{
	"id": "a5078920-6026-4b8a-a307-be76523180a1",
	"created_at": "2026-04-06T00:13:13.275018Z",
	"updated_at": "2026-04-10T03:37:33.083402Z",
	"deleted_at": null,
	"sha1_hash": "6e5c42318f536dc6931929ec95020fcff206919e",
	"title": "Ransomware Diaries: Volume 1 | Analyst1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13068632,
	"plain_text": "Ransomware Diaries: Volume 1 | Analyst1\r\nBy Jon DiMaggio\r\nPublished: 2023-01-16 · Archived: 2026-04-05 18:58:42 UTC\r\nI gotta story to tell…\r\nThe LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The\r\ngang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and\r\nmedia outlets have documented many LockBit attacks, while security vendors offer technical assessments\r\nexplaining how each occurred. Although these provide insight into the attacks, I wanted to know more about the\r\nhuman side of the operation to learn about the insights, motivations, and behaviors of the individuals on the other\r\nside of the keyboard. To prepare for this project, I spent months developing several online personas and\r\nestablished their credibility over time to gain access to the gang’s operation.\r\nThe LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists\r\ntoday.\r\nOver the months, I spent my time on criminal forums and private chat groups used by ransomware criminals and\r\ngained inside knowledge about the LockBit gang itself. I identified the accounts and infrastructure used by the\r\ngang and the criminals they interacted with. I could see the tools and resources used to manage and conduct\r\nattacks from the adversary’s perspective. More importantly, I learned about the opinions, personal habits,\r\nmotivations, and insecurities of the human criminals behind the operation. Then, I took many of the public events\r\nand high-profile attacks to include theories previously made about the LockBit gang and tried to capture the side\r\nof this very interesting story.\r\nNext, I will walk through the entire lifecycle of LockBit activity from September 2019 until January 2022. 
I will\r\ndetail the gang’s criminal operation and add LockBit’s version of events to tell the story, as it has not been detailed\r\nbefore. In conducting this research and analysis, I found several mistakes made in attributing the early activities of\r\nthe LockBit gang, which I will discuss. Finally, I will provide a complete intelligence assessment focused on my\r\nfindings, open-source information, technical data, and human intelligence gained while profiling LockBit itself.\r\nIf you are not interested in the larger story, you may want to skip to the “Unmasking Lockbit” section near the end\r\nof this report for a summary of unique findings derived from the human intelligence I gained from my interactions\r\nwith Lockbit. However, the screenshots and details surrounding each conversation are included throughout the\r\nbody of the report itself in the order in which they took place.\r\nBefore I begin, here are a few things I learned about LockBit and its operation over the course of my\r\nresearch:\r\nThe Prequel\r\nhttps://analyst1.com/ransomware-diaries-volume-1/\r\nPage 1 of 54\n\nLittle information exists about the LockBit gang before September 2019, when their operation began. As with any\r\nskill or trade, becoming proficient in what you do requires practice and experience. For example, I know\r\nransomware groups like DarkSide and REvil began as affiliates supporting more mature Ransomware as a Service\r\n(RaaS) programs before branching out independently. Similarly, the criminals behind the LockBit gang likely\r\nstarted their illicit careers before the LockBit operation began.  \r\nToday, an information gap exists, making it difficult to clarify what led these criminals to begin the LockBit\r\noperation. Still, one theory exists. 
Some security vendors believe LockBit is associated with the now-defunct\r\nransomware known as Gogalocker and Megacortex.4,5,6 These ransomware operations began in January 2019,7,8\r\nsix months before we first saw LockBit ransomware in the wild. The security vendor based the attribution on the\r\nfollowing evidence:\r\nTargeting: Similar victims\r\nTool-use: The use of PowerShell to execute commands and run scripts\r\nSelf-spreading mechanism: The use of Address Resolution Protocol (ARP) tables to identify victim hosts\r\nand the use of the Server Message Block (SMB) protocol to identify and spread the ransomware across\r\nshared resources/networked devices throughout victim environments.9\r\nAs an analyst, I have issues with the supporting evidence used to make this attribution.\r\nPrevious Attribution?\r\nYou don’t always need to conduct attribution, but when you do, it needs to be unbiased and developed from solid\r\nevidence. When done incorrectly, it creates a snowball effect, misleading future analysis built on false attribution.\r\nI was intrigued when I first read the attribution linking LockBit to Gogalocker and Megacortex because I have\r\ndone extensive research on all three and previously presented on Gogalocker at the 2020 RSA Conference.10,11 I\r\nwitnessed firsthand the targeting, tools, and ransomware behaviors that other security vendors would eventually\r\nuse to associate the activity with one another. Before we continue, let’s vet the attribution used to associate\r\nLockBit with other ransomware variants since it’s essential to understand where LockBit may have originated.\r\nFirst, let’s discuss the attribution based on how the ransomware spreads. Today, many ransomware variants use\r\nARP tables to discover victim hosts and SMB to spread across shared network resources within the environment.\r\nIn 2019, however, human attackers usually conducted ransomware propagation, manually working within the\r\ncompromised victim environment. 
At that time, it was less common to use self-propagation techniques. This is\r\nlikely why the security vendor made the attribution, but in reality, even then, this technique was not unique.\r\nWorms and viruses had used this same technique to self-propagate long before these ransomware variants existed.\r\nFurther, older ransomware like WannaCry took advantage of similar protocols for host discovery and self-spreading. Admittedly, it is not a one-for-one comparison, but the protocols, methods, and development ideas\r\nbehind it have existed for a long time. The use of PowerShell, also used as attribution evidence, is seen in every\r\nransomware attack I have investigated. It’s a tool present on every Windows operating system. These methods and\r\nresources are common, making them weak for attribution purposes.\r\nLast, the vendors stated that the targeting seen in the attacks supported their attribution. When I first read this, I\r\nthought the security vendors intended to communicate that the similarities in targeting originated from the specific\r\ncode or methods used within the ransomware binary itself to target operating system files. This could be a more\r\nsubstantial technical point for attribution if novel. However, it seems the attribution stems from a more general\r\nsense describing the broader overlap in victim targeting.\r\nIn terms of ransomware attacks, victims are almost always targets of opportunity, not design. Remember, the\r\nattacker wants to get paid and seeks access to any victim they deem profitable enough to pay the ransom. Further,\r\nmany Russian-based ransomware gangs, like LockBit, have strong relationships with other gangs, who sometimes\r\nshare resources and even victim data.12 So, using targets and industries seen across multiple ransomware\r\noperations is generally not convincing enough to support strong attribution. 
Additionally, in November 2021,\r\nEuropol arrested twelve men for supporting the Gogalocker ransomware operation.13 Not one of the men arrested\r\nclaimed to have any association with LockBit. If they had, they likely would have used the information as a\r\nbargaining chip to minimize the sentence they were facing. For these reasons, I believe the attribution made\r\nbetween LockBit, Gogalocker, and Megacortex was made in error.\r\nPART I: All Your Important Files Are Encrypted!\r\nThe LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” The\r\nsecurity community dubbed it “.abcd” because the ransomware payload appended the characters “.abcd” to each\r\nfile it encrypted. However, the ABCD ransomware was far less sophisticated than later-developed LockBit\r\nvariants. Nevertheless, while the ransomware was slow, simple, and less advanced, the attacker succeeded at compromising and\r\ninfecting victims. At the time, the operation did not have the infrastructure to host chat-based negotiations as it\r\ndoes today. Instead, the ransom note instructed victims to contact them by email, as seen in Figure 1 below.15\r\nFigure 1: Early ransom note delivered with .abcd ransomware\r\nOver the first six months of activity, LockBit primarily extorted victims in the United States, Germany, France,\r\nand China.16 However, since they did not use a victim data leak or name-and-shame site at the time, we only know\r\nof victims who publicly reported an incident, leaving us with a limited view of the attack volume. To learn more\r\nabout the early operation, I identified victims who posted to support forums seeking help after being infected with\r\n“.abcd” ransomware in late 2019. The first was a small firm with 17 computer systems within its enterprise, and\r\nthe second with just four systems. 
\r\nFigure 2: LockBit victims seeking help after their systems were encrypted by ABCD ransomware.17\r\nBoth victims confirmed that the attacker used the known .abcd-related email addresses seen in Figure 1 to\r\nnegotiate the ransom payment. During the negotiation, the adversary demanded three bitcoin (BTC) for the key\r\nnecessary to decrypt victim files. After several days of not paying the ransom, the criminal dropped the price to 0.5\r\nBTC, which one of the two victims paid. After payment, LockBit provided the decryptor, and the victim recovered\r\nall of their data. With only four systems in total, the second victim decided to rebuild their environment. Although the\r\nvictim used only four systems to run their business, they stated that the attacker also encrypted their backups and their\r\nDropbox account, resulting in a loss of customer data.\r\nWhile this is only two victims, based on available information, the attacker asked most victims for a payment of\r\nbetween one and three bitcoin. At that time (June-December 2019), the cost of one bitcoin fluctuated between\r\n$7,000 and $11,000 USD,18 making the maximum demand around $30,000. This was far less than the\r\nmultimillion-dollar ransom LockBit demands today.\r\nRaaS Program\r\nSeveral months after the ransomware operation began, the adversary behind the attacks made changes to their\r\nname and branding. 
Personally, I don’t like the name “.abcd ransomware.” Apparently, LockBit did not either\r\nbecause, after only several months of activity, the adversary behind the attacks decided to change its name.\r\nUltimately, they updated their code, altering its behavior to now append “.lockbit” to each file, and began to\r\nreference the name “LockBit” within the ransom note, completely doing away with the .abcd reference.\r\nAdditionally, the adversary began using their own infrastructure to support victim negotiation. This is how the\r\nname LockBit came to exist and is the branding the crime syndicate behind the operation still goes by today.\r\nFigure 3 displays the original ransom note (left) from November 2019 depicting the “.abcd” ransomware and the\r\nupdated LockBit ransom note (right) from February 2020 showing the change using the LockBit name\r\nand infrastructure.\r\nFigure 3: Ransom notes depicting changes incorporating the name LockBit\r\nNote that during the first five months of the operation, LockBit conducted attacks themselves without the support\r\nof hacker affiliates. While the adversary keeps 100% of profits made in a closed program, there are fewer attacks\r\nthan in a RaaS program in which many affiliates take part in the operation for a share of the ransom profit.\r\nHowever, LockBit revamped its business model to grow and scale and began its RaaS program in January\r\n2020.19\r\nThe new RaaS campaign had several attractive features to tempt affiliates to join the operation. The LockBit gang\r\nclaimed their ransomware payload had fast encryption capabilities and could self-propagate within a victim\r\nenvironment. As mentioned, at the time, most RaaS operations required the affiliate to manually enumerate and\r\nspread ransomware, which often took days to weeks to complete. 
Evidence to support the claim came in April\r\n2020, when LockBit compromised a victim organization through its web server.20,21 LockBit gained access by\r\nexploiting unpatched, vulnerable VPN software.\r\nNow, with access to the internal network, LockBit brute-forced an administrative account to acquire the\r\ncredentials necessary to deploy ransomware and infect the first host, patient zero. Next, to identify other hosts in\r\nthe target environment, patient zero performs an ARP request to obtain the MAC addresses of connected hosts and\r\ntheir associated IP addresses listed in the ARP table, allowing patient zero to connect to each system. To connect\r\nwith other known systems beyond those in its local subnet, patient zero uses the SMB protocol to identify\r\nnetworked devices and shared network resources, such as file servers, domain controllers, and other high-value\r\ntarget systems. This should sound familiar because it is the technique I discussed earlier, which security vendors\r\nused for attribution.\r\nWith the knowledge and connectivity to reach most hosts throughout the environment, patient zero tells all\r\nsystems to execute a single command. The command instructs the hosts to connect to an external attacker-controlled website. Then, based on the victim’s browser and operating system values, it downloads one of two .png\r\nimage files from the site, delivering the ransom payload throughout the victim’s environment. From start to finish,\r\nthe attack took only several hours to gain privileged access, enumerate the network, and deploy the ransom\r\npayload. At the time, it was one of the fastest ransomware infections observed.\r\nIronically, this dated tactic used to propagate the ransomware gave LockBit the upper hand over many of its\r\ncompetitors. When it worked, this feature provided the attacker with two advantages. 
First, they do not have to\r\nspend the time and resources working to discover and infect systems with the ransom payload. Second, the\r\nadversary can increase their attack volume. Now, they can conduct several attacks in the time it took to\r\nimplement a single attack. However, for the attack to work at this speed, the adversary needs to gain access and\r\nadmin rights quickly, and it is only effective if the target’s defenses cannot detect the activity or the ransom payload.\r\nThis was just one attack, and while most breaches don’t run this smoothly, it showed us what was coming.\r\nLockBit’s end goal was to create fast, efficient automated ransomware attacks that require little technical hacking\r\nexperience.\r\nDuring the first year of RaaS activity, other victims and security researchers posted details about similar attacks.\r\nWhile all relied on the same ransomware payload, some attacks included other tools and resources. For example,\r\nin at least one incident, LockBit used a publicly available keylogger to capture the keystrokes of the target users.22\r\nThe gang also used a custom screensaver, which locked out the legitimate user and required an attacker-specified\r\npassword to regain access to the desktop.\r\nThe Summer Paper Contest!\r\nIn the early days, LockBit was not well known. They were one of many ransomware gangs attempting to gain\r\nrecognition in a community of organized criminals. The individual leading LockBit needed a way to communicate\r\nand market the LockBit brand. The problem was LockBit could not post ransomware ads using traditional\r\nmarketing and social media platforms. Even if it could, that would not reach the criminal demographic relevant to\r\na ransomware gang. However, underground criminal forums and markets are full of criminals LockBit wished to\r\nattract to support its operation and generate revenue for the gang. 
For these reasons, senior members of the gang\r\ncreated the LockBitSupp persona. LockBitSupp, short for LockBit Support, began interacting and posting on the\r\nforums, participating in conversations, and socializing with other criminals. Still, the persona was unknown and\r\nhad little criminal credibility at that time.\r\nTo change this, LockBit ventured beyond the borders of the traditional ransomware community and donated\r\nmoney to sponsor a “Summer Paper Contest” on a Russian hacking forum in June 2020. To win the contest,\r\napplicants would conduct research and write a paper on various hacking topics, shown in Figure 4.\r\nFigure 4: LockBit sponsors hacking article contest\r\nMembers of the forum community could then read and vote for the paper they liked most. Authors of the top five\r\npapers received a monetary prize ranging from $1,000 to $5,000. Then, from the top five, LockBit selected the\r\npaper they liked best for an additional prize. This is one of several examples demonstrating how LockBit differs\r\nfrom most ransomware attackers we have seen to date.\r\nWhile atypical, this helped LockBit grow its reputation within the criminal underground.\r\nRansom Cartel: I’m gonna make him an offer he can’t refuse\r\nAlso in June 2020, LockBit and four other ransomware gangs began to announce a new partnership to form the\r\nworld’s first ransomware cartel. Forming a cartel would benefit its associated gangs, who would have greater\r\nresources and funding/revenue and would present a greater threat to targeted organizations than a single ransomware\r\ngang, making this a scary scenario. 
The five gangs that formed the cartel can be seen in Figure 5 below:\r\nFigure 5: Ransom Cartel from 2021 (Spider names from CrowdStrike)\r\nCartel Analysis\r\nAfter I initially heard the claim, I analyzed all the relevant data at the time. I found the groups did share resources,\r\nsuch as victim data and infrastructure, and collaborated with one another. For example, the LockBit gang, among\r\nothers, shared stolen victim data with Twisted Spider, who ran the Maze \u0026 Egregor ransomware operations.23 Twisted\r\nSpider posted LockBit’s victim data to their leak site to further pressure and extort the victim. Data and\r\ninfrastructure were not the only things the gangs shared with each other. They also shared their tactics. For\r\nexample, Twisted Spider is the first ransomware gang to steal sensitive data and use it for a second extortion\r\ndemand. LockBit was one of the early adopters of this tactic and incorporated it into their own attacks. LockBit\r\nalso is one of the first gangs to encrypt the master boot record, in addition to system data, which several other\r\ncartel gangs incorporated into their attacks. LockBit even took design aspects from code development originally\r\nseen in Twisted Spider’s Egregor ransomware, such as unique anti-analysis techniques integrated into their\r\npayload.24\r\nDespite claims of forming a cartel, things are not always as they appear. After conducting extensive analysis, I\r\nfound that the five ransomware gangs invented the cartel as propaganda to boost their criminal credibility and gain\r\nname recognition. You see, to be an actual cartel, there must be two primary components: leadership and money.\r\nThe pretend cartel had neither. While the cartel gangs made a lot of money, there was no revenue-sharing model\r\nbetween them. Instead, each kept the money they extorted and shared only the revenue within their operation.\r\nTwisted Spider was the cartel’s voice, giving the image that it was the central leader directing the gangs within.\r\nThey frequently made statements, published press releases, and talked to outlets, such as Bleeping Computer,\r\nabout the cartel. However, despite their mafioso dreams, it was not the “Pablo Escobar” of ransomware. Instead,\r\nthey were somewhere between a clown and a cheerleader, desperately seeking the media’s attention. Despite all their\r\nclaims, I found no evidence to support that any other gangs took direction from Twisted Spider or anyone else.\r\nIn short, there was no cartel. However, the fact that these criminal organizations worked and collaborated is\r\nsignificant. This was when I first realized how small the ransomware community really is. Many ransomware\r\ncriminals operate and work with one another.25 You can read the full story and my analysis on the ransom cartel in\r\nAnalyst1’s white paper “Ransom Mafia,” which you can find here.26\r\nConsumer Reviews Matter — The Wexford Complaint\r\nYou can see that reputation was important to the LockBit gang based on their participation in criminal forums and\r\nthe cartel. However, as a new RaaS provider, LockBit struggled to gain the momentum and popularity it sought\r\nover its first year of operation. To be a successful RaaS provider, LockBit needed to attract the top affiliates who\r\nwould conduct attacks leading to ransom payouts. However, several other more established ransomware gangs,\r\nsuch as REvil and Twisted Spider, existed at the time that also ran RaaS operations. LockBit marketed their RaaS\r\nacross criminal forums to establish themselves and strived to be one of the most respected and known criminal\r\ngangs.\r\nAffiliates rely on criminal forums and markets to obtain reviews of other criminals and their service offerings.\r\nThey use the information the same way you would a consumer reviews site, such as Yelp or Google reviews, to\r\ndetermine the reputation of a business. Also similar, it only takes a few bad reviews to tarnish your reputation.\r\nLockBit certainly understood the importance of having a solid reputation, but it misjudged the\r\nsignificance of addressing criticism and complaints on the forums. You see, in the Russian criminal ecosystem,\r\ncriminals use an organized arbitration process to address issues and grievances between one another.27\r\nIn September 2020, an individual using the alias “Wexford” filed an arbitration claim against LockBit on an\r\nunderground Russian forum.28 In the claim, seen in Figure 6, Wexford stated that he had been working as an\r\naffiliate for the LockBit operation for several months, and none of his victims paid the ransom.\r\nFigure 6: Wexford complaint posted on an underground criminal forum\r\nWexford claimed that due to a development error, the ransomware failed to encrypt the files on networked hosts\r\nbut instead appended the “.lockbit” extension to the filename, leaving the data untouched. Now, the victim could\r\nsimply rename the files on networked systems and remove the .lockbit extension, allowing the victim to restore\r\ntheir data without paying the ransom.\r\n“I renamed the file, removed the LockBit extension, and the file opened.” — Wexford\r\nWexford spent four months breaking into victim environments, deploying faulty ransomware that failed to encrypt\r\nthe victim’s data. As a direct result, none of the victims paid the ransom, leaving him with nothing to show for his\r\nwork. 
Making matters worse, LockBit refused to accept responsibility and told Wexford he should have tested the\r\npayload and notified them about the issue sooner. Other affiliates responded that their victims also often\r\ndisappeared without paying and now understood why. LockBit eventually fixed the bug, but the fact that it existed\r\nand its refusal to accept responsibility certainly tarnished its reputation within the criminal community.\r\nPART II: Extreme Makeover — LockBit Edition!\r\nAfter the arbitration case with Wexford, LockBit knew it needed to do better if it wanted to become one of the top\r\nransomware syndicates. Over the next six months, LockBit worked on a new project, internally referred to as\r\n“LockBit Red,” and publicly known as “LockBit 2.0.”\r\nIn September 2020, I saw a forum post (Figure 7) created by LockBit to hire someone who could help automate\r\ntasks using Active Directory Group Policy. At the time, I thought LockBit was looking for someone to help\r\ncompromise a specific organization by exploiting some aspect of Group Policy to deliver ransomware within their\r\nenvironment. However, I later realized LockBit needed development help to add functionality to its ransomware.\r\nUsing Group Policy to terminate security services and deploy ransomware was one of the new capabilities found in\r\nLockBit Red.\r\nFigure 7: LockBit post to hire support for the LockBit Red project\r\nWhile the project would not be launched publicly until June 2021, the gang began beta-testing with select\r\naffiliates in April 2021. The new ransomware update included the addition of many capabilities and features.\r\nLockBit claimed its ransomware had an updated encryption capability, making it faster than the previous version,\r\nwhich allowed it to encrypt victim data quicker than its competitors. 
To simplify operations, LockBit also\r\ndesigned an updated admin panel, accessed via Tor, allowing affiliate partners to conduct and control their attacks\r\nfrom one easy-to-use graphical interface. LockBit Red included many attractive hack tools and attack resources,\r\nsuch as port and vulnerability scanners, the ability to clear and delete logs, terminate security services, remove\r\nshadow copies that could allow users to restore data, and much more. The gang also introduced chat functionality\r\ninto its interface, with the ability to send the attacker push notifications when a victim responds to negotiate the\r\nransom demand. Figure 8 displays an ad posted by LockBit to market both its updated ransomware and affiliate\r\nprogram: \r\nhttps://analyst1.com/ransomware-diaries-volume-1/\r\nPage 11 of 54\n\nFigure 8: LockBit affiliate recruitment ad \r\nLockBit also included a feature, first seen used by Wizard Spider (Conti \u0026 Ryuk ransomware), a few months\r\nearlier, that leveraged a Wake-on-Lan feature that allowed attackers to boot systems powered off at the time of the\r\nattack. I know LockBit is associated with Wizard Spider as part of the cartel. Still, I don’t know if they copied the\r\ntechnique or had help integrating the feature into LockBit Red. Regardless, this feature is essential to the attacker,\r\nas it ensures that any systems in the victim environment that was not in an “on” state could be infected and\r\nencrypted. For example, before this feature existed, if a victim had servers storing backup data and was powered\r\ndown at the time of infection, the attacker could not deploy the ransom payload to the offline server. Then, after\r\nthe attack, the victim could boot the server and use it to restore data without paying a ransom. Now, with this\r\nfeature, the adversary can ensure it infects all available systems in the target environment. \r\nLockBit Red included many features attractive to affiliates. 
However, LockBit’s payment model was the most\r\nsignificant benefit to its partner affiliates. In most RaaS operations, the core gang controls the money and receives\r\nthe victims’ payments directly. Then, after receiving the ransom payment, the core gang pays a percentage to the\r\naffiliate. Some RaaS providers, such as REvil, took advantage of the situation and did not always pay the\r\nhttps://analyst1.com/ransomware-diaries-volume-1/\r\nPage 12 of 54\n\naffiliates, leaving them with nothing to show for their time and work. LockBit is one of the first to offer an\r\nalternative payment model in which the affiliate controls the money. This model elevates the issue of not being\r\npaid and likely drew many affiliates to work with LockBit. Additionally, LockBit has to launder only its own\r\nmoney, making it a cleaner process with less overhead and risk involved.  \r\nSteal this report! \r\nStealing and threatening to sell or release a victim organization’s sensitive data is often more damaging than\r\nencrypting their systems with ransomware. The data theft extortion tactic is lucrative for criminals but requires\r\nadditional work and resources. For example, criminals must either know which data is most sensitive or steal a lot\r\nof it to ensure they have the most critical information. Transferring large amounts of data is noisy and often\r\ndetected; this can be a problem for an adversary who wants to execute the attack quickly and efficiently while\r\nremaining undetected in the victim’s environment. While LockBit’s ransomware payload is one of the fastest data\r\nencryptors, it initially relied on legitimate publicly available tools, such as Rclone, to steal and exfiltrate data\r\nwhich was cumbersome and added time to the attack.29 \r\nTo address the issue, LockBit developed its own data exfiltration tool called “StealBit,” which is available to all\r\naffiliates supporting their program and is faster than Rclone. 
StealBit also includes built-in defense evasion\r\ntechniques and can delete itself after use.30 LockBit made StealBit available to affiliates directly from the admin\r\npanel used to manage their ransomware attacks. This minor detail is important because it provides the attacker\r\nwith a central management console that incorporates many attack features within a single graphical interface. This\r\nreduces the overhead and complexity of conducting ransomware attacks. Later, in April 2022, while conducting\r\nresearch for this paper, I received screenshots directly from LockBit showing the attacker’s view of the StealBit\r\nmanagement console. While some of the features in this screenshot were not available in 2021, it provides context\r\ninto how easy LockBit has made it to steal data from its victims.  \r\nhttps://analyst1.com/ransomware-diaries-volume-1/\r\nPage 13 of 54\n\nFigure 9: StealBit attacker management console \r\nNow, the LockBit affiliate can simply point and click to deploy its ransom payload and manage StealBit to\r\nidentify and exfiltrate victim data throughout their environment. Further, LockBit designed StealBit with many\r\neasy-to-use features, such as targeting and copying specific file types and applications.31 If the affiliate does not\r\nknow what data they should steal, StealBit can copy entire folders and directories, regardless of the type of data\r\nwithin it. Once copied, the attacker still needs to exfiltrate the data outside the victim’s environment. Previously,\r\nthis was a problem for LockBit since it had to rely on legitimate online data storage and distribution services and\r\nwebsites. Often, the victim or law enforcement would contact the data storage service provider, and LockBit\r\nwould lose access to the data they worked so hard to steal. To alleviate the issue, LockBit began uploading data to\r\nits own data leak site, eliminating the need to rely on third-party services. 
\r\n“Help Wanted, Apply Within”\r\nDespite all its features and user-friendly integrations, the most significant aspect of LockBit’s makeover was its effort to market and build its brand. In reality, LockBit Red was simply an update to the ransomware services offered through the RaaS. However, with its release, the LockBit gang conducted a strong marketing campaign to get people talking about it. With the new update and associated propaganda, criminals, security researchers, and the news media posted content about the gang and its operation. When it was all said and done, the gang significantly increased its criminal credibility and attracted new, experienced affiliate hackers to help drive its criminal enterprise.\r\nAccess Brokers\r\nOne problem all ransomware attackers must address is gaining access to a target’s environment. Historically, ransomware gangs needed to conduct the initial breach themselves or rely on affiliate hackers. Additionally, the initial access phase of the attack is one of the most cumbersome and time-consuming phases. Criminals saw this as an opportunity to make money and began a new criminal business model, acting as “access brokers” who obtain and sell access directly into victim environments.\r\nAccess brokers spend their time conducting stealthy attacks to bypass an organization’s security defenses and gain access to its internal network and systems. The hard part of this type of attack is not the initial breach. You see, many tools and resources exist, making this task easier than you might think. However, gaining admission without anyone noticing and maintaining entry is far more difficult. Due to this, access brokers can charge a hefty fee for their services.\r\nInsider Threat\r\nWhile purchasing access saved time, the cost came directly from LockBit’s bottom line, eating into profit. 
As part of its LockBit Red campaign, LockBit devised a new tactic to reduce cost. Rather than pay access brokers, LockBit attempted to directly recruit employees of potential target organizations to provide inside access to their environments for a monetary reward.32 If successful, LockBit could reduce costs while bypassing much of the time and effort necessary to compromise targets. Additionally, by using an insider, LockBit could decrease the chance of detection, since an insider could provide legitimate credentials and entry to the organization’s infrastructure.\r\nHow to NOT handle a ransomware attack\r\nLockBit’s insider threat campaign appeared to pay off in July 2021. With the new software, infrastructure, and supporting staff, LockBit conducted an attack against one of the largest global IT consulting companies, Accenture.33,34 To facilitate the operation, LockBit claimed to have gained access to Accenture’s environment with the help of an insider,35 resulting in the theft of 6 TB of data.36 Shortly after, news of the attack began to circulate. Initially, Accenture was slow to acknowledge the breach, and when it did, the firm said it was an isolated incident that did not expose customer data. There was one problem, however. LockBit posted the stolen data, which Accenture claimed did not exist, to its auction site, threatening to sell it to other criminals or leak it online if the consulting firm did not pay a $50 million ransom. Making the situation worse, in an interview with Bleeping Computer, LockBit claimed the stolen data included information it could use to gain access to other Accenture customers.37 The gang also claimed it had already used information taken from the stolen data to breach an airport that utilized Accenture’s software.38 LockBit and Accenture had very different stories.\r\nSomeone was not telling the truth. 
\r\nOne month later, in August, two airlines, one in Egypt and another in Bangkok, fell to ransomware attacks conducted by the LockBit gang. Both were customers of Accenture. Nothing is worse than lying about a breach that leads to the theft of your customers’ data. In reality, LockBit likely oversold the magnitude of the attack, and Accenture significantly downplayed what took place. Months later, Accenture would quietly provide additional details buried within the annual Form 10-K report it is required to file with the US Securities and Exchange Commission (SEC).39 In the report, tucked under financial performance data, Accenture admitted the breach took place and that data was stolen and leaked, which could impact its customer base moving forward.\r\n“To date, these incidents have not had a material impact on our or our clients’ operations; however, there is no assurance that such impacts will not be material in the future, and such incidents have in the past and may in the future have the impacts discussed below.”40 — Accenture\r\nFalling victim to a ransomware attack is not something an organization should be ashamed of. With today’s advanced and creative attackers, almost anyone can become a victim. However, how you handle the incident says a lot about your organization and its culture. Nothing is worse than denying an incident only to have the attacker post contradicting evidence publicly. In this incident, Accenture walked a fine line: it did not tell the complete truth, but it also did not outright lie about what happened. Instead, it provided vague details about the incident and then launched a PR campaign to control the story and make the loss appear less significant. In these situations, the stockholders and the victim organization’s customers lose the most.\r\nIn October 2021, LockBit introduced a new variant of its ransomware. 
Previously, LockBit’s ransomware could encrypt data only on Microsoft Windows-based systems. This posed a problem for attackers in large corporate environments running other systems, such as the Linux-based hypervisor hosts that run virtual machines. The new variant was the first version of LockBit ransomware developed as a Linux encryptor, built to compromise VMware ESXi virtualization platforms. LockBit officially named the release “LockBit Linux-ESXi Locker version 1.0.”41,42\r\nThe following month, November 2021, BlackMatter, another prominent RaaS provider linked to the former DarkSide ransomware gang, announced it was shutting down its operation. At that time, BlackMatter had a strong working relationship with LockBit and pushed its affiliates to transition to LockBit’s operation in preparation for BlackMatter’s closure. Further, BlackMatter directed its most recent victims to LockBit’s chat portal to continue the negotiation process.43 With victim data and seasoned affiliates transitioning over to LockBit’s operation, the gang certainly benefited from BlackMatter’s downfall. Additionally, while unknown at the time, LockBit recruited one of BlackMatter’s most vital resources: its developer.44\r\nThe Smear Campaign\r\nIn addition to BlackMatter’s exit, the notorious ransomware gang REvil also briefly ceased operations in the latter half of 2021 and then returned at a limited capacity, leaving many affiliates looking for employment. REvil had been the top ransomware gang within the RaaS community for some time before its downfall. When REvil’s issues began, LockBit strategically launched a smear campaign across one of the most popular criminal forums. LockBit directly challenged REvil on several issues. LockBit could have presented these comments and questions to REvil directly in a private conversation but instead chose to challenge REvil in front of the entire criminal community. 
I believe LockBit engaged REvil to tarnish its reputation in front of other ransomware criminals. This is an important part of this story because it shows the strategic steps LockBit took to climb to the top. LockBit took a move straight out of the Russian government’s playbook and spun its false narrative around legitimate information to discredit its competition. Next, let’s take a closer look at LockBit’s slander campaign against some of its competing criminal gangs between August 2021 and January 2022.\r\nThe Baby Killer Incident\r\nI think it’s fair to say most criminals are not known for their ethics. Still, even for criminals, certain crimes are viewed poorly, such as crimes that harm children. LockBit especially understood this, and when a ransomware attack on a US hospital resulted in the death of a baby,45 it seized the opportunity to discredit its competitors. On a popular criminal forum, LockBit posted a link to a legitimate news article detailing the infant’s death, which can be seen in Figure 10.\r\nFigure 10: LockBit claiming REvil is associated with a ransomware attack that resulted in the death of a baby\r\nIn the post, LockBit insinuated REvil or Hive was behind the ransomware attack. It is a good story, and it is easy to point the finger since both REvil and Hive have previously attacked hospitals, making the accusation plausible. However, there is no evidence or claim that either gang had anything to do with the attack. Neither the news reports nor the official court documents mention REvil or Hive ransomware.\r\nHowever, they do state that the attack took place using Ryuk ransomware, which Wizard Spider controls. Further, despite LockBit’s claims, it also targets healthcare organizations, but LockBit left that part out. 
It annoys me that LockBit frequently tells the media and the criminal community that it does not target healthcare-related organizations like hospitals. LockBit’s data auction site has many examples that contradict this claim.\r\nLockBit, no one likes a hypocrite.\r\nHas anyone seen my keys?\r\nThe baby killer posts were just one part of a larger smear campaign. Another occurred after the major attack against Kaseya, an MSP software provider, which resulted in over 1,500 companies becoming infected with REvil ransomware.46 Many of the victims involved in the attack avoided ransom payments and decrypted their data for free after allegedly receiving the decryption key directly from the FBI.47 LockBit asked REvil how the FBI obtained decryption keys related to the Kaseya MSP incident. REvil responded that someone hacked its server and stole the keys necessary to decrypt victim data. LockBit then provided its own scenario, insinuating that REvil, who used the alias 0_neday on the criminal forum, was not only lying but had been compromised and was cooperating with the FBI, and referred to REvil as “snitches.”\r\nFigure 11: One of several posts challenging REvil and questioning their decisions and loyalties\r\nWhile I believe the US government did hack REvil to obtain the decryption keys, I do not believe REvil cooperated or had any association with the FBI. Why would they? REvil had nothing to gain by doing so and, at the time, had little to fear in regard to arrest.\r\nSlide into Your DMs\r\nIn another post, which took place shortly after several REvil members were arrested in Russia, LockBit posted a private conversation between itself and a senior leader of REvil. The conversation included details of concerns about the United States and its campaign to bring down REvil members. 
LockBit tried to use this as evidence that REvil worked and cooperated with the FBI. Figure 12 is the introduction LockBit posted to the forum, which accompanied the leaked private conversation.\r\nFigure 12: LockBit post of a private conversation between them and REvil\r\nThe private conversation LockBit posted is too long to show here, but it did not prove LockBit’s claim. Again, this is another example in which LockBit released sensitive information and added its own self-supporting narrative. There is no way to validate how much of what LockBit claims is accurate; however, the continued propaganda released over 2021 and in the beginning of 2022 certainly worked in LockBit’s favor. I chose to focus on REvil and Hive in these examples, but LockBit uses the “smear campaign” tactic often against any ransomware gang it feels threatens its dominance in the criminal community. This type of betrayal is rarely seen among other ransomware criminals and highlights LockBit’s insecurities. For this reason, I believe LockBit’s motivation is not only financial but also personal. LockBit had already acquired great financial wealth but still felt the need to spend the time and energy posting misinformation and complaining about its competition.\r\nPART III: Nothing can stop me now!\r\nWith new malware, resources, and infrastructure, LockBit’s RaaS was a more attractive option to affiliates than many of its peer ransomware gangs. Still, one gang, which operated the Conti ransomware RaaS, seemed untouchable, even to LockBit. With its new branding and ransomware resources, LockBit grew its operation, yet the top-tier affiliates at the time supported the Conti ransomware operation, which was responsible for many high-profile attacks. 
\r\nAs 2022 began, the REvil gang’s demise continued, resulting in the arrests of many of its members.48 Still, despite all LockBit’s efforts, Conti continued to rise to the top, becoming the most dominant gang in the underground ransomware ecosystem. However, in February 2022, an opportunity unexpectedly presented itself. Russia began military operations to invade Ukraine and overthrow its government. The war posed a problem for ransomware gangs, which relied heavily on their affiliate partners. Many top affiliates lived and worked in Ukraine, executing ransomware attacks in partnership with Russian-based ransomware gangs. Conti must have forgotten this, because shortly after the war began, the gang posted the following pro-Russia message to its website:\r\n“The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructure of an enemy.” — Conti Ransomware Gang\r\nPosting this message was idiotic. I still have difficulty believing Conti did not realize the backlash this would cause. Surely, if I knew many of the world’s best hackers who support ransomware were Ukrainian, Conti also had to know. I’m not sure if they were really that stupid or were more concerned about the Russian government’s perception of Conti’s cooperation with Ukrainian nationals. Whatever the reason, affiliates, cybersecurity researchers, and even LockBit took notice. LockBit quickly leveraged Conti’s mistake and posted the following message to its own site’s “press release” section, announcing it had no political agenda and was all about the money.\r\n“For us, it is just business, and we are all apolitical. We are only interested in money for our harmless and useful work.” — LockBit Ransomware Gang49\r\nTaking a neutral stance was smart. 
The Conti gang alienated itself from many of its partners by making a divisive political statement and putting itself in the crosshairs of every pro-Ukraine hacker on the planet. It did not take long to see the effects of the backlash. On February 27, 2022, a security researcher from Ukraine leaked Conti’s internal data surrounding its operation. The researcher obtained the data from Conti’s internal servers.50 The impact of the leaks certainly affected Conti’s operation.51 The leaked data included chat logs between Conti’s criminal employees, operational documents, and source code for their ransomware builder, encryptor, and decryptor.52 All of this contributed to the operation ending in mid-May 2022.\r\nThe Black Album\r\nConti may have felt pressure to close its operation due to these circumstances. Additionally, it received much attention after it took down most of Costa Rica’s government with a massive ransomware attack in 2022, just before its exit. When Conti left, it went out on top, with years of attacks and an enormous operation that employed many criminals who partnered or worked with the gang. LockBit’s time had come, and the gang needed to find a way to rise to the top or find itself surpassed by one of its many criminal competitors. How would LockBit accomplish this?\r\nThe answer came the following month, in June 2022, when LockBit officially announced another major release of its ransomware, which it referred to internally as LockBit Black (publicly known as LockBit 3.0). I originally heard about LockBit Black in April 2022, when the gang first began to beta-test it with a small number of affiliates. At the time, the leader of LockBit and I were taking part in “Trafficked,” an investigative TV show that focused on cybercrime (can’t make this stuff up!). 
The episode will air in early 2023, but surprisingly, during the interview, LockBit shared screenshots of the updated management console. Additionally, he discussed many of LockBit Black’s new features. Figure 13 displays the LockBit Black management console as the attacker would see it when managing a LockBit ransomware attack.\r\nFigure 13: LockBit Black management console\r\nOften, criminal gangs use their ransomware and resources to conduct attacks and provide only small updates as necessary to stay ahead of security vendors. LockBit is not one of them. Unfortunately, ransomware and resource development are areas in which LockBit excels. As shown in Figure 13, LockBit Black improved on LockBit Red and added several new features, making it even easier for criminals to conduct attacks.\r\nAdditionally, LockBit added several other components to its program, such as additional mirror sites to enhance its infrastructure, making it harder for law enforcement or government agencies to interrupt its operation. LockBit also started a “bug bounty program,” offering researchers a monetary reward if they could identify vulnerabilities or development errors in its ransomware. This was especially important after Microsoft’s DART team identified a flaw in LockBit ransomware, which they referred to as “buggy code.” The bug allowed Microsoft to restore encrypted data associated with MSSQL database files.53 LockBit’s bug bounty program description, as seen on its website, is shown in Figure 14.\r\nFigure 14: Bug bounty program details posted to LockBit’s website\r\nLike LockBit Red, LockBit Black opened with a new recruitment effort, which conveniently began near the time Conti shut down its operation. 
The affiliate recruitment campaign was a success. Within a month of opening its newly updated ransomware program, LockBit had conducted its highest volume of attacks, far surpassing its competition and finally making it the most active ransomware operation in the world.\r\nLockBit did not just take first place statistically; it dominated the ransomware scene. In July, one month after the new program began, LockBit conducted 61 attacks.54 That’s nearly two attacks a day. I don’t have metrics on the ransom amounts paid that month, but with such a high volume of activity, LockBit likely had the most lucrative operation. The next closest group, BlackBasta, which is believed to be an evolution of the Conti gang, conducted 35 attacks.55 In my opinion, LockBit’s payment model, putting the affiliate in control of collecting and distributing ransom payments, in addition to its “easy to use,” feature-rich ransomware management panel, was the key to its success. Other additions to its program included an updated ransom note, wallpaper, and infrastructure. Additionally, LockBit added Zcash as a payment option for its victims.\r\nA Behind-the-Scenes Look into the Making of “The Black Album”\r\nThis is where things got interesting. To tell this part of LockBit’s story, I need to explain the background of several other ransomware gangs. In August 2020,56 the REvil ransomware gang helped one of its affiliates at the time stand up its own ransomware operation, known as DarkSide. The DarkSide ransomware gang is famous for committing one of the dumbest attacks of all time, against Colonial Pipeline.57 After the attack, when gas stopped flowing across the east coast of the United States, the US government engaged many of its cyber resources to address the attack and the criminals behind it. 
As a result, in May 2021, DarkSide closed its operation, leaving some of its criminal partners unpaid for their work.\r\nDarkSide was now the target of both the US government and the criminal hackers to whom it owed money. Both are reasons DarkSide tried to go unnoticed when it began new ransomware operations in July 2021, only two months after its retirement. To do so, the gang rebranded itself as “BlackMatter,” used a new ransomware payload to conduct attacks, and hid that the individuals behind it were originally the DarkSide gang. However, researchers quickly identified the same code routines in both DarkSide and BlackMatter ransomware, indicating a link existed between the two.58 As the news traveled, criminals posted to forums and markets discussing the connection and their distrust of the gang. Finally, in early November, things became too hot to handle for BlackMatter, which posted a cryptic message on its site stating that authorities were closing in and some members were no longer available.\r\n“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available after the latest news) — project is closed.” — BlackMatter59\r\nStill, DarkSide/BlackMatter was not done yet. Once again, just two weeks after retiring the BlackMatter operation, the gang developed new ransomware and started another RaaS program, called BlackCat (aka Alphv).60 Later, in an interview, a member of BlackCat would confirm the association, though it downplayed how many members of the original DarkSide gang remained.61\r\nThe point is that all three gangs, DarkSide, BlackMatter, and BlackCat, are the same individuals who rebranded their operations under new names and ransomware. 
For a group of hackers behind such large-scale attacks, they are not very creative in coming up with new names intended to fool the security community. Personally, I am waiting to see what name they use next. If anyone from the gang is reading this, I would like to nominate the name “DarkMatter”. No one will ever guess the association!\r\nWhile the DarkSide backstory is interesting, you are probably wondering what this has to do with LockBit. Remember from earlier that when BlackMatter shut down operations, it pushed its affiliates to work with LockBit, demonstrating the two gangs had a good relationship up to this point. However, all good things must come to an end, and in mid-November 2021, LockBit successfully recruited one of the primary developers who supported ransomware development for both the DarkSide and BlackMatter operations.\r\nThe leadership within BlackMatter felt LockBit poached their developer, which it did, causing bad blood between the gangs. This became apparent in conversations between the two within the criminal forum, seen in Figure 15.\r\nFigure 15: Conversation with BlackCat/Alphv (BlackMatter/DarkSide) about LockBit’s relationship with their former developer\r\nOver the next six months, the former BlackMatter developer worked for LockBit to create its new ransomware variant, LockBit Black (3.0). As discussed, the gang officially released LockBit Black in June 2022, and researchers and security organizations quickly began to dissect and analyze its payload. The initial analysis showed several overlaps and similarities between it and BlackMatter ransomware.62 Keep in mind that the developer’s defection to LockBit was publicly unknown at the time. Due to this, many other researchers and I believed that LockBit had purchased BlackMatter’s source code and used it in the development of LockBit Black. 
\r\nHowever, according to LockBit, that is not correct. For reasons I don’t really understand, LockBit became upset over the claim that it purchased BlackMatter source code to develop its own ransomware. LockBit went on a rant, threatening the developer and insulting BlackMatter/DarkSide/BlackCat on a criminal forum. In the argument, LockBit threatened the developer indirectly, insinuating it could release information about the developer’s past, his current location, and even information about his wife. LockBit also accused the developer of being lazy and an abuser of alcohol and drugs:\r\nFigure 16: LockBit threatens BlackMatter developer\r\nHowever, LockBit screwed up. The problem with lying is that you must keep your story straight. In an interview several months before this conversation took place, the cybersecurity outlet Red Hot Cyber (RHC) asked about the LockBit 3.0 project. LockBit responded:\r\n“The source codes of DarkSide/BlackMatter windows locker were bought and significantly improved.”\r\nSo, which is it, LockBit? Did you buy the code, or did you get it for free? What’s more interesting to me is that LockBit feels the need to lie about the topic. At the end of the day, who cares? There are a few possible explanations. First, LockBit lies so often it can’t keep its story straight. Second, there are several individuals behind the LockBitSupp persona. Or third, LockBitSupp does not think what it says on the dark web will be known or leaked in the public domain.\r\nIn reality, the BlackMatter developer became tired of his original ransomware gang’s constant cycle of starting and stopping operations, as well as running from the US government, and wanted to work under a more stable, consistent brand: LockBit ransomware.63 If only he had known the amount of drama he would have to deal with from LockBit. 
He would have thought twice about joining the gang if he had known LockBit would post information about him and harass him and his previous employer all over the criminal forums. Compared to listening to LockBitSupp all day, I bet that quiet prison cell is looking pretty good at this point!\r\nLockBit made one other comment which is important to disclose. It claimed the developer formerly worked for the cybercrime group known as Fin7, which is behind many high-profile banking and financial-crime-related attacks.64 More importantly, if true, this also provides a common link between LockBit, DarkSide, BlackMatter, BlackCat, and Fin7. Further, while outside the scope of this report, Fin7 has also been linked to the BlackBasta ransomware gang, which, as I mentioned earlier, is believed to have strong ties to the former Conti gang.65 Again, the ransomware community is much smaller than most people think.\r\nFigure 17: LockBit post linking its developer to Fin7\r\nLockBit also claimed the developer used his personal banking information to receive payment for work he did while working under Fin7. This is vague but would indicate that a financial trail exists which could be used to reveal the developer’s actual identity and provide evidence of his involvement in the attacks. However, finding that needle in the haystack would be quite difficult.\r\nBelow is a high-level association diagram showing the basic connections between the various criminal gangs discussed in this section in relation to LockBit:\r\nFigure 18: High-level relationships between criminal gangs (do not use for attribution!)\r\nIt’s important to note that the links and associations I have discussed in this section were to show the behind-the-scenes activity that went into the making of LockBit Black. 
The associations and activities involving these gangs originate from claims made directly by senior members who run these criminal operations. Many of the claims made can be backed with technical evidence found in each ransomware variant’s code or functionality.\r\nPlease do not make attribution based on LockBit’s claims or other security vendors’ findings.\r\nMake attribution based on your own research, backed by data and evidence to support your findings. My intent is to tell you the story, originally told by the criminals themselves, from their point of view. Solid attribution with evidence should be used if you choose to repurpose this information for your official attribution.\r\nThe Mandiant PR Stunt\r\nIn June 2022, the global cybersecurity company Mandiant really, really pissed off LockBit. In a strange turn of events, LockBit named Mandiant as a victim on its data auction site. However, it soon became clear the breach was not authentic. LockBit had not actually compromised or stolen any of Mandiant’s data. As a researcher who follows the gang closely, I felt this tactic seemed out of character for LockBit. You see, at the time of this writing, LockBit has 1,243 victims listed on its website. Remember, this is not even close to a representation of total victims, since LockBit removed previous victim data from its site when it shut down LockBit Red and began LockBit Black. Still, since launching LockBit Black in June 2022, the crime syndicate has compromised over 1,200 victims. In all these attacks, I have not seen another example where LockBit lied about a victim. Usually, the gang is concerned with its image and reputation. So, why would LockBit lie about Mandiant? The answer is complicated. 
\r\nYou see, before LockBit’s post, Mandiant released a public blog detailing ransomware activity it calls UNC2165.66 UNC2165 is a cluster of ransomware activity Mandiant associates with the ransomware gang EvilCorp. Apparently, Mandiant identified EvilCorp conducting ransomware attacks in which it used LockBit’s ransomware to encrypt its victims’ data.\r\nLet me explain why this is an issue. In August 2021, I wrote a research paper titled “Nation-State Ransomware.”67 In that report, I mention various links between Russian-based ransomware gangs and the Russian government. One of the links involves an attack against a US defense contractor, which was initially discovered by Prodaft, a cybersecurity company.68 Prodaft detailed the overlap between the EvilCorp ransomware gang and Silverfish, a Russian government-associated espionage group, which I expand on in my research.69 This is part of the reason LockBit was concerned about the association Mandiant made. EvilCorp’s association with the Russian government attracts greater attention than a lone criminal group.\r\nMaking matters worse, in December 2019, the US Treasury imposed financial sanctions against EvilCorp, including any individual or entity associated with the gang. The sanctions made it difficult, if not impossible, for a US company to legally pay a ransom demand when the attack is associated with EvilCorp. This was LockBit’s largest concern, as its entire operation could be jeopardized if the United States categorized it as an EvilCorp partner. The irony in this story, based on statements made directly by LockBit on a criminal forum, is that the gang did not willingly partner with EvilCorp. Instead, EvilCorp gained access to LockBit’s ransomware payload and began to use it without LockBit’s consent. LockBit did not willingly agree to the partnership, nor did it want to do business with EvilCorp. 
Personally, I believe LockBit on this topic, mainly because they have previously tried to distance themselves from political and government-affiliated organizations. Second, this is not the first time EvilCorp has posed as another ransomware gang to avoid sanctions placed against them.70 Third, LockBit has little to gain and a lot to lose by partnering with EvilCorp. It turned out the entire thing was a PR stunt to make a point that things are not always as they appear. Mandiant was not a LockBit victim, and LockBit was not an EvilCorp partner.\r\nThe 0-Day\r\nI have researched a lot of ransomware attacks over the years, and it is extremely rare that I see a cybercriminal use a true, non-disclosed 0-day. However, LockBit is a unique adversary and executed an attack in July, where they exploited a previously unknown vulnerability found on some versions of Microsoft Exchange servers. In the attack, LockBit gained access to two Exchange servers running Windows Server 2016 Standard.71 The exploit allowed LockBit attackers to gain remote access into the victim’s environment with escalated privileges, where they stole data and encrypted systems.72 Using a 0-day demonstrates the capability and access to resources unavailable to most attackers. However, LockBit generates a lot of revenue from extorting its victims and certainly has the capital to buy or pay others to discover unknown software flaws that it can repurpose for its criminal operations.\r\nDELETE_ENTRUSTCOM_MOTHERFUCKERS\r\nOver the summer of 2022, LockBit continued its attacks and listed several other high-profile organizations as victims. Unfortunately, unlike Mandiant, the other companies LockBit named as victims were not part of a PR stunt. 
LockBit conducted attacks against one of the world’s largest technology manufacturers, Foxconn, and the security technology company Entrust, among many others. Figure 19 shows a portion of the companies on LockBit’s data auction site, as seen in mid-August 2022.\r\nFigure 19: LockBit data auction leak site — August 2022\r\nAfter LockBit breached Entrust, it claimed to steal over 300 GB of its internal data.73 However, unlike most companies, Entrust aggressively responded when LockBit threatened to leak their data. Remember, LockBit prefers to leak victim data from its own infrastructure, which they control. So, when it threatened to post the Entrust data it stole, Entrust responded with a denial of service attack, crippling LockBit’s infrastructure. For several days, LockBit’s data auction site could not be reached. The victim chat portal, hosted on the same server, was also down. Now, LockBit looked foolish and was losing money. They finally got a taste of their own medicine. Well played, Entrust!\r\nEntrust’s response clearly frustrated LockBit. On August 23, 2022, LockBit made the below statement about the situation:\r\nFigure 20: LockBit response to Entrust DDoS attack as seen on a Russian forum used by cybercriminals\r\nStill, I applaud Entrust’s effort and response. Publicly, Entrust acknowledged and notified its customers of the breach.74 Unlike Accenture, Entrust was transparent about the attack. Many people will likely disagree, but I think the DDoS attack was a brilliant response. For one, it’s almost impossible to prove who is behind it from a legal perspective. More importantly, Entrust accomplished something no other victim has achieved. For several days, they brought LockBit’s operation to a halt and delayed the exposure of their data. The DDoS attack cost LockBit time and money necessary to stabilize its infrastructure. 
Further, they refused to pay the ransom, leaving LockBit and its partners unpaid for their time and work. While there are no winners in a ransomware attack, Entrust sent a strong message to LockBit that day, which can be seen in the DDoS attack data itself, shown in Figure 21.\r\nFigure 21: Entrust/LockBit DDoS attack data75\r\nThe lesson here is if you target Entrust, Entrust will target you!\r\nWhile the response was admirable and certainly sent a message to LockBit, there was a downside. LockBit saw the impact of the attack on their own operation and decided to add DDoS attacks to their attack playbook. Despite LockBit’s threats, it has used DDoS as a third form of extortion very sparingly. Remember, LockBit is not conducting the attacks; their affiliate partners are. Affiliates are not going to conduct a DDoS unless they need to. LockBit wants the tactic used to make a point, but affiliates simply want to get paid.\r\nWhile LockBit credited Entrust for giving them the idea, this was simply a ploy to blame them for the attack technique. You see, SunCrypt, another ransomware gang, used the DDoS tactic as a form of extortion back in 2020, when the two criminal organizations played nice with one another as part of the pretend cartel.76\r\nStill, I learned something about LockBit when it fell victim to Entrust’s DDoS attack. Apparently, they are not very good at distributing data outside of their own infrastructure. You see, when LockBit realized they were now the victim of a DDoS attack and its infrastructure was down, it threw the equivalent of an online tantrum, threatening Entrust, and then began to post links where it publicly posted its data. 
\r\nHere is a timeline of events:\r\nJune 18, 2022 — Entrust attack first reported publicly77\r\nJune 19, 2022 — LockBit posts the negotiation chat log to their data leak site, making the private conversation public to pressure Entrust into paying the ransom. This is the first time LockBit published victim negotiations.78 While it was speculated at the time that this was a new tactic that LockBit would continue to use, this appears to be an isolated incident.\r\n~August 20, 2022 — LockBit begins to leak Entrust data on its data leak site\r\n~August 21–22, 2022 — DDoS attack shuts down LockBit infrastructure79\r\nAugust 24, 2022 — Entrust data is posted to a popular criminal forum known as “Breached” (breached[.]vc / breached[.]to) by a user named “LockBit.” The filenames and directory structure were uploaded to match the data previously seen in the original leak posted to LockBit’s infrastructure. Strangely, the contents of the files could not be validated since many of the file archives were corrupt. I initially assumed the post was from the authentic LockBit ransomware gang. However, after thinking the data was not from the Entrust breach, it seemed the upload may have been from someone else claiming to be LockBit. But why? What would anyone gain from posting irrelevant data with the same filenames and directory structure as the real thing? This did not make sense.\r\nAugust 25, 2022 — LockBit claims the leak on the Breached forum was fake\r\nAugust 27, 2022 — LockBit posts Entrust data across three publicly available data-sharing websites. Each link directs the user to a torrent allegedly comprised of Entrust data. However, once again, the data is corrupt.\r\n~August 28, 2022 — LockBit’s infrastructure is back online, signaling the end of the DDoS attack. Entrust data is once again available for download directly from LockBit’s infrastructure. 
\r\nAugust 29, 2022 — LockBit claims they identified and fixed the issue causing data corruption within the file archives\r\nOnce the data became available on LockBit’s infrastructure, both researchers and cybercriminals compared the data from the initial release on the Breached forum, the torrent release on public infrastructure, and the data posted to LockBit’s website. While much of the data from the earlier attempts was corrupt, a limited sampling of the data could be validated against the final release of authentic Entrust data stolen. It was, in fact, the same. Since the data was the same, and LockBit claimed the Breached release was fake, I first questioned if LockBit could have an insider releasing data on their own. I was not the only person who thought something was wrong. You can see in the below thread LockBit claiming the data was fake and discussing how it may have ended up on the Breached forum:\r\nFigure 22: LockBit claims Breached forum post of Entrust data is fake\r\nI know it was you, Fredo.\r\nLockBit claimed someone took the data from its initial post on the data leak site. However, I could never access the data until after the DDoS attack and could not validate if it was previously accessible. If so, this would explain how the data was posted to Breached. Other criminals also questioned LockBit and claimed the data was never available before the DDoS attack. In my opinion, there is no insider threat. LockBit themselves posted the data to Breached and then realized it was corrupt and struggled to correct the issue. Apparently, even LockBit has tech problems sometimes! After failing several times to correct the compression issue, LockBit knew it would look foolish after making such a spectacle about its revenge for the DDoS attack. 
So, to avoid looking incompetent, it claimed the data was fake and had been uploaded by a fraudulent third party. I don’t think so. I know it was you, LockBit!\r\nDo you like my tattoo?\r\nYou might think after the very public Entrust debacle, LockBit would give its PR campaign a break and just focus on its operation, but you would be wrong. In early September 2022, a member of the Russian forum LockBit frequents began a thread asking for suggestions for a “thematic tattoo” and tagged LockBit in the post. LockBit replied, offering to pay anyone who tattooed the LockBit name and logo on their body. The tattooed individual simply needed to post proof of the tattoo to collect payment. No one would tattoo a ransomware gang’s name on themselves, would they? Apparently, there are lots of stupid people in the world who will do anything for money. The LockBit circus was in full effect.\r\nSoon, posts on social media began to appear, and a list of BTC wallets with images of tattoos and videos was shared on GitHub, as well as the underground forum where LockBit initially posted.80,81 Below is part of the conversation and a sampling of images submitted as evidence for payment from LockBit groupies:\r\nFigure 23: LockBit tattoo convo and groupie tattoos\r\nI don’t think LockBit initially planned this as a PR stunt, because they did not start the forum thread but instead responded as a joke to the person who made the initial post. However, once people posted images and videos to social media, showing themselves getting the LockBit tattoo, the press began to publish articles about the event. Soon, what started as a simple comment on a forum was a major public spectacle reported by news organizations worldwide. Suddenly, LockBit needed to pay up, which they did for the most part. 
\r\nThe Drunken Developer\r\nTo say the least, September was an interesting month for LockBit. On September 21, 2022, as the buzz from the tattoo contest began to subside, an unknown persona with the alias “Ali Qushji Crew” made a bold claim on both Telegram and Twitter:82\r\nFigure 24: Telegram post and tweet from someone claiming they hacked LockBit\r\nAccording to the persona, they had hacked LockBit’s infrastructure and stolen its ransomware builder source code, which they made available to download using the supplied password. This is significant since the builder creates the LockBit ransomware payload used in attacks. Once made public, anyone can use it as they see fit. Shortly after the tweet, a cybersecurity researcher based in Ukraine, @3xp0rt, uploaded the files to GitHub, making them available for anyone to analyze.\r\nThe strangest part of the incident is not the leak but the story surrounding it. You see, Ali Qushji and its associated team did not hack LockBit infrastructure or steal the builder as claimed. Instead, Ali Qushji and the hacking tale were created to provide plausible deniability to the real perpetrator behind the leak. However, while the story and persona were fictitious, the ransomware builder source code leaked was authentic! The obvious question is, if LockBit was not hacked, how did the person behind the leak gain access to the ransomware builder? The answer came from vx-underground:83\r\nFigure 25: Explanation posted to Twitter explaining the ransomware builder was leaked by an insider and not hacked by Ali Qushji84\r\nWhen the news of the leak became public knowledge, the dark web blew up with chatter across hacking forums and markets. Now we have “Proton” (Figure 25), “Ali Qushji” (Figure 24), and a mystery developer/programmer attributed to the ransomware builder’s leak. 
I could not wait to see what LockBit would say. Have you ever watched a good TV show that ends with a cliffhanger, leaving you to wait in anticipation for the next episode? That was what this felt like. Further, I found the Proton account also had a Telegram channel and posted the exact message, word for word, as the Ali Qushji post.\r\nLockBitSupp was not responding to questions on the forum, but it showed he was available online in Tox, a secure chat platform it uses to communicate. I guess LockBit was busy investigating what and how the builder leaked and did not want to comment until it understood how the leak transpired. Several hours passed. Then, finally, LockBit responded, addressing the situation. LockBit claimed a disgruntled employee with an on-the-job drinking problem was behind the leak. Here is LockBit’s explanation:\r\nLockBit is a criminal, so I must question the validity and motivation behind anything it claims. No matter which of the explanations is accurate, it reflects poorly on LockBit. However, in this case, LockBit’s explanation makes the most sense. For one, if someone did, in fact, compromise one of LockBit’s servers, why would they only release a single builder? It’s plausible a developer may only have access to the code (builder) he is developing and not the entire arsenal of ransomware, explaining why only it was released. Second, if the scenario in which a hacking team was behind the attack were true, why did they only create their online persona just prior to the leak? This is a huge red flag. Only an amateur or someone with little experience developing online personas would present the leak in this manner. Yet, something else LockBit said convinced me to believe their version of the events. 
If an outside group did breach LockBit’s server and gain access to their most sensitive data — their source code — then why did they:\r\n“Just forget to deface it [LockBit’s website] when they broke it, and also merge the builder of the world’s fastest stealer, locker 2.0, Linux locker with 14 types of architectures, a database with correspondence, wallets for payment, advert logins and web sources panels, and history of visits to the server with my IP address from Starlink.” — LockBitSupp\r\nThis is a rare occasion where every point LockBit made rings true. Unfortunately, LockBit runs a very secure operation. Someone would have exposed them a long time ago if it didn’t. Anyone who put the time and effort into breaching LockBit would not stop with a single builder. For example, look at all the information and data gained from the infamous Conti leak compared to this event.85 Chat logs, tools, operational playbooks, wallets, and source code were all leaked in that event. In comparison, it’s not even close. This was the act of a disgruntled employee making a point to his boss and not an elite team of hackers trying to expose LockBit’s whole operation.\r\nThe more important part of the story, according to LockBitSupp, is the disgruntled developer — the same developer discussed earlier who defected from BlackMatter to develop LockBit Black.\r\n“This coder is so cunning that he does not even remember that the story of ‘buying’ sorts was invented only in order to save his ass from revenge, because he defected to competitors” — LockBitSupp\r\nThe “story” LockBitSupp is referencing is that it purchased BlackMatter ransomware source code as opposed to stealing it by recruiting its developer, as I discussed earlier. The “defected to competitors” comment references the developer leaving BlackMatter to support LockBit. 
However, if true, I would consider the developer central to LockBit Black and expect him to have access to far more information and resources than he released in the leak.\r\nThere was another point made while discussing the breach with LockBit, which may explain the motivation behind the leak. A few months earlier, in July 2022, LockBit paid out $50,000 to an individual who found a flaw in the code present in LockBit Black, which allowed files to be decrypted without the decryption key.86 Apparently, the code was originally present in BlackMatter, and since LockBit used that to develop LockBit Black, the same vulnerability also existed in it. The theory is that LockBit took the $50K out of the developer’s salary since he did not correct the flaw before using it to develop LockBit Black. LockBit acknowledged the flaw and stated it did pay the $50K payment as part of its bug bounty program but denied the funds were taken from the developer. Instead, LockBit claims it paid the bounty from its own funds, which had nothing to do with the disgruntled developer. However, this theory fits perfectly into the events leading up to the leak and would provide a motive for why the developer betrayed LockBit.\r\nYou Have the Right to Remain Silent\r\nIn late September and October 2022, LockBit continued to break records with high-volume attacks. One victim, Pendragon, was a United Kingdom-based automotive company that LockBit attacked and demanded a $60 million ransom! LockBit operated as usual, encrypting systems and stealing internal data from the organization. Pendragon, however, refused to negotiate with LockBit. The company stated, “We refuse to be held hostage by this group, and we will not be paying a ransom demand.”87 There were also several European-based healthcare-related organizations breached in October 2022 that also refused to pay. 
Unfortunately, the breach resulted in patient data being exposed on the dark web.88 Despite several non-paying victims, LockBit had many other victims who did pay. With so many attacks taking place involving LockBit ransomware, things were going well for the gang, but that was about to change.\r\nOn November 9, 2022, a dual Russian-Canadian national, Mikhail Vasiliev, was accused of participating in the “LockBit global ransomware campaign” and arrested at his home in Canada. The next day, the US Department of Justice (DOJ) issued a criminal complaint also charging him with a series of ransomware-related charges.89 The arrest was reported by news outlets globally. The DOJ released the following statement pertaining to the arrest:\r\n“Yesterday’s successful arrest demonstrates our ability to maintain and apply relentless pressure against our adversaries,” said FBI Deputy Director Paul Abbate. “The FBI’s persistent investigative efforts, in close collaboration with our federal and international partners, illustrates our commitment to using all of our resources to ensure we protect the American public from these global cyber threat actors.”90\r\nAdding to the buzz, many news outlets published headlines similar to the one below:\r\nFigure 26: DarkReading news article about the LockBit arrest\r\nWhen I heard a core member of LockBit was arrested, I was immediately skeptical. You see, LockBit is extremely careful in running their operation, and I would be shocked if any core gang member would reside in a US-friendly nation where they could be arrested and extradited. Most ransomware-related arrests involve affiliates who often live outside of Russia. Did they actually arrest one of the key leaders of LockBit? I found the answer buried within the details of the court documents.\r\nIn the criminal complaint, the DOJ stated Vasiliev was caught off guard as he sat at a table in his garage while using his laptop. 
Fortunately, Vasiliev did not have time to log out of his laptop before being subdued, making its contents available to law enforcement. The confiscated laptop was the same system Vasiliev used to communicate with LockBit and to conduct attacks. According to the criminal complaint:\r\nUnfortunately, since Vasiliev was not actively logged into the attack management console, law enforcement could not access LockBit’s administrative infrastructure. However, they gained some additional information from analyzing the laptop’s memory.\r\nThe information in this section of the criminal complaint was especially informative. Having firsthand knowledge of the admin console and infrastructure, I recognized the platform based on the pages found in the memory of Vasiliev’s computer. Specifically, the reference to “/page#builder/builder_red” told me Vasiliev was not a core member of the gang. You see, “builder_red” represents the admin page used for “LockBit Red,” which, as I discussed earlier, is the internal name used for LockBit 2.0, the previous version of LockBit ransomware. LockBit Red was replaced with LockBit Black in June 2022. This indicated Vasiliev worked with the gang prior to June and had not accessed the new LockBit Black operation used in current operations. A core member would have certainly accessed the LockBit Black admin console. While it’s possible Vasiliev accessed LockBit Black from another system, I think that detail would be included in the criminal complaint.\r\nTo be clear, if Vasiliev is not a core member, as I believe, the arrest is still significant. It just means the arrest will have a smaller impact than what the media portrayed. Further, regardless of Vasiliev’s role with the gang, his maximum penalty is five years in prison.92 The punishment does not fit the crime when you consider the damage LockBit causes to its victims. 
I don’t think this will send the “warning to ransomware actors” that the DOJ is publicizing. While outside the scope of this paper, the penalties for supporting ransomware attacks must be much tougher.\r\nUnmasking LockBit\r\nThere is a lot of information discussed in this report! If you have read my previous research, you know I pride myself on supporting my assessments and analysis with technical evidence. I like to break down each finding and show exactly how I came to my conclusion. However, this report is based primarily on human intelligence gathering, which makes it much harder to lay out in an analytical, evidence-driven format.\r\nIn place of technical evidence, I have provided human intelligence supported by screenshots and quotes throughout this report to convey the analysis and findings I will give next. Remember, since my research is based on human correspondence, underground forum posts, and statements made directly by the individuals behind and associated with the LockBit operation, there is a higher margin for error. Still, I wanted to tell this story in a way not previously reported and show the operation from the eyes of the adversary. I also wanted to demonstrate the value of human intelligence in a cyber context because I believe it is extremely valuable for understanding ransomware adversaries. After months of investigating, this is what I learned about the humans hiding behind the LockBit persona and its ransomware operation.\r\nTwo members of the LockBit gang, the leader and another core member, likely operate the LockBitSupp persona.\r\nThroughout this report, we discuss interactions and behaviors observed by the LockBitSupp persona. One of the frequent points discussed by criminals is whether the individual behind the persona is the gang’s leader, as it claims, or if there are multiple individuals. 
Some criminals speculate that the persona is nothing more than a PR tool; however, I don’t agree with that assessment. There could be multiple individuals behind the account, but if so, they are key members of the gang. The persona has a high level of knowledge about the gang’s operation and access to sensitive materials that only a senior member would have.\r\nI believe the gang’s leader is behind the LockBitSupp persona and, on occasion, has another member fill in to keep the profile active and engaged with the criminal community. I believe this because there are only a few occasions in which the persona contradicts itself and makes mistakes. On other occasions, I believe the contradictions are intentional to throw off law enforcement and researchers like myself.\r\nFor example, remember the incident I discussed earlier, where the LockBitSupp persona stated they purchased BlackMatter source code and then, several months later, claimed they obtained it for free from a ransomware developer. I believe another gang member, and not the gang’s leader, operated the persona to conduct the interview through the LockBitSupp persona. That individual did not expect the question about how it obtained the source code and answered incorrectly. This triggered a series of events that eventually led the developer to defect and leak LockBit’s source code to its ransomware builder.\r\nLockBit did NOT operate the Gogalocker and MegaCortex ransomware operations as attributed in previous security vendor reporting. The attribution was derived from weak evidence too common to use for attribution. Further, after a series of arrests of members associated with Gogalocker, no evidence or accusations exist to connect the operations with one another.\r\nLockBit is associated with several high-profile ransomware gangs:\r\nLockBit personally knows the identity of the key members of DarkSide, BlackMatter, and BlackCat ransomware gangs. 
He also had close ties to the key leaders who previously ran the REvil ransomware gang. Additionally, LockBit claims another popular criminal persona known well in the criminal community is associated with the leadership behind the former Conti gang, now BlackBasta. LockBit also claims this individual and the other core members of the former Conti gang are working for the FSB.93\r\nLockBit interacted and frequently communicated with the REvil persona “Unknown”, amongst others, who is believed to have been the leader of the gang. LockBit does not believe the individual currently running REvil is the authentic REvil leader.\r\nLockBit confirmed that the core members of DarkSide were the same individuals behind BlackMatter and BlackCat ransomware. LockBit also confirmed the leadership of BlackBasta are the same individuals who ran the former Conti ransomware operation. While the security community already made these connections through technical means, LockBit’s interpretation is derived from human relationships with the members who make up these gangs, making it a more significant association.\r\nLockBit did not purchase BlackMatter source code as believed but instead obtained access to it from its developer in November 2021.\r\nThe developer of DarkSide ransomware is the same individual who developed BlackMatter and LockBit Black ransomware and previously developed malware for Fin7, another cybercrime group.\r\nThe developer who recently leaked LockBit ransomware should be a high-value target for law enforcement and government operations.\r\nThe developer is highly connected within the Russian ransomware and organized cybercrime community. 
\r\nThe individual previously developed malware for Fin7 and then created DarkSide ransomware, which was used in the Colonial Pipeline attack, and then developed ransomware for BlackMatter ransomware operations before joining LockBit to create LockBit Black.\r\nThe individual (developer) has defected from BlackMatter and LockBit and may now be in hiding.\r\nThis person would provide the best chance to turn into a major player with inside knowledge of human and technical operations spanning major cybercrime syndicates. Both BlackMatter and LockBit have previously threatened the developer.\r\nThe developer has information related to the identity of both LockBit and DarkSide leadership and possibly Fin7. Leadership in these gangs also likely knows the identity of the developer. The fact that neither LockBit nor BlackMatter have attempted to dox, or worse, physically harm the developer is an indication that he likely has information that could be used against these gangs if something were to happen to him. (I don’t know this for a fact, but it makes sense and has been insinuated by sources close to the involved parties.)\r\nAdditionally, LockBit has made threats against the developer but never followed through, even after the developer leaked its source code.\r\nAnother party, who is well known and connected to cyber criminals and has close ties to the developer, shared inside details stating the developer told him directly that he did, in fact, leak the LockBit ransomware builder source code after LockBit refused to pay him the amount they agreed upon. 
\r\nDeveloper attributes:\r\nMale, likely in his mid-30s, living in Russia or in a former CIS state in Eastern Europe\r\nServed in a military unit where he performed a job that required a high level of technical knowledge\r\nPreviously convicted of crimes and may have served a short sentence in prison\r\nMarried and has children\r\nAllegedly operates his own site on the dark web to solicit work, indicating he likely works for other criminals in addition to LockBit\r\nThe developer provided his side of the story and details the timeline and sequence of operational events from when he defected from BlackMatter to when he and LockBit began their altercation, resulting in his quitting the operation. A transcript of his statement can be found in the appendix of this report.\r\nAccording to LockBit’s former developer, since he left the operation, LockBit has had no support for LockBit 3.0.\r\nIf true, this could be leveraged against LockBit.\r\nWhile LockBit’s operation continues to dominate the ransomware ecosystem, many criminals are growing tired of the gang’s leadership and public antics.\r\nThe leader behind LockBitSupp claims he keeps his PGP secret key and a multi-signature wallet on a hidden flash drive. The wallet requires passwords, which, in a previous conversation, he stated were 50 characters in length and randomly generated. It also requires a key file, which he states is on another flash drive that he keeps around his neck on red wool. He uses wool so he can quickly rip off and swallow the flash drive upon his arrest. Who knows if any of this is true, but he certainly put much thought into the story. You can see his claims in Figure 27 below. 
\r\nFigure 27: LockBitSupp discusses how he will evade being identified as the leader of the gang if\r\narrested \r\nOn several occasions, LockBitSupp claimed he uses Starlink, the satellite internet provider owned by Elon Musk.  \r\n“I have already said more than once that I use Starlink, because it increases the radius of my search.”\r\n— LockBitSupp \r\nLockBitSupp claims he believes the geolocation area for an IP address assigned to a satellite network is much\r\nbroader than with traditional connections, which would make it harder to track him down should his network access be\r\nidentified. Once again, I don’t know if he is telling the truth or if this is for show. \r\nFinal Entry \r\nLockBit is not going away anytime soon. Despite the recent negativity expressed by members within the criminal\r\ncommunity, LockBit runs a lucrative operation that is attractive to cybercriminals. The easy-to-use, point-and-click graphical interface built into the attack management console makes it fast and efficient for criminals to\r\nconduct enterprise ransomware attacks with far less technical expertise required than ever before. Additionally, the\r\naffiliate-controlled payment model builds trust with cybercriminals and ensures they are paid for their work.\r\nHowever, if any of these services or components of the RaaS program change, such as not updating ransomware,\r\ntools, or infrastructure, LockBit activity would significantly decrease. Further, there is a lot of competition waiting\r\nto move in if LockBit were to fall out of favor with cybercriminals.  \r\nThe previous gangs that once held first place, such as Maze, REvil, and Conti, all eventually fell. The common\r\ntheme across each is that their egos grew out of control, and their greed drove them to push things too far.\r\nEventually, they overstepped and drew the attention of entire governments with greater resources than traditional law\r\nenforcement. 
Regardless, it’s unlikely LockBit will ever face arrest or spend time in a prison cell. In reality, its\r\ngreatest concern is that its own government will find its members, confiscate their finances, and force them to support its\r\nmilitary or government cyber operations.  \r\nThis may be one reason LockBit claims it no longer resides in Russia, though I believe that is more likely a story\r\nintended to throw off investigators. For example, over the course of my investigation, LockBitSupp discussed\r\nliving in China, the Netherlands, Hong Kong, and even the US. At one point, the gang’s leader even claimed he\r\nowned a stake in two restaurants based in New York City! However, the one place he discussed the least, Russia,\r\nis most likely where he resides today.  \r\nAnother problem is that we approach ransomware criminals similarly to traditional criminals. Ransomware criminals\r\nare protected and out of the reach of law enforcement unless they leave Russia and are caught in a nation that\r\nallows extradition to the United States. However, we address the problem by issuing warrants and working to\r\narrest Russian ransomware criminals like LockBit with tactics that continue to fail. I don’t fault law enforcement,\r\nbut it’s time we change the way we approach the ransomware problem.  \r\nIn my opinion, we need to conduct information warfare operations intended to inject propaganda and\r\nmisinformation across dark web forums used by ransomware criminals. If criminals lose trust in the RaaS\r\nprovider, they will not work for them. Paranoia, distrust, and concerns about losing revenue are common among\r\nransomware affiliates. We need to play on this fear. This, in conjunction with attacks against ransomware services\r\nand infrastructure, would deny the resources that ransomware gangs provide to their affiliates. 
Driving distrust and\r\ncausing intermittent service outages would frustrate criminals and affect the RaaS provider negatively. Regardless\r\nof how we address the issue, one thing is for sure: what we are doing now is not working, and it’s time for a\r\nchange.  \r\nAbout Analyst1\r\nThreat intelligence teams often struggle to bridge the gap from insight to action. Analyst1 is the Orchestrated\r\nThreat Intelligence Platform designed to resolve this issue. It automatically organizes threat data, links it to your\r\nassets and vulnerabilities, and customizes views for different roles. Analyst1’s orchestration layer streamlines\r\nworkflows and automates reliable actions by integrating with SIEM, ticketing, and vulnerability management\r\nsystems. From Fortune 500 financial institutions to national security agencies, enterprises trust Analyst1 to unify\r\ntheir defenses, significantly reducing their response time from days to minutes.\r\nAppendix\r\nStatement from LockBit Black Developer\r\n“LockBitSupp is being disingenuous when it portrays its “fired” coder as a deranged psycho who is on anti-anxiety medication.\r\nIt benefits him, given that he does not disclose the “quotes” about the details of what happened.\r\nThe coder who worked with him is me. I’ll make it clear right away, no one fired me, in fact. I left on my own.\r\nThe decision to leave was made after I finally got an understanding of the situation that I was simply thrown.\r\nAt the moment, LockBit has no technical support for either the current 3.0 draft or the old 2.0 without any support\r\nfor almost a year now. I don’t know how LockBitSupp parted ways with the coder who wrote 2.0.\r\nAccording to LockBitSupp, the type encoder became afraid of something and decided to leave. 
I think about the\r\ntrue state of affairs, regarding the 2.0 developer, we will never know.\r\nNow to what happened to me.\r\nAt the end of 2021…\r\nBy that time, on the LockBitSupp forum, if my memory serves me, I wrote that I was considering proposals for\r\ncooperation.\r\nI wrote to him. He was very happy, as I understood, especially after he found out who I was.\r\nI said that I was ready to write a new locker from scratch. And showed him my source. To which he said that there\r\nwas no need to write a new locker, it was enough to modify the metter code. I warned him that the metter had\r\nalready fired at that moment with all possible ABs, to which he replied that it didn’t matter, because adverts still\r\ncut down AB before setting up the network.\r\nWe agreed with him on such terms of cooperation.\r\n1. Before the release of the locker, at the stage of finalizing the code of the metter, he pays me 20K per month.\r\n2. After the release, I get 10% of the money he receives from adverts for further support of the 3.0 project. The\r\npayment of these interests will occur every first day of the month, after the release.\r\n3. LockBitSupp will remove its 2.0 from the panel so that adverts use only 3.0.\r\nThese are all agreements on which mutual agreement has been reached. I specifically draw your attention to this.\r\nFurther, within 6 months (before the release), I added 2 functions to the current metter code:\r\n1. PsExec distribution over the network.\r\n2. 
Distribution over the network using GPO (group policies), plus automatic self-removal of group policy after a\r\nspecified time.\r\nAdditionally, uninstallation of MS defender, overwriting of free space on the hard disk after encryption, and\r\nsecure deletion of files (multiple overwriting of the contents of the file before deletion, including the filename, to\r\nprevent the recovery of deleted files) was added.\r\nI note that with the next check for AVcheck (even before the release), my locker started to fire like LockBit 3.0! I\r\nasked a question about this LockBitSupp, what’s going on? To which he replied that most likely the tester who\r\ntested the new locker had a “leak,” he forgot to turn off the AV. Here I had the first bad feeling that the locker was\r\nbeing used even before the release. Later it turned out that LockBitSupp gave it to some advert for a ‘test’ so that\r\nhe would check it ‘in combat’ conditions. True, he kept silent about whether the payment was as a result of this\r\n‘test.’\r\nThe release took place at the end of June 2022.\r\nAfter the release, LockBitSupp announced a bug bounty, which I found out later, i.e., he didn’t ask for my consent.\r\nLiterally a couple of weeks later after that, LockBitSupp tells me that some kind of researcher from some cantor’s\r\nrecovery got in touch with him, which states that there is a bug in the encryption of my locker and that larger files,\r\nsuch as virtual disk images, can be decrypted. But only such files. Because they contain large areas filled with\r\nzeros, the blocks on which the data is encrypted are repeated. Salsa encryption algorithm [20]. This was my joint, I\r\nadmit it. And the jamb was, as it turned out, even when the metter was. I don’t want to justify myself. 
I just\r\nwanted the best, it turned out as always, I, in pursuit of encryption speed, decided to rewrite the salsa algo from 32\r\nregisters to SSE myself and missed one significant moment. Anyway, I quickly fixed it. Replacing the standard\r\nalgorithm. After that, LockBitSupp billed me 50K, which he promised to the researcher, as a reward. To which I\r\nsaid that if the profit is divided 90% by 10%, then the costs should be shared in the same ratio. I transferred him\r\n5K in Monero, as my share in the reward of the researcher. By the way, another lie of LockBitSupp is that he paid\r\nall 50K from ‘his own pocket.’\r\nThen came August 1. And, accordingly, the payment of my interest. To which he told me that his wallet was being\r\nsynchronized. As a result, the wallet was synchronized with him only after 9 days. At the end, he sends me a\r\nscreenshot of a wallet with bitcoins, on which there are approximately 120K in dollars.\r\nThe fact is that I’m ‘in the know’ and I understand perfectly well that for the promoted software it’s not just a\r\npenny, but tears … To my question LockBitSupp, why is that? He replied that most of the adverts were on\r\nvacation. And the fact that you can’t compare 2020 and 2022, that everything is complicated, etc. LockBitSupp\r\nwent on to say that out of the 120K received, it takes back the 50K paid to the researcher for the bug bounty. As a\r\nresult, 70K remained, of which only 5K are mine (interesting math: 10% of 70K turns out to be not 7K but 5). As a\r\nresult, he transferred 10K to me — this is 5K that I gave to pay the researcher and 5K — my interest for the\r\nmonth.\r\nAt that time, the current locker 3.0 was supported by me, plus, I wrote a new metamorphic locker on SysCall to\r\nbypass the AB proactivation (to be fair, I note that the new locker was invisible at least to sophos) and utilities for\r\n‘killing’ AB. 
LockBitSupp knew about these developments, but we had not yet stipulated the conditions for their\r\nuse on the PP.\r\nNaturally, I suspended development. I decided to wait another month, leaving only support for 3.0.\r\nLiterally after this, LockBitSupp turns to me, like the files of the ‘clients’ of adverts are not decrypted. I asked for\r\nsamples of these files.\r\nAnd found out that the files are encrypted twice. At the beginning with my locker, then 2.0. Naturally I ask\r\nLockBitSupp a question about our deal that he had to take his 2.0 away. To which he replied that ‘everything is for\r\nthe convenience of adverts,’ that adverts have a choice whether to work with 2.0 or 3.0. Naturally, wallets 2.0 and\r\n3.0 are different. In fact, it turns out that he takes everything from 2.0 to himself, and from 3.0, I can only get 10%\r\n(and I didn’t receive those, judging by August 1). He never removed 2.0 from the panel, even after everything was\r\nrevealed.\r\nThen came September 1. Instead of his interest, he sent me a screenshot of wallet 3.0 with ~42 bitcoins,\r\nannouncing with pathos that there would be something else and that I didn’t trust him in vain, the amount would\r\nonly grow, because adverts began to return from holidays.\r\nI asked him to give me my 4 bitcoins, since 10% is mine. To which he replied that I didn’t work for 2 months\r\n(probably forgot about support for 3.0) and I will receive this money ONLY when I give him a new metamorphic\r\nlocker and killers for defender and sophos, at least. At the same time, I remind you that the conditions for new\r\ndevelopments have not been discussed. I told him about it. To which LockBitSupp stated that 10% is for\r\nEVERYTHING, i.e., for support 3.0 and for ALL new developments!!!\r\nAnd then I went nuts. Immediately he tells me that for 10%, I should generally work 24/7 without a breeze. 
He\r\nbegan to offer ‘guarantors’ through which I can get money if I fulfill his conditions.\r\nI thought carefully and announced my leaving.\r\nIn general, I told everything as it is. PS I don’t remember exactly, but, LockBitSupp somewhere stated that he\r\n‘bought’ metter sources for 1KK. So, he did not buy anything, he got everything from me.”\r\nIOCs\r\nCitations\r\n1. https://twitter.com/3xp0rtblog/status/1569230420314554372\r\n2. https://github.com/3xp0rt/LockBit-Tattoo\r\n3. https://www.redhotcyber.com/en/post/rhc-interviews-lockbit-3-0-the-main-thing-is-not-to-start-a-nuclear-war/\r\n4. https://www.kaspersky.com/resource-center/threats/lockbit-ransomware\r\n5. https://cyware.com/research-and-analysis/lets-talk-about-lockbit-an-in-depth-analysis-7cf0\r\n6. https://arstechnica.com/information-technology/2020/05/lockbit-the-new-ransomware-for-hire-a-sad-and-cautionary-tale/\r\n7. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/targeted-ransomware-threat\r\n8. https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\r\n9. https://www.kaspersky.com/resource-center/threats/lockbit-ransomware\r\n10. https://www.youtube.com/watch?v=FbZyADzEez4\r\n11. https://symantec.broadcom.com/hubfs/Symantec-Targeted-Ransomware-White-Paper.pdf\r\n12. https://analyst1.com/whitepaper/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel\r\n13. https://techcrunch.com/2021/10/29/europol-hackers-norsk-hydro/\r\n14. https://nostarch.com/art-cyberwarfare\r\n15. https://tria.ge/220824-x5m6ysaahk/behavioral1#report\r\n16. https://id-ransomware.blogspot.com/2019/10/abcd-ransomware.html\r\n17. https://www.bleepingcomputer.com/forums/index.php?app=core\u0026module=global\u0026section=register\r\n18. https://finance.yahoo.com/quote/BTC-USD/history?period1=1410739200\u0026period2=1593302400\u0026interval=1wk\u0026filter=history\u0026frequency=1wk\r\n19. https://www.hhs.gov/sites/default/files/lockbit-ransomware.pdf\r\n20. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/\r\n21. 
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-self-spreads-to-quickly-encrypt-225-systems/\r\n22. https://thedfirreport.com/2020/06/10/lockbit-ransomware-why-you-no-spread/\r\n23. https://www.bleepingcomputer.com/news/security/ransomware-gangs-team-up-to-form-extortion-cartel/\r\n24. https://thehackernews.com/2022/07/experts-find-similarities-between.html\r\n25. https://www.cbsnews.com/news/ransomware-cybercrime-cartel-wizard-spider-viking-spider-lockbit-twisted-spider/\r\n26. https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf\r\n27. https://analyst1.com/blog/dark-web-justice-league\r\n28. https://geminiadvisory.io/lockbit-launches-ransomware-blog/\r\n29. https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf\r\n30. https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool\r\n31. https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/\r\n32. https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/\r\n33. https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/\r\n34. https://www.crn.com/news/security/accenture-s-lack-of-transparency-in-ransomware-attack-sets-bad-example-partners\r\n35. https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/\r\n36. https://twitter.com/AuCyble/status/1425422006690881541\r\n37. https://www.bleepingcomputer.com/news/security/lockbit-gang-leaks-bangkok-airways-data-hits-accenture-customers/\r\n38. https://www.bleepingcomputer.com/news/security/lockbit-gang-leaks-bangkok-airways-data-hits-accenture-customers/\r\n39. 
https://www.techtarget.com/searchsecurity/news/252508243/Accenture-sheds-more-light-on-August-data-breach\r\n40. https://www.sec.gov/ix?doc=/Archives/edgar/data/1467373/000146737321000229/acn-20210831.htm\r\n41. https://duo.com/decipher/lockbit-ransomware-variant-targets-vmware-esxi\r\n42. https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/\r\n43. https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/\r\n44. https://cyware.com/news/connecting-the-dots-between-lockbit-30-and-blackmatter-a33ce68f\r\n45. https://www.theregister.com/2021/10/04/in_brief_security/\r\n46. https://www.techtarget.com/searchsecurity/news/252503605/Kaseya-1500-organizations-affected-by-REvil-attacks\r\n47. https://gizmodo.com/report-fbi-had-ransomware-decryption-key-for-weeks-bef-1847715916\r\n48. https://analyst1.com/file-assets/History-of-REvil.pdf\r\n49. https://twitter.com/ddd1ms/status/1498012695035011079\r\n50. https://analyst1.com/blog/a-behind-the-scenes-look-into-investigating-contileaks-1\r\n51. https://www.cyber.nj.gov/garden_state_cyber_threat_highlight/conti-ransomware-group-announces-shutdown-proliferation-continues-via-affiliates\r\n52. https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/\r\n53. https://techcommunity.microsoft.com/t5/microsoft-security-experts/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421\r\n54. https://www.malwarebytes.com/blog/threat-intelligence/2022/08/ransomware-review-july-2022\r\n55. https://www.malwarebytes.com/blog/threat-intelligence/2022/08/ransomware-review-july-2022\r\n56. https://www.state.gov/darkside-ransomware-as-a-service-raas/\r\n57. https://analyst1.com/file-assets/History-of-REvil.pdf\r\n58. https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/\r\n59. 
https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-claims-to-be-shutting-down-due-to-police-pressure/\r\n60. https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat\r\n61. https://www.scmagazine.com/analysis/ransomware/blackcat-confirms-blackmatter-roots-but-makes-an-ask-of-the-researcher-community\r\n62. https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html\r\n63. https://www.redhotcyber.com/en/post/rhc-interviews-lockbit-3-0-the-main-thing-is-not-to-start-a-nuclear-war/\r\n64. https://www.justice.gov/opa/press-release/file/1084361/download\r\n65. https://therecord.media/fin7-cybercrime-cartel-tied-to-black-basta-ransomware-operation-report/\r\n66. https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions\r\n67. https://analyst1.com/whitepaper/nation-state-and-ransomware\r\n68. https://www.prodaft.com/resource/detail/silverfish-global-cyber-espionage-campaign-case-report\r\n69. https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf\r\n70. https://www.speartip.com/resources/evil-corp-poses-as-babuk-to-avoid-sanctions-and-secure-payment/\r\n71. https://borncity.com/win/2022/10/11/exchange-server-neue-0-day-nicht-notproxyshell-cve-2022-41040-cve-2022-41082/\r\n72. https://therecord.media/microsoft-investigating-alleged-exchange-zero-day/\r\n73. https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/\r\n74. https://techcrunch.com/2022/07/27/entrust-data-stolen-june-cyberattack/\r\n75. https://breached.vc/Thread-Entrust-com-Leak-Part1\r\n76. https://analyst1.com/whitepaper/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel\r\n77. https://techcrunch.com/2022/07/27/entrust-data-stolen-june-cyberattack/\r\n78. 
https://angle.ankura.com/post/102htog/lockbit-implements-new-technique-by-leaking-victim-negotiations\r\n79. https://twitter.com/vxunderground/status/1562839055158558720?lang=e\r\n80. https://github.com/3xp0rt/LockBit-Tattoo\r\n81. https://twitter.com/vxunderground/status/1568273779050127363?lang=en\r\n82. https://twitter.com/3xp0rtblog/status/1572510793861836802\r\n83. https://twitter.com/_JohnHammond/status/1572570711155417089?\r\n84. https://twitter.com/_JohnHammond/status/1572570711155417089?\r\n85. https://analyst1.com/blog/a-behind-the-scenes-look-into-investigating-contileaks-1\r\n86. https://twitter.com/ido_cohen2/status/1571039567666638848\r\n87. https://techmonitor.ai/technology/pendragon-posted-on-lockbit-3-0-blog\r\n88. https://www.bankinfosecurity.com/lockbit-publishes-stolen-data-as-hospital-rejects-extortion-a-20155\r\n89. https://www.justice.gov/usao-nj/pr/russian-and-canadian-national-charged-participation-lockbit-global-ransomware-campaign\r\n90. https://www.justice.gov/opa/pr/man-charged-participation-lockbit-global-ransomware-campaign\r\n91. https://www.justice.gov/usao-nj/press-release/file/1551116/download\r\n92. https://therecord.media/alleged-lockbit-operator-to-be-extradited-from-canada-to-u-s/\r\n93. https://the-key.tk/2022/12/17/interview-lockbit/\r\nSource: https://analyst1.com/ransomware-diaries-volume-1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://analyst1.com/ransomware-diaries-volume-1/"
	],
	"report_names": [
		"ransomware-diaries-volume-1"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "821d8858-a784-4ab2-9ecb-56c7afeed7d7",
			"created_at": "2023-11-21T02:00:07.403629Z",
			"updated_at": "2026-04-10T02:00:03.479942Z",
			"deleted_at": null,
			"main_name": "SilverFish",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverFish",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434393,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e5c42318f536dc6931929ec95020fcff206919e.pdf",
		"text": "https://archive.orkl.eu/6e5c42318f536dc6931929ec95020fcff206919e.txt",
		"img": "https://archive.orkl.eu/6e5c42318f536dc6931929ec95020fcff206919e.jpg"
	}
}