than\r\nothers? There is an opinion that one of the reasons is the language barrier:\r\ncompanies from countries with more complex languages are attacked less often; is\r\nit the reason?\r\nA: The insurance in this sphere [i.e. insurance in the case of ransomware – KELA] is more developed in the US\r\nand EU, and the largest number of the world’s wealthiest companies is concentrated there.\r\nQ: Sometimes lockers change their names and do a “rebranding”. Will this\r\ntendency persist, in your opinion?\r\nA: It becomes more difficult to enter this business, more money and knowledge are required. It makes no sense to\r\nchange the name if you are honest with your clients and hold your reputation dear. 
Trust is being earned in a\r\nmatter of years but is lost in a moment – like it was the case with Avaddon, DarkSide, and REvil.\r\nQ: Are you using any OSINT tools or technologies throughout the attacks?\r\nA: All available methods are being used.\r\nQ: In your practice, did you encounter cases, when a group of companies\r\nperformed a sensitive deal, and during those activities, a company paid a little\r\n“protection fee”, so that no one would intrude their systems and affect the deal, for\r\nexample at the moment when a merger decision was being made?\r\nA: This is a fantasy.\r\nQ: Probably you have watched my episode with a famous lawyer from New York,\r\nArkady Bukh. In that episode, we spoke about the fact that sometimes\r\ncybercriminals disclose their accomplices, for their own profit and a “green card”.\r\nDo you know any public cases, when partners “sold” their accomplices and handed\r\nover incriminating materials to special services?\r\nA: We don’t know of such cases. If you are caught, don’t get sad, hand over everything you’ve had.\r\nQ: Some time ago, Cisco Talos published an interview with your representative.\r\nWhat reactions and what results did you get from this interview? 
Did it meet your\r\nexpectations?\r\nA: We have got new affiliates.\r\nQ: What advice can you give to companies, so that they will not become LockBit’s\r\ntarget?\r\nA: Employ a full-time Red Team, regularly update all software, perform preventive talks with a company’s\r\nemployees to thwart social engineering, and most importantly – use the best ransomware-fighting antivirus –\r\nBitDefender.\r\nQ: If you could turn back time, would you be doing the same things you do now?\r\nA: Of course not. I sleep very badly at night. Money can’t buy happiness.\r\nQ: A billion dollars - is it enough to “leave the stage”?\r\nA: We love our job. The money is not the target – the process is the important thing. And of course, fortunate is\r\nnot the one who is rich, but the one who has a loyal wife [quote from a popular Russian crime movie “The\r\nBrother” – KELA].\r\nQ: How would you briefly describe your life’s path?\r\nA: The one of self-realization. You should do the things that you can do the best because you need to realize your\r\npotential – this is a basic necessity for every human.\r\nA: There were. Usually, they try to make you click a link using social engineering, but sometimes they send\r\njournalists to perform behavioral analysis and create a possible criminal profile.\r\nQ: In one of my interviews with Wojciech, a Polish offensive OSINT specialist, he\r\nsaid “Ransomware, first and foremost, bets on easy money and obvious access\r\npoints such as RDP, unpatched VPN, and trivial phishing - they all work in a\r\nrelatively similar way. ICS hacking requires specialized knowledge, understanding\r\nof protocols’ work. I highly doubt the possibility of locking critical infrastructures\r\nin some city.” In your opinion, is his claim true?\r\nA: True, but only partially. 
Those who have specialized knowledge and tools unavailable for many can mask their\r\nattacks, so that it would not be clear whose work it was – a professional or an average hacker.\r\nQ: The chastity belts’ locking story [an end of 2020 ransom demands aimed at\r\nusers of IoT chastity cages - KELA]. What sense do those attacks make, when\r\nsome lockers conduct them? Is this some PR stunt to make yourself known?\r\nA: It’s a ROFL [“rolling on the floor laughing” – KELA].\r\nA: It depends on the pentester’s free time. A good pentester doesn’t have time for negotiations.\r\nA: It’s 100% true. Almost all recovery companies do this.\r\nQ: When you became a dollar millionaire, how much did this feeling change you as\r\na person? What in your worldview has fundamentally changed?\r\nA: It gave me confidence in the future, and also the ability to pay for a very expensive surgery required for my\r\nbrother. Attitude to security and anonymity has fundamentally changed.\r\nQ: Sophos Labs’ experts wrote earlier that LockBit, before encrypting the victim,\r\ncalls GetUserDefaultLangID which determines the default keyboard setting. If\r\nthere are Russian, Ukrainian, Uzbek, Kazakh, Armenian, and other languages\r\nthen the target is not encrypted. Let’s suppose that many companies adopt this\r\npractice, does it mean that companies would not be encrypted anymore?\r\nA: The system’s language is checked, and not the keyboard setting.\r\nA: This claim is invalid because few can write the fastest encryption algorithm in the world; the software always\r\nrequires support and innovation, so technical savviness is extremely important.\r\nQ: In your practice, have you seen - from the inside - cases when companies\r\ndeceive their clients, collect more of their information than needed, sell it,\r\nmanipulate clients, and siphon money, using the acquired data? 
Can you talk\r\nabout such cases?\r\nA: Yes, we did. Usually, such companies pay the ransom significantly faster. I can’t tell the details, because our\r\nreputation is important to us and in case of ransom payment we destroy the company’s data, ensuring complete\r\nconfidentiality of the deal.\r\nQ: Not only in the CIS countries, but possibly in South America, the Middle East,\r\nEurope, and Asia as well, companies invest too little in their cybersecurity. Often,\r\nexecutives do not understand what risk management is, are not ready to allocate\r\nbudgets to train their infosec experts and employees, nor spend money on\r\nprotection of their infrastructure, pay adequate salaries, etc. Here is where many\r\nproblems begin. It’s no surprise that, sometimes, skilled infosec experts switch to\r\nthe “dark side”. If organizations, afraid of the possibility of being attacked by\r\nransomware, will start investing money in their cybersecurity, the lockers’ job will\r\nbecome harder due to stern competition between “blackhat” and “whitehat”\r\nexperts, which will surely make the global infosecurity market bigger. Do you,\r\ngenerally, support this attitude, that companies need to give more attention to their\r\ncybersecurity, invest more money in infosec?\r\nA: I don’t support it. Let them fire everyone – I need the cybersecurity specialists more.\r\nQ: What percentage of the corporate budget should, ideally, be spent on\r\ncybersecurity, so a company could calmly deal with its commercial affairs?\r\nA: It depends on the complexity of the corporate infrastructure and the amount of potential entry points. I think\r\nthat about 5-10% would be enough to make sure that the company will never fall victim to ransomware.\r\nQ: Final question - you have been cornered: would you fight to the death, or\r\nretreat to save your life?\r\nA: You should first make a commercial offer which is very difficult to refuse, and if it won’t help – fight to the\r\ndeath. 
But as we know, money defeats evil.\r\nSource: https://ke-la.com/lockbit-2-0-interview-with-russian-osint/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ke-la.com/lockbit-2-0-interview-with-russian-osint/"
	],
	"report_names": [
		"lockbit-2-0-interview-with-russian-osint"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439015,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6aa435fb6b3f719287cff66ed1bd905855d93579.pdf",
		"text": "https://archive.orkl.eu/6aa435fb6b3f719287cff66ed1bd905855d93579.txt",
		"img": "https://archive.orkl.eu/6aa435fb6b3f719287cff66ed1bd905855d93579.jpg"
	}
}