{
	"id": "98fa540d-ba8e-49f5-81af-8d594a783f57",
	"created_at": "2026-04-06T00:11:17.656025Z",
	"updated_at": "2026-04-10T03:29:40.202148Z",
	"deleted_at": null,
	"sha1_hash": "9b8e6fa2ddcd7736b092427f0e231568a4502004",
	"title": "Ransomware Diaries V. 3: LockBit's Secrets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10847077,
	"plain_text": "Ransomware Diaries V. 3: LockBit's Secrets\r\nBy Jon DiMaggio\r\nPublished: 2023-08-15 · Archived: 2026-04-05 14:36:25 UTC\r\nWARNING: PLEASE DO NOT TRY THIS AT HOME. ENGAGING WITH RANSOMWARE CRIMINALS\r\nSHOULD ONLY BE CARRIED OUT BY TRAINED PROFESSIONALS. WHILE IT SEEMS “COOL” TO\r\nINTERACT WITH BAD GUYS, DOING SO PUTS YOU AND YOUR EMPLOYER AT GREAT RISK.\r\nPLEASE DO NOT ATTEMPT TO EMULATE WHAT YOU SEE IN THIS REPORT UNLESS YOU HAVE THE\r\nKNOWLEDGE, EXPERIENCE, AND SKILL SET TO PERFORM SUCH ACTIONS. THANK YOU!\r\nIntro\r\nIn this volume of the Ransomware Diaries, I will share interesting, previously unknown details of the LockBit\r\nransomware operation that LockBit has tried very hard to cover up. Until now, you have been lied to about\r\nLockBit’s true capability. Today, I will show you the actual current state of its criminal program and demonstrate\r\nwith evidence-backed analysis that LockBit has several critical operational problems, which have gone unnoticed. \r\nThis time, besides using fake personas, I have spoken directly with the gang and many of its affiliate partners. I\r\nalso reached out to victims. I learned what happens behind the scenes during the ransom negotiations and the\r\nrelationships LockBit has with its affiliate partners and competing rival gangs. LockBit has secrets it does not\r\nwant either party to know. Now, I look forward to sharing them with you! \r\nBefore I begin, I need to share a significant event that took place as I finalized this report. In August 2023,\r\nLockBit’s leadership vanished and was unreachable to fellow gang members, including its affiliate partners, for\r\nthe first two weeks of August. During that time, several of LockBit’s close associates shared concerns that the\r\ngang’s leadership was on the run or dead. Then, on August 13, LockBit reappeared on private channels as if it\r\nnever happened. 
Still, during the time LockBit was gone, LockBit’s data leak site and infrastructure were up, but\r\nno one was actively managing it.\r\nThe question is: why? Fortunately, I have some answers. \r\nKey Findings\r\nLockBit may currently be compromised. After sharing my findings in this report with the LockBit gang,\r\nit disappeared and went dark on Tox, which it uses to communicate and run its operation. At the same time,\r\nI received a message from affiliates who thought I hacked the gang. Then, I received another message from\r\na third party who indicated they may have hacked the gang’s infrastructure. At the time, it was unclear if\r\nthe humans behind the LockBit gang had gone into hiding, or were just taking a break, but their lack of\r\nactivity was significant. I believe the gang went dark to clean up the intrusion into its infrastructure.  \r\nLockBit has an issue publishing and leaking victim data. It has used propaganda on its leak site and a\r\nstrong narrative across criminal forums to hide the fact it often cannot consistently publish stolen data.\r\nhttps://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/\r\nPage 1 of 43\n\nInstead, it relies on empty threats and its public reputation to convince victims to pay. Somehow, no one\r\nbut affiliate partners noticed. This problem is due to limitations in its backend infrastructure and available\r\nbandwidth. \r\nLockBit recently updated its infrastructure to address these deficiencies. However, this is a gimmick to\r\nmake it appear that it corrected the previously mentioned problem with posting victim data. It claims\r\nvictims’ “FILES ARE PUBLISHED”. Often, this is a lie and a ploy to cover up the fact that LockBit\r\ncannot consistently host and publish large amounts of victim data through its admin panel, as promised to\r\nits affiliate partners. Further, over the past six months, LockBit has presented empty threats it failed to act\r\nupon after many victims refused to pay. 
Yet, somehow, no one has noticed.  \r\nAffiliates are leaving LockBit’s program for its competitors. They know that LockBit is unable to\r\npublish large amounts of victim data, despite its claims. Additionally, it takes the gang days to weeks to review\r\nthe correspondence and reply to their affiliate partners. Some requests simply go unaddressed by the\r\nLockBit gang. \r\nLockBit missed its most recent release date to produce an updated ransomware variant to support its\r\npartner affiliates. Instead, it relies on outdated, publicly available ransomware, leaked from its\r\ncompetitors. \r\nLockBit wants to steal ransomware from its rival ransomware gangs to use in its own operation and\r\noffer through its admin panel. It wants to provide an à la carte-style ransomware offering and become a\r\none-stop shop for hacker affiliates. \r\nPart I: Our Story\r\nPreviously on the Ransomware Diaries \r\nIn the first volume of the Ransomware Diaries, I detailed my account of the LockBit ransomware gang, which I\r\nwrote after spending months working undercover using fake personas to monitor conversations and build\r\nrelationships with cybercriminals.  \r\nThe Ransomware Diaries Volume 1 demonstrated how human intelligence can add value when applied to the\r\ntechnical analysis of cyber threats. Hopefully, this volume will build upon that work.  \r\nThe most significant difference between my initial research and this report is that I have been able to establish a\r\ndirect line of communication with the leader of LockBit, and many of its affiliate partners, directly as myself.\r\nWhile risky, talking directly with the gang made for greater personal interaction, allowing me to obtain more\r\ninformation than I could with fake personas alone. \r\nStill, I used personas while investigating criminal activity discussed in this report and monitored conversations\r\nacross dark web forums. 
Additionally, I scrutinized LockBit’s leak site, examining each new victim post to\r\nobserve how LockBit published data and negotiated with its victims.  \r\nI contacted victims, asking questions about their incident, and seeking details to better understand the human\r\ninteraction they experienced dealing directly with ransomware criminals. Now, I will share details of my ongoing\r\ninvestigation as it took place.  \r\nFinally, I have significant, previously unknown findings, which LockBit has tried to hide from both the public and\r\nits partners, and which I will expose to provide an inside look into the LockBit ransomware gang. \r\nThis is our story. \r\nLockBit Gets Handsome \r\nAfter publishing my research, I was concerned about how the LockBit gang would react once they saw I had\r\nposted details of their internal operation. Pissing off the world’s most notorious cybercriminal, who has deep\r\npockets and strong ties within Russian organized crime, is not the smartest thing I have done, so I was curious\r\nabout their reaction.  \r\nSubsequently, in January, after the Ransomware Diaries went live, I logged onto both Exploit and XSS — two\r\nforums often used by Russian cybercriminals. The first comment I saw from LockBit was made on XSS and was\r\nnot what I expected. A security researcher asked LockBit what it thought of the report. You can see LockBit’s\r\nresponse in Figure 1. \r\nFigure 1: A comment from LockBit on the underground forum, XSS, about my Ransomware Diaries\r\nVolume 1 report.   \r\nI laughed when I read the comment. Later in a direct conversation, I asked LockBit to send me pictures of it on its\r\nyacht to include in this report; however, it declined to send them! \r\nNext, I checked the Exploit forum. There were no comments about my report, but LockBit definitely sent a\r\nmessage. When I viewed LockBit’s account, I saw my own face staring back at me! 
Apparently, LockBit decided\r\nto update its avatar and use my face to represent its persona.  \r\nFigure 2: My Oh Sh!t moment: LockBit updating their profile with my picture. At least it’s a good\r\npic.  \r\nAt first, I was unsure if this was an authentic account associated with the same criminals I interacted with\r\npreviously. In those interactions, I engaged with the gang through an account they used, named “LockBitSupp,”\r\non the XSS forum. This other account present on the Exploit forum, with my face as the avatar, was titled\r\n“LockBit.” \r\nStill, I wanted to see if there was a “LockBitSupp” account on the Exploit forum, so I conducted a query for the\r\nusername. I found it had previously existed, but had been dormant since May of 2021, when the forum admins\r\nbanned ransomware content after the fallout of the Colonial Pipeline incident. Since then, the “rules” have been\r\nrelaxed a bit, though recruiting for ransomware operations is still banned. \r\nThe criminal behind the “LockBit” account created it in January 2020, over a year before registering the\r\n“LockBitSupp” persona. The LockBit account had also been dormant for some time and only recently became\r\nactive. Shortly after, in March 2023, the person behind the “LockBit” account made a new post that provided\r\nadditional evidence, proving this was one of the gang’s personas.  \r\nYou see, LockBit uses Tox, an encrypted communication application, to communicate with other criminals,\r\njournalists, and researchers. Similar to how a phone number is assigned to a phone, Tox has its own unique value\r\nused to identify and connect each account, which LockBit lists on the “contact us” section of their data leak site. \r\nYou can see in Figure 3 that LockBit’s Tox ID documented on the “Contact Us” page is the same Tox ID provided\r\nin a post by the “LockBit” account that uses my face. 
It is also the Tox ID used by the LockBitSupp persona on\r\nthe other forum (XSS) discussed in my previous research. Now, I was confident the account was authentic and\r\nused by core members of the LockBit gang.\r\nFigure 3: LockBit Tox ID seen on their website and in a post by the “LockBit” account. \r\nThe Tox ID convinced me, but the human traits behind the account were even more convincing. After spending so\r\nmuch time studying, observing, and profiling the LockBitSupp persona over the last year, I have become\r\nespecially familiar with the human characteristics of the individuals behind LockBit’s mask. As detailed in my\r\nprevious research, at that time, at least two people operated the “LockBitSupp” account. One is the gang’s leader\r\nitself.  \r\nNow, to be fair, it has always been professional with me. However, while engaging with other criminals, I have\r\nobserved characteristics indicating it is closed-minded, sexist, racist, and sometimes quite dramatic when engaged.\r\nIf the gang’s leader were a celebrity instead of a criminal, it would have been canceled long ago.  \r\nFurther, while I know this will anger it, its personality reminds me of “UNKN,” the former leader and voice of the\r\nREvil ransomware gang. Ironically, the two hated one another and constantly argued in front of other criminals on\r\nunderground forums.  \r\nThe second person facilitating the LockBitSupp account is friendlier and more pleasant to deal with. It is also\r\nmuch younger than the leader, based on its mannerisms and communication style. It is nice to talk to in\r\ncomparison to Mr. Grumpy Pants!  \r\nSo now that you know there are multiple people behind the persona, understand that when I talk about LockBit as\r\nan individual, I am referring to the first personality I describe. I am referring to the gang leader and not one of the\r\nother LockBit members operating the account.  
\r\nSince I began my research, additional people may now respond from this account. Still, the two I described have\r\nhistorically worked the persona since the early days of its operation.   \r\nI also noticed that the gang’s leader frequently posts on the criminal forums today, compared to the Tox account,\r\nwhich has a tiered structure to facilitate its operation. That account is where I have communicated with the\r\nyounger member more frequently. I mentioned that there may be additional gang members responding from the\r\naccount today because LockBit’s Tox account is almost always online. All of this and the stark differences in\r\npersonalities and mannerisms make me confident in this assessment. \r\nNow, let me explain LockBit’s workflow to operate Tox. With a 24/7 operation, the gang has a structure to\r\nsuccessfully manage and handle the volume of communication requests and questions that come in daily.\r\nLockBit’s leadership assigns rotating responsibilities to the gang’s lower-ranking members, who keep the queue\r\nmoving and answer requests. They respond to messages from “online” accounts first and then filter out remaining\r\nrequests as time permits.  \r\nHowever, it takes longer to get a response whenever I ask for anything significant where a decision is needed. The\r\nlower-ranking members handling the account must push the request to the leader and await a response. I know this\r\nbecause I have talked with the younger guys more often on Tox, but when I have something significant to ask, it\r\ntakes them much longer to respond to me. Then when I do get the response, the mannerisms, feel, and tone are\r\nentirely different.  \r\nAdditionally, several very bright researchers with expertise in the Russian language have told me that one of\r\nLockBit’s close partners within the gang, who often operates the Tox chat and occasionally posts on criminal\r\nforums, is of Ukrainian descent.  
\r\nhttps://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/\r\nPage 5 of 43\n\nI am not an expert and cannot attest to this myself, but I have been told there is a difference in the grammar and\r\nverbiage used by someone who learned to speak Russian in Ukraine vs. someone who is a native Russian speaker.\r\nThis would also explain why LockBit distanced itself from Russia and publicly posted a message after the war\r\nbegan, stating that the gang was a-political and would not take sides.  \r\nNow, let’s get back to the forums and the new, more handsome Lockbit account that started this story! In true\r\nLockBit fashion, it was about to unleash a dramatic plot to deceive and steal from another notorious criminal\r\norganization, the Royal Ransomware gang. \r\nIn walks Baddie.  \r\nThe Royal Ransomware Drama \r\nIn late January 2023, Lockbit responded to a forum thread titled “LockBit 3.0 Black Builder.” In the thread, an\r\naffiliate ransomware hacker asked about the leaked LockBit ransomware builder, which I discussed in the\r\nRansomware Diaries Volume I.   \r\nLockBit tells the affiliate: \r\n“The builds from the merged builder differ in size from the builds from my panel, hence the\r\nconclusion that the offended encoder somehow modified the builder, there are no guarantees that\r\nthere is no universal master key.” –LockBit \r\nIn other words, LockBit is saying that since the file size of the builder had changed, someone may have altered the\r\nsource code. LockBit warns that the developer could have altered the builder to allow for a universal decryption\r\nkey, which, if true, would allow victims to decrypt their data without paying a ransom.  \r\nI suppose this is possible, but in reality, the variance in the file size could be anything from an altered feature to a\r\nuniversal key or even a backdoor. I have looked at the leaked builder, and the changes appear insignificant. 
It\r\nlikely would have been discovered by now if there were an issue, since the disgruntled developer leaked the builder in\r\nSeptember 2022. \r\nSeveral days after LockBit made the statement, another persona who goes by the moniker “Baddie” joined the\r\nconversation. Let’s pause and establish Baddie’s relevance before continuing with our story. You see, Baddie is a\r\npersona I follow, and I bet many of you reading this will recognize it as well. If not, as pointed out by security\r\nresearcher Azim Khodjinaev, Baddie claims to be a senior member or possibly the leader of the Royal ransomware\r\ngang.  \r\nMore notably, if truly the leader of Royal ransomware, Baddie is likely part of the former Conti gang. Various\r\nresearchers, myself included, as well as cybersecurity vendors have attributed Royal ransomware as a spin-off\r\ngroup that evolved after the Conti gang ceased operation in May 2022.  \r\nWhile outside the scope of this report, one of my favorite bad guy chasers, @BushidoToken (AKA Will Thomas,\r\nCTI Researcher at Equinix) wrote a great blog detailing exactly how Royal aligns with the former Conti gang.  \r\nBack to our story…  \r\nThe LockBit persona had just posted a comment on the underground forum, Exploit, addressing a hacker who\r\nwanted to use the leaked LockBit ransomware builder in extortion attacks. LockBit told the hacker it could make\r\nmuch more money using LockBit’s admin panel as a partner in their operation, as opposed to working alone with\r\nthe leaked ransomware variant.  \r\nThis is where Baddie comes into the conversation. Apparently, Baddie is upset with LockBit. While it does not\r\ntranslate well, Baddie is asking LockBit if partnering with their gang is immensely profitable and successful, then\r\nwhy is LockBit trying to convince Royal Ransomware affiliates to give LockBit access to the Royal ransomware\r\nbuilder? 
You can see part of the conversation in Figure 5. \r\nFigure 5: Baddie challenging LockBit about its inquiries into Royal Ransomware \r\nIn response, LockBit quickly denies any wrongdoing and states that it wants access to Royal’s builder to create a\r\nransomware comparison table. LockBit claims it wants to demonstrate that LockBit Black is the most efficient\r\nransomware offering on the criminal market. Like Baddie, I immediately questioned this. LockBit, you are a\r\ncriminal, and while I appreciate the business-like effort, you are not taking part in a Gartner vendor assessment.\r\nNo one is buying this. \r\nBaddie, of course, is reluctant to give LockBit access, and the two begin to argue. Baddie accuses LockBit of\r\nattempting to gain access for other reasons, such as stealing from competitors. Further support of this claim came\r\nfrom VX-underground on January 27, 2023, when it shared interesting news about a new LockBit variant titled\r\n“Lockbit Green.” \r\nFigure 6: VX-Underground tweet announcing the release of LockBit Green\r\nThis was strange. Usually, LockBit would discuss and beta test a new ransomware variant amongst affiliates\r\nbefore its release. Additionally, LockBit released both the Red and Black variants in June of their respective release years, not January.\r\nLooking at this closer, it became apparent why this release is less significant than previous LockBit updates,\r\nwhich we will discuss next. \r\nGotta Make That Green!  \r\nBefore I saw the conversation between LockBit and Baddie, a message appeared from the LockBitSupp persona\r\non the other prominent criminal forum, XSS, in December 2022. The message stated that LockBit planned to\r\nrelease an updated payload based on the leaked Conti ransomware in the coming weeks. Strangely, LockBit\r\ndeleted the post shortly after.  
\r\nI did not know how I felt about the short-lived post, and I considered that LockBit might be trying to mislead\r\nresearchers, so I did nothing with the information. I did not think LockBit would use someone else’s ransomware\r\nbecause it is focused on building its brand and has a massive ego. Using a competitor’s ransomware payload when\r\nyou have your own would be like working for Apple and owning an Android phone. You just don’t do it. \r\nNow, let me explain why LockBit deleted its comment. Remember, I said many of the forum posts today are made\r\nby the leader of LockBit. However, the younger member occasionally makes posts from the same account. This\r\nwas one of those occasions.  \r\nYou see, the junior LockBit member should only have announced their plans to use a competitor’s ransomware\r\nonce they were ready to add it to their admin panel. The senior member saw the post and deleted it a few hours\r\nlater. \r\nSo, in January 2023, when I read VX-underground’s tweet, I wanted to verify if this was, in fact, a revised version\r\nof Conti’s ransom payload. Fortunately, I did not have to wait long to validate the claim. Shortly after the release,\r\nBleeping Computer published an article detailing the similarities and differences between this new release,\r\nrenamed LockBit Green, and previous Conti variants.\r\nAs you likely know by now, LockBit Green is a modified version of Conti ransomware. The two obvious changes\r\nwere, first, the ransom note, which now directs victims to LockBit negotiation infrastructure, and second, it no\r\nlonger appends “.lockbit” to encrypted files. Instead, it appends random characters to each encrypted file.  \r\nBleeping Computer and Prodaft, a cyber intelligence company, had an interesting theory explaining why LockBit\r\nis using one of its competitor’s payloads. 
The company believes LockBit wants to attract Conti’s former affiliates,\r\nwho prefer using the Conti payload. This makes sense since many affiliates have moved on from LockBit’s\r\nprogram to support other competing ransomware operations.  \r\nSadly, the information I found leads to a far worse scenario for defenders and incident responders. To explain, I\r\nneed to share information and details on other behind-the-scenes events leading up to this before I present my\r\nfindings surrounding the use of LockBit Green and other ransomware LockBit is trying to obtain. For those who\r\ncan’t wait, you can jump ahead to the section titled “LockBit’s Secrets,” where I will explain everything in greater\r\ndetail. For the rest of you, please read on. \r\nLockBit’s American Dream \r\nOver the next week, in February 2023, LockBit and Baddie continued their argument. LockBit continued to deny\r\nit was trying to steal Royal’s builder, and Baddie continued to call out LockBit’s true intentions. This is where the\r\nconversation took a strange turn.  \r\nI am unsure if LockBit believes what it says or is trying to deflect and steer the conversation away from itself, but\r\nit calls Baddie a gangster and accuses it of working for the FSB. Based on the information I read in the Conti\r\nleaks, I think it is highly probable Baddie once did and may still have an association with the FSB, if it genuinely\r\nwas a former member of the Conti gang, as suggested.  \r\nThe comment itself is not significant to my research, but LockBit’s negative sentiment towards the intelligence\r\nagency is meaningful. In the conversation, LockBit claims that Maksim Yakubets, a wanted criminal the United\r\nStates indicted in 2019 for leading the EvilCorp ransomware gang and currently supporting the FSB, is working\r\nwith Baddie and Royal ransomware.  \r\nThe irony in the accusation is that EvilCorp used LockBit ransomware in attacks last year, but LockBit must have\r\nforgotten about that. 
Figure 7 below displays the correspondence between the two gang leaders: \r\nFigure 7: LockBit accuses Baddie and Royal Ransomware of working with Yakubets and the FSB. \r\nIt’s important to understand that LockBit does not believe it will ever be arrested, let alone imprisoned. It believes\r\nit is too intelligent to be caught. It thinks the only organization that could find it is the FSB since they have deep\r\nconnections in the Russian ransomware scene.  \r\nThis is why the leader of LockBit hides from the FSB as much as it hides from the FBI. It is afraid of having its\r\nassets frozen and being forced to support the Russian government. Can you imagine if you went from making\r\nhundreds of millions a year to having to take a mediocre salary as a government employee? If that happened,\r\nLockBit might have to sell its yacht. That would be true punishment for LockBit.  \r\nFor these reasons, I began questioning whether LockBit moved to another region outside of Russia. I don’t think it\r\nwould go far and is likely in a former CIS country, but I also noticed it was previously far more careful with its\r\nwords when discussing the FSB. The fact that it speaks freely and with negative sentiments toward the\r\norganization may signify it has moved outside of their reach. Of course, if you ask LockBit, which I have, it will\r\ntell you it is chilling out, enjoying life in the US!  \r\nI have spent time trying to determine who the leader of LockBit is and where it lives. Making this determination is\r\nnot easy, so I have gone down many rabbit holes to explore and assess each of the theories and claims.  \r\nLockBit intentionally puts out misinformation. For example, if you recall from Volume 1, LockBit has claimed it\r\nlived in China, the Netherlands, Hong Kong, and now the US. It even claims it is a partial owner of several\r\nrestaurants in New York City and owns a Tesla! 
None of this is likely true, but it makes me laugh and wonder how\r\nit comes up with this stuff.  \r\nFigure 8 below shows LockBit stating that it now resides in the US. It wouldn’t lie, would he? \r\nFigure 8: LockBit claims it is in the USA \r\nAgain, we should not discount the claims made by a criminal, but we certainly should not take their word for it\r\neither. I think it is highly unlikely that LockBit is in the US, but anything is possible. I think it’s important to\r\nexplore all possibilities from a government and law enforcement perspective.  \r\nI wrote this section of the report to share my belief that LockBit has fled Russia and is now living in another CIS\r\ncountry. If I am wrong, and it is still in the region, it clearly feels comfortable that Russian intelligence is unaware\r\nor incapable of discovering its true identity.\r\nThe Baddie Dox \r\nKeeping your identity private is important when you are the leader of a ransomware gang, which is why it’s ironic\r\nthat LockBit would be associated with outing another ransomware figurehead.  \r\nBased on the correspondence I have discussed between January and March 2023, Baddie and LockBit do not like\r\none another. Even so, while stealing from each other may be tolerated, there are rules you don’t break in the\r\ncriminal world, such as doxing.  \r\nIf you are not aware, doxing is when you reveal the human identity of the person behind an anonymous online\r\npersona. It’s like ratting someone out, which can have serious repercussions when the person identified is a\r\nwanted criminal. Breaking this rule can get you banned from many forums where criminals conduct business. \r\nFor these reasons, I was surprised to see an exchange between LockBit and other criminals, revealing the alleged\r\nidentity of the man behind the Baddie persona. 
It started when a member of the forum posted a link to a US\r\nTreasury press release that named several members of the TrickBot malware operation. Several of the men listed\r\nin the sanctions were also associated with the Conti ransomware gang. The Treasury issued sanctions against the\r\nmen for their role in cybercrime operations and money laundering schemes.  \r\nIt may sound odd that criminals would post and discuss a Treasury press release on an underground hacking\r\nforum, but conversing on articles related to ransomware operations is a fairly common practice. \r\nLockBit saw the post and asked about Stern and Baddie, whom the US Treasury did not list. We have already\r\ndiscussed Baddie, but if you are not aware, Stern is one of the senior managers of the Conti operation whose\r\ncorrespondence and role were observed in the chat logs found in the Conti leaks earlier last year.  \r\nShortly after LockBit asked the question, another persona responded, sharing details about Baddie’s identity. The\r\ninformation included Baddie’s real name, birthdate, passport number, address, education, and social media\r\naccounts.  \r\nI honestly have no idea if the man listed is really Baddie. This certainly could be misinformation, and I found no\r\nincriminating information about the person. Yet, if it were Baddie, I would not expect to easily find evidence\r\nlinking its identity. I decided not to post the information and photo in case it belonged to an innocent person.  \r\nYou can see relevant parts of the conversation in Figure 9 below. \r\nFigure 9: The conversation about the Treasury sanctions and the dox of Baddie, a senior member of\r\nRoyal ransomware. 
\r\nhttps://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/\r\nPage 12 of 43\n\nIt is strange that the dox was the only post made by the account used to release the information, despite being\r\ncreated in October 2022. Shortly after leaking Baddie’s alleged identity, the account was banned by administrators\r\non the forum for attempting to dox someone, though LockBit’s role was overlooked.  \r\nMany criminals have complained that LockBit gets special treatment on these forums and is rarely held\r\naccountable for its actions. I wondered if LockBit is behind the dox against Baddie for challenging its operation. It\r\nwould not be the first time LockBit has released information on someone it does not like. Time will tell.   \r\nPart II: The Victims’ Story\r\nNow that you know what the leadership of the LockBit gang has been up to behind the scenes, let’s discuss the\r\nhigh-profile public attacks that have taken place since January 2023. The public attacks I will discuss have been\r\nreported and discussed heavily by the media and other researchers. So, to add value, I will share behind-the-scenes\r\naspects involving the gang itself.  \r\nA Royal Mess \r\nDespite LockBit’s drama and antics with other ransomware criminals, the gang and its partner hacker affiliates\r\nhave been busy in the first half of 2023. LockBit kicked off the year by breaching, encrypting, and stealing\r\nsensitive data from Royal Mail, the largest postal service provider in the United Kingdom.  \r\nOn January 12, 2023, Royal Mail followed the instructions left in the ransom note presented on their encrypted\r\nsystems and logged into LockBit’s chat negotiation portal. The conversation began rather cordially. \r\nFigure 10: Begining of Royal Mail ransom negotiations  \r\nNow, you may be asking yourself why an employee in the IT department would negotiate such a critical\r\ntransaction. Well, if you believe what the employee said, it’s because his manager asked him too!  
\r\nI find it highly unlikely that someone in IT was the best option Royal Mail could come up with to manage this\r\ncrisis. Further, I would have expected LockBit to immediately realize that the “IT guy” was a professional\r\nnegotiator, not just an employee from Royal Mail’s help desk.  \r\nUnderstand that ransomware gangs do not like dealing with negotiators and often terminate discussions once\r\none is identified. Many will state this upfront because negotiators often drag out the negotiation process to buy the\r\ncompany time, then try to lowball the ransom payment.  \r\nBasically, they are an annoyance to ransomware gangs that want the victim to quickly pay for their “post pentest\r\nservices,” AKA the ransomware attack.\r\nTo my surprise, LockBit did not flag the employee as a hired negotiator and instead continued the conversation.  \r\nLet me tell you, for an “IT guy” it did a fantastic job delaying and getting LockBit to decrypt files as “proof” of\r\ntheir decryption capability. It also stalled the gang from posting Royal Mail data on their leak site.  \r\nThe IT guy had such a nonchalant approach, as though this was just another day at the office. At one point, in the\r\nmiddle of LockBit’s demands, the IT guy told the LockBit extortionist that it was “time for bed” and that it would\r\ntalk to him Monday!\r\nFigure 11: The “IT guy” goes to bed. \r\nNow at this point, you would expect the LockBit negotiator to realize that the company was stalling for time.\r\nInstead, it continued to ask if Royal Mail was ready to pay.  \r\nThe funniest part of all of this is the extortion demand LockBit requested. The gang wanted Royal Mail to pay $80\r\nmillion! That would be the highest ransom paid by any company to date. 
Further, LockBit had the audacity to tell Royal Mail, “You are very greedy and don’t want to pay for my service.”

One of the negotiator’s stall tactics was to ask LockBit how it came up with the $80 million figure. LockBit told him that $80 million was 0.5% of their revenue and should be easy for Royal Mail to pay. LockBit actually told Royal Mail that it was in their best interest to pay because once it posted Royal Mail’s data publicly, the government would fine them 4% of their annual revenue, amounting to $640 million. This was how LockBit justified its ransom demand, which is comical.

From January 26 through February 2, the “IT guy” continued to masterfully stall the LockBit negotiator. He told LockBit that the $80 million ransom was not plausible and that the “Board” would not approve it. To further delay progress, the IT guy argued that they were not the Royal Mail that LockBit thought they were but instead a much smaller subsidiary of the bigger organization.

Figure 12: Segment of the chat negotiation log between LockBit and Royal Mail

For every answer LockBit had, the Royal Mail negotiator would restate his argument that they were just a small company owned by Royal Mail. The stonewalling frustrated LockBit, who then began sending various links to websites and wikis that showed information about the Royal Mail corporate structure and financial earnings.

I am not sure why LockBit kept arguing or felt the need to justify its ransom demand, but it was clear to me that the “IT guy” was playing with LockBit at this point.

Figure 13: Segment of the chat negotiation log between LockBit and Royal Mail

There was another interesting moment in the negotiation exchange.
Royal Mail told LockBit that they needed specific files, totaling 6GB of data, decrypted in order to send life-saving medical equipment that hospitals needed delivered. Royal Mail claimed that without this equipment, patients would die.

Figure 14: Royal Mail requesting LockBit decrypt files necessary to “save lives”.

It was no surprise that LockBit did not care. LockBit claimed the files were not related to transporting medical supplies. Instead, they were critical files Royal Mail could use to help restore their data. LockBit was correct, but I don’t blame Royal Mail for trying! Either way, it was a good tactic, since LockBit has given decryption keys to hospitals in the past after its partner affiliates shut down emergency systems.

Royal Mail’s attempt to regain access to their data by lying about its purpose upset LockBit. In response, on February 6, 2023, LockBit publicly posted some of Royal Mail’s data and told them they had 50 hours to pay. Royal Mail and the “IT guy” never responded to LockBit again.

On February 9, LockBit announced it had released all of Royal Mail’s stolen data, making it available to download from LockBit’s data leak site.

Figure 15: Royal Mail post on LockBit’s data leak site stating it had published all available data.

As I was researching this report, something odd occurred regarding the Royal Mail data post. Previously, you could download the stolen data by clicking the “link” button on the Royal Mail leak post shown in Figure 16. However, several months later, in June 2023, I checked again and could not access the stolen data. Instead, I was presented with this message:

Figure 16: Message presented when clicking the link to download Royal Mail data.
This was strange because the LockBit data leak site claimed the data was present and available to download. If you recall from the first volume of the Ransomware Diaries, someone conducted a denial-of-service attack against LockBit when it tried to leak data from the cyber security company Entrust.

In that event, LockBit’s entire infrastructure was down, not just the data download infrastructure associated with that site. I am not an expert on DDoS attacks, but it seems odd that LockBit has not reposted or leaked the data elsewhere. Perhaps LockBit is unaware, since the denial only affects the data download links themselves. Alternatively, perhaps LockBit is simply struggling to host the massive amount of stolen Royal Mail data.

Behind the Scenes of the Royal Mail Attack

Despite the public reports and ongoing negotiations throughout January, LockBit officially claimed responsibility only in February 2023. For several weeks in January, the media and researchers, including myself, attributed the attack to LockBit. Researchers and media initially blamed LockBit for the attack due to the ransom note left by the Royal Mail attacker.

Fellow cyber security researcher Daniel Card, AKA “mRr3b00t,” posted an image of the note left for Royal Mail, which you can see in Figure 17 below.

The title “LockBit Black Ransomware” is listed at the top of the note, and the note includes instructions directing the victim to go to LockBit’s victim negotiation website.

Despite the evidence, LockBit claimed it was not responsible. As seen in Figure 18, LockBit discusses the accusations with other criminals, claiming someone else used its ransomware to conduct the attack and that the gang did not authorize it. Instead, on January 12, LockBit claimed the mystery attacker used the leaked version of its ransomware we discussed earlier.
Figure 18: LockBit’s response to initial accusations that it was behind the Royal Mail attack

The next day, on January 14, LockBit announced it had identified who was behind the attack. LockBit claimed it was one of its affiliate partners but still took no responsibility.

Later in the conversation, LockBit stated, “If you were me, with thousands of targets and hundreds of adverts (hacker partners), with an endless stream of targets, why would I follow them when I can just read the news?”

This is a significant statement. Essentially, LockBit says it does not monitor or control the companies its partners attack. As we have seen with the DarkSide and REvil ransomware gangs, attacking the wrong organization can have significant consequences. However, none of these reasons are why LockBit denied responsibility. You can see the real reason in Figure 19, from the LockBit gang themselves.

Figure 19: Message from LockBit to Royal Mail during negotiations

I laughed when I read this. I don’t know many people who are happy with the postal service! LockBit also believes the government will fine Royal Mail, and the fee will be greater than the ransom. LockBit uses this as leverage during the negotiation process, claiming the victim will save money and their reputation by making the extortion payment.

LockBit believes the government won’t fine Royal Mail unless someone claims responsibility and publishes leaked data. This is the real reason the gang denied responsibility for the attack, until it realized Royal Mail would not pay. It had nothing to do with the leaked builder and rogue partner excuse. I have noticed that LockBit uses this excuse whenever it’s convenient and it needs to deny responsibility.
For example, just a few weeks before the Royal Mail attack, LockBit took down SickKids, a children’s cancer hospital in Canada. In that attack, LockBit claimed the same excuse: that it had nothing to do with the attack, and that a rogue affiliate was responsible instead.

Once the media began to publish articles about suffering children who could not get medical attention, LockBit provided the decryption key and allegedly broke ties with the affiliate partner.

Royal Mail was not as lucky, and no decryption key was provided. In addition to leveraging the government fines during the negotiation process, there was one other reason LockBit denied responsibility. Initially, LockBit was concerned about the impact and response from the British government, since Royal Mail is considered critical national infrastructure. As time went on and nothing happened, it became less likely that an official government response or sanctions were coming. Eventually, with mounting evidence and no apparent backlash, LockBit felt comfortable taking ownership of the attack.

LockBit Goes to Space Camp

In March, LockBit attacked Maximum Industries, an aerospace manufacturing company. While Maximum is just one of many victims who fell to LockBit attacks in March, it is a high-profile victim due to its partnership with the Space Exploration Technologies Corporation, AKA SpaceX.

As most of you likely know, Elon Musk owns SpaceX and is one of the wealthiest people in the world. This is likely why Maximum Industries was such an important target to the LockBit gang. LockBit believed it could leverage the relationship between Maximum Industries and SpaceX for a big payday.

Shortly after the attack, LockBit posted a message on its data leak site, claiming to have obtained over 3,000 engineering diagrams.
LockBit announced that SpaceX engineers had certified the diagrams that Maximum Industries used to develop the parts and equipment used in SpaceX rockets. If SpaceX refused to pay the ransom, it would publish the data.

Figure 20: Maximum Industries post on LockBit data leak site

As I researched the incident, I found the most interesting aspect of the breach was not the SpaceX relationship. Instead, it was the method used to compromise and exploit Maximum Industries.

If you recall, I engaged with Bassterlord, one of LockBit’s top affiliates, featured in the Ransomware Diaries Volume 2. I discussed the breach with Bassterlord, who shared details and later posted screenshots supporting his claims to social media.

Bassterlord told me he was not associated with the attacks, but is friendly with the hackers behind it. Bassterlord shared that the LockBit hacker breached Maximum Industries by exploiting a public-facing VPN infrastructure that had easy-to-guess usernames and passwords such as “test,” “password” and “test_1234.”

You can see a screenshot of the dumped creds and the conversation between Bassterlord and the affiliate hacker behind the attack in Figure 21 below:

According to Bassterlord, his former crew, the National Hazard Agency, is the affiliate behind the attack. They are now responsible for several high-profile breaches conducted over the past six months. They are on the rise within the ransomware affiliate hacker ecosystem.

In the end, neither SpaceX nor Maximum Industries paid the ransom. As time on the auction grew short, LockBit posted the following message on an underground forum.

Figure 22: LockBit message to Elon

On March 30, 2023, LockBit updated its website, stating that all of the stolen data was now published. But there was one problem: the data was not there.
I will explain why later in the report.

An Apple a Day Keeps LockBit Away

On Saturday, April 15, 2023, MalwareHunterTeam tweeted a message stating they had discovered the first instance of LockBit ransomware designed to infect Apple OS X operating systems, which VX-Underground made available for download.

Figure 23: LockBit OS X samples

The weekend of the discovery, I communicated with several researchers who began analyzing the samples. While some had more details than others, there was a common theme across all conversations. Something was drastically wrong with this ransomware build. There were so many issues that some of the first reports stated the build was an inoperable version of LockBit ransomware, which technically was not true. It did, however, require a lot of finessing for the payload to execute and successfully encrypt data.

For example, you would have to bypass Apple’s built-in security measures, which do not allow an application to run if it has an invalid signature. Instead, OS X prevents the ransomware from executing and provides a message directing the user to “move it to the Trash.” This also explains why no one has ever reported an attack involving the Apple-based LockBit variant.

Additionally, the analysis of the binary provided clues about its intended use. The ransomware binary had a hard-coded password, “test,” which the operator had to provide for it to execute. The binary also had references to Linux, Windows, and VMware files, which is strange, since this is meant to encrypt files on an Apple operating system.

Now, presenting the information after the fact makes it obvious this payload was not ready for use in attacks, but remember, when it was happening in real time, information was all over the place.

So shortly after hearing this, I decided just to ask LockBit what was going on.
Was this a development build, or was it intended for affiliates to use? Figure 24 shows his response.

Figure 24: LockBit’s response to the Apple variant’s purpose

The payload MalwareHunterTeam found was not ready to be used in attacks. The fact that it ended up in a public malware repository before it was operationally ready shows that LockBit is having further issues with his developers and testers. Clearly, this was an OPSEC mistake.

Still, there is valuable insight we can gain from this discovery. The ransomware’s existence demonstrates the effort LockBit is making and the direction in which it is moving. Clearly, LockBit is actively pursuing a ransomware payload that will encrypt Apple computer systems running OS X. We were fortunate enough to get an early warning sign of what is to come, and it is only a matter of time before a more polished version appears in LockBit attacks.

Dark Who?

In addition to the leaked Apple ransomware build found in April, another interesting and dramatic LockBit event occurred. The cyber security company DarkTracer noticed that LockBit made several erroneous posts to its data leak site. The posts were not actual organizations but were fictitious company names and websites like “1.com” and “123.com.”

Even stranger, LockBit set a deadline for the made-up company to pay a $60,000 ransom or have its imaginary data published. If the victim’s name did not give away that something was off, the $60,000 ransom should be an indicator, because the greedy LockBit gang would ask for a much larger ransom if this was a legitimate victim.

The other clue that this was not real was that LockBit populated the victim description with filler data.
Figure 25 shows the tweet made by DarkTracer.

Figure 25: DarkTracer tweet about LockBit data leak site

DarkTracer called out LockBit, stating that its reliability had declined and that LockBit was negligent in managing its services. DarkTracer was correct; these were not actual victims. DarkTracer’s only mistake was holding LockBit to the same standard you would a legitimate company.

For example, you would not expect Bleeping Computer to create news posts filled with erroneous data on its public website to test its ability to publish stories. Instead, you would expect them to conduct testing and development efforts offline.

Apparently, you can’t hold criminals to the same standard. You see, LockBit claimed it was simply updating and testing its backend service’s functionality to upload victim data to its site.

This is where things should have ended, but in true LockBit fashion, nothing can end without drama. So, LockBit made a new post on its data leak site, shown in Figure 26.

Figure 26: DarkTrace post on LockBit’s data leak site

Notice anything wrong? LockBit called out the wrong company. The tweet that started all of this was made by the company DarkTracer, not DarkTrace.

Making things worse, LockBit posted a message asking to take DarkTrace CEO Poppy Gustafsson out to dinner and called her sexy. LockBit needs to learn to treat women with respect and have better manners. It should also pay attention to the details and get the right company if it’s going to make a dramatic spectacle of an event caused by its own mistakes.

The funny part is that DarkTrace had nothing to do with this. Further, all DarkTracer did was tweet about a mistake LockBit made.
LockBit intended to make the post about DarkTracer but got the company and its CEO wrong.

In reality, neither company was breached by LockBit. Instead, LockBit made an ass out of itself and harassed an innocent bystander that had nothing to do with any of this.

The leader of LockBit frequently criticizes its employees and partners who make mistakes. I think it’s fair to say that posting erroneous victims and data, making a spectacle out of it, and then threatening the wrong company, which had nothing to do with this, is enough evidence to propose that maybe LockBit’s leadership is the one with the issues. These are not small mistakes. Get it together over there!

The Tox 0day

In May 2023, a 0-day exploit affecting qTox, a secure messaging platform, was sold for $500,000 on a Russian hacking forum. As discussed earlier, LockBit relies on Tox to communicate with the rest of the world outside of the forums. So, as you can imagine, it was not happy about the news of the new vulnerability.

According to a tweet from VX-Underground, Tox users could be exploited simply by accepting a friend request. For LockBit, this meant it would have to stop accepting requests to connect and communicate over Tox. LockBit’s approach was to only communicate with established contacts until it came up with a solution or found another means to communicate.

Figure 27: LockBit’s response to the Tox 0day

LockBit wanted to identify the bug and patch it itself to re-establish the full use of Tox for its communications. You can see in Figure 28 that LockBit is interested in software called “Reven”, which is used to reverse engineer binary applications and identify vulnerabilities in them. LockBit wanted to use Reven to identify the bug in Tox, then create a patch preventing anyone from exploiting it.
Figure 28: LockBit posts about obtaining Reven software to find the vulnerability in Tox

Hopefully, LockBit’s comment about sending its “friends” to the software owner’s house was just a joke. Regardless, the Tox 0day caused issues for LockBit, as communication is essential to running its ransomware operation.

This is an excellent example of why law enforcement and government intelligence agencies should continue to try to identify and assess the software that threat actors like LockBit use. They could exploit the operation and potentially infiltrate the gang’s systems and accounts.

I know LockBit planned to address the Tox vulnerability, but I do not know if it was successful. Since LockBit is still heavily reliant on Tox and has not discussed the topic lately, I think it’s probable that a solution was found.

Part III: The Cops’ Story

The “Borris” Indictment

On May 16, 2023, the US Department of Justice (DoJ) released an indictment for Mikhail Pavlovich Matveev, a Russian national who operated with or partnered with several ransomware gangs, including the LockBit crime syndicate. Matveev used the monikers Wazawaka, m1x, Boriselcin, Uhodiransomwar, @fuck_maze, Orange, and my favorite, “arestedbyFbi.”

While the indictment spotlighted Matveev’s activities, Brian Krebs first exposed Matveev’s identity and mapped out his online personas, email addresses, and criminal engagements in an article published in January 2022.

Later, Matveev told me that Azim Khodjibaev, a fellow cyber security researcher, had tracked him down almost two years before the Brian Krebs article, but had not released the information publicly.

In addition to Azim, Matveev has spoken to several of us in the research community over the past few years. As I write this, I find it strange to refer to him as Matveev because I have always known him as Borris.
I began communicating with him a few months before the indictment, when looking into hackers who previously worked with LockBit. Beyond Azim, security researchers such as Dmitry Smilyanets from Recorded Future have gained Matveev’s trust and established a working relationship with the notorious hacker.

In August 2022, Matveev agreed to do an interview with Dmitry, where he shared details on how he participated in attacks against high-profile organizations like Capcom and the Washington DC police department.

Matveev also discussed the tools and exploits he used and his relationships with various ransomware gangs. Apparently, Matveev had a negative experience with REvil, but liked working with the LockBit gang and thought highly of the gang’s leader. Matveev stated he “communicated very well with the LockBit” and “He seemed like a normal guy”.

Still, their relationship was short-lived, and Matveev moved on to eventually start his own ransomware gang, Babuk, which fell apart due to internal conflict.

At the time, there was no way to verify all of Matveev’s claims. However, based on the information released in the US indictment, Matveev did more than participate in the attacks. In reality, Matveev was the figurehead who orchestrated the attacks and led ransom negotiations with the victims whom he extorted for hundreds of millions of dollars. The US DoJ made the following statement about Matveev and the revenue he earned from extortions:

“Matveev and the other members of these three ransomware conspiracies attacked at least as many as 2,800 victims in the United States and around the world and made ransom demands to these victims of at least $400 million.
Actual ransom payments from these victims to these perpetrators amounted to over $200 million.” –US Department of Justice

After the DoJ released the indictment, Matveev wanted to tell his side of the story and conducted another interview on my favorite podcast, “Click Here” with Dina Temple-Raston and Sean Powers.

In the interview, Matveev continued to downplay his role in ransomware attacks, claimed he made far less than the $200 million the DoJ alleged he stole, and asked Dina, “Where did they get those numbers from?” The answer was fairly simple: they added up the ransom payments made to wallets that Matveev controlled, which amounted to the $200 million figure.

To be fair, ransomware gangs and affiliates share profits, so he did have to share this money with his partners. Matveev does not understand that since he is responsible for the attacks, he is also responsible for the money he extorted, regardless of who it was distributed or paid to afterwards.

However, I am sure the DoJ would be happy to adjust those figures if he wanted to share the names and details of the partners with whom he shared his ransom profits. Until then, he will take the heat for the full amount.

Matveev also told Dina that LockBit had “lost their way” and compared it to REvil, which is primarily considered the scum of the ransomware community due to their high-profile downfall and betrayal of their own partners.

Matveev stated he favors the former Conti gang’s ransomware program, which he claimed is the “best product in that space, and they are still out there. We just don’t see them.” This surprised me when he made the statement because, to my knowledge, Matveev has not worked for Conti.

I last communicated with Matveev in early July 2023 and asked him how life has been since the indictment. He said that he is content with his current lifestyle.
He has destroyed his passport and come to terms with the fact that he won’t be able to travel outside of Russia anytime soon. The indictment appears to have given him serious “street credibility” amongst his ransomware peers, along with unwanted attention.

I asked Matveev if he still conducts ransomware attacks, and he said he is taking a break. When I asked what he is doing with his time, if not ransomware, Matveev replied, “I wanted to tell you that I have dived deeper into exploit development, specifically.” I don’t have all the details, but Matveev says his current project focuses on exploiting Microsoft SharePoint.

Unfortunately, this is a case where crime may have paid off. You see, despite making the FBI’s most wanted list and having a $10 million reward for information leading to his arrest, Matveev is living freely in Kaliningrad, Russia, where the government protects him from prosecution.

You can see Matveev below relaxing at home in his python skin pants.

Figure 29: Matveev sharing a photo of himself wearing snakeskin pants a month after he was indicted by the US DoJ

Matveev had better hope the protection he receives from the Russian government stands, or, similar to REvil, someday he may get a knock at his front door.

You’re Under Arrest for Being Stupid

The FBI’s Newark, NJ, field office has been busy. Just one month after releasing the indictment against Matveev, the FBI arrested a LockBit affiliate. The alleged hacker is Ruslan Magomedovich Astamirov, a 20-year-old Russian national from Chechnya who was in the US and arrested by the FBI.

According to the criminal complaint, Astamirov has been conducting ransom and extortion operations for the LockBit gang since August 2020.
That means Astamirov began hacking for LockBit at the age of 17! Astamirov should have been at summer camp or playing sports in high school. Instead, he conspired with LockBit to conduct ransomware attacks and extort organizations worldwide. Now, he is facing 20 years in prison.

LockBit should have an age restriction banning minors from running crimes for its operation, because Astamirov was not ready for the very real trouble he has gotten himself into.

Astamirov was smart enough to hack and extort large companies, but based on the criminal complaint, he was in way over his head. As much as it pains me to say it, most ransomware hackers are intelligent people who have skewed ethics and make poor life choices, but Astamirov is not one of them.

Simply put, Astamirov made mistakes, as many young people do. He comes from a part of the world where life is very different from the US. For those reasons, I see how he could think cybercrime was appealing, but I hope he turns his life around moving forward. He is young enough that he will have another chance someday. Hopefully, he takes it. Still, he made some really stupid mistakes in his short-lived criminal career, which I will discuss next.

Mistake #1

Astamirov registered accounts with several online gambling platforms, which he attempted to use to launder money he obtained from conducting LockBit ransomware operations. Based on the number of platforms Astamirov registered with, he may also have a gambling problem. Ask yourself, what could go wrong with using dirty money earned from working with one of the most sought-after criminal gangs to feed your gambling addiction? Most of us would realize this is a recipe for disaster. You see, laundering millions of dollars is not easy when you have no experience cleaning money.

Mistake #2

Astamirov re-used email addresses for both personal and criminal operations.
He used the email to register with a crypto exchange and then linked cryptocurrency wallets associated with ransomware payments to the account. The problem is he used the same email address to register with social media platforms, like Meta, and online shopping platforms, like Amazon, and then created usernames that included his real name, “astamirov_222” and “astamirov_225”.

Mistake #3

Astamirov set up at least one of two email accounts associated with ransomware operations to sync to his personal-use iPhone and Apple computer. Making things worse, when confronted by the FBI, Astamirov tried to push the blame onto his brother, who likely had nothing to do with this. That’s low. Think about it, how many of you have your sibling’s email accounts synced to your personal devices? Did Astamirov think anyone would believe this?

Mistake #4

Astamirov also used the same email address to register the infrastructure he used in ransomware attacks. I wish all bad guys were this dumb. My job would be much easier. The smartest thing Astamirov did was decide to cooperate with the FBI. This kid had no business engaging in a life of crime.

While Astamirov may not be a core gang member, and I have highlighted the stupid things he did, the arrest is still a big win for the US and the FBI. The lesson here is that just because you know how to hack does not mean you know how to launder cryptocurrency. If you want to be a successful ransomware hacker, you need to be good at both. If either is lacking, you are going to get caught. Kids today…

Reflecting on the arrest

The funny part of this story is that only a few weeks prior to the arrest, LockBit told me criminal affiliates existed in the US. LockBit claimed dozens of affiliates conduct attacks right under our nose.
You can see its comment to me in Figure 30 below.

Figure 30: LockBit claims dozens of affiliates operate within the US.

Personally, I hope it is telling the truth. Unlike Russian-based criminals, affiliates located on US soil can be pursued, engaged, and apprehended by the FBI. Over the past 12 months, there have been two arrests, one indictment, and a major takedown of ransomware infrastructure disrupting the Hive operation.

The problem with being a criminal involved with the most wanted ransomware gang worldwide is that everyone is watching and waiting for you to make a mistake. In addition to researchers, you have government intelligence agencies and law enforcement organizations with both technical and human assets dedicated to finding you. With that kind of heat, it only takes one mistake.

Part IV: Telling Secrets

LockBit’s Secrets

In the first volume of the Ransomware Diaries, I discussed the developer behind LockBit Black and his fallout with the gang’s leadership. After departing, the developer gave his side of the story, which I included in the report’s appendix. In it, the developer made a comment that stuck with me as I wrote this volume of the Ransomware Diaries. The developer stated:

“At the moment, LockBit has no technical support for either the current 3.0 draft or the old 2.0.” - LockBit Black ransomware developer

His claim is significant because, if true, LockBit was left to operate without an experienced ransomware developer. Now, few developers in the world have as much ransomware experience as LockBit’s former developer. After all, he developed DarkSide, BlackMatter, and LockBit Black ransomware, amongst other cybercrime-based malware. For this reason, I wondered how his departure would affect LockBit.
I now have enough evidence to\r\noffer an answer, which is much more damaging than I initially thought.  \r\nI found problems in LockBit’s operation, which are byproducts of the gang’s dramatic growth over the past year\r\nand a lack of development resources. LockBit has tried to hide these problems and effectively controlled the\r\nnarrative surrounding its operation. It has fooled victims, affiliates, and myself.\r\nThis is what LockBit does not want you to know. \r\nSecret #1: LockBit Sucks at Publishing Victim Data \r\nLockBit has a significant issue with publishing victim data to its leak site, and the problem is bigger than anyone\r\nknew.  \r\nBetween late February and the end of June 2023, LockBit claimed it released sensitive stolen data from victims\r\nwho had not given in to its extortion demand. I have learned that most of these were empty threats. For many leak\r\nsite posts during this timeframe, LockBit did not actually post victim data. It only said it did.  \r\nIf you are a victim who paid LockBit to prevent it from leaking your data during this timeframe, I am sorry to tell\r\nyou that you wasted your money. In most instances, LockBit could not publish your stolen data to its leak site,\r\neven if you had not paid, which I will demonstrate to you shortly. \r\nLockBit not only lied to victims, but it also lied to its affiliate partners who shared profit with the gang. For\r\nreaders who don’t know how this works, LockBit automates the process of stealing, hosting, and publishing\r\nvictim data all through a graphical interface in its admin panel. You can see screenshots of this panel in my\r\nprevious reporting.  \r\nOnce the affiliate hacker identifies the type of data it wants to steal within the breached environment, they use the\r\nadmin panel to collect and extract it to LockBit’s servers. As far as I know, this part is working as expected. 
At this\r\nstage, the LockBit affiliate and the victim begin negotiations, which they also facilitate through LockBit’s admin\r\npanel. \r\nUsing the panel, the affiliate controls the data it wishes to publish and leak onto LockBit’s website. Most affiliates\r\nleak data slowly and use a countdown timer as a tactic to encourage the victim to pay. If the timer reaches zero\r\nand the victim has not paid the ransom, data is published and released publicly on LockBit’s website.  \r\nThis is how it is supposed to work, but the service began to have issues around February 2023 and worsened over\r\ntime. As a result, LockBit has not consistently published victim data as it has claimed throughout 2023.  \r\nWhile victims and the media have not noticed, affiliates have. As a result, many affiliates are dissatisfied with\r\ntheir partnership with LockBit. This is LockBit’s secret. However, you don’t need to take my word for it; I’ll show\r\nyou. \r\nFigure 31 shows three posts of victims who chose not to give in to LockBit’s extortion demands. One of these\r\norganizations, marked as item 1 in Figure 31, is Maximum Industries.  \r\nEarlier, I spoke about this attack, which media outlets covered globally due to Maximum’s relationship with\r\nSpaceX, owned by Elon Musk. That is why it is so ironic that the data has not been released despite the gang’s\r\ndramatic threats and claims. Notice that in each post (1-3) LockBit announces, “ALL AVAILABLE DATA IS\r\nPUBLISHED.” Yet, at the time of this writing, the data is still not present on LockBit’s leak site. \r\nFigure 31: Three (of many) victims between February and June whose stolen data LockBit falsely claims to\r\nhave leaked. 
\r\nIt is clear to me from the images in Figure 31 that LockBit has not posted the data, because I study victim posts\r\ndaily. If you don’t, it may not be clear what it should look like when data is published. Thus, take a look at Figure\r\n32 below.  \r\nIn the post, you will see the victims labeled 4, 5, and 6. Notice that each entry includes a download button,\r\nexposing the victim’s sensitive data. Some have screenshots of stolen data, allowing you to browse stolen files in\r\nthe post itself. Most victim posts made earlier in the year, including examples 1-3, do not. Yet, no one notices\r\nbecause each post includes the message “FILES ARE PUBLISHED”. \r\nFigure 32: Victim posts on LockBit’s leak site in which the data was leaked and available for\r\ndownload. \r\nAs stated, the worst part of this situation is that no one noticed. However, while the media and public may not\r\nhave noticed, I knew that the affiliates it affected would. After all, they share millions of dollars with LockBit to\r\nprovide these services as their partner. So, to confirm the problem was as bad as I thought, I contacted former and\r\ncurrent LockBit affiliates to ask if they were happy with LockBit’s operation and why. \r\nSeveral of the affiliates I spoke with complained that they were unhappy with issues related to publishing\r\nstolen data onto LockBit’s data leak site, which led them to leave for LockBit’s competitors, as seen in the\r\ncorrespondence below.  
\r\nFigure 33: Former LockBit affiliate’s explanation of why they left LockBit’s operation \r\nIn addition to my correspondence with affiliates, the former LockBit ransomware hacker Bassterlord commented\r\nin a now-deleted public tweet about the situation: \r\n“I have nothing against LockBit, but until the data comes in normally (without delays of 2-4 months), I\r\nsee no reason to give the affiliate program 20 percent” –Bassterlord\r\nAffiliates were not the only ones to notice the problem. LockBit did too. \r\nLockBit knows it has a big problem, which it is trying to rectify. On April 24, 2023, LockBit posted a job ad for a\r\n“tester” to help with development updates. \r\nFigure 34: LockBit job ad for a “tester”  \r\nI can appreciate LockBit’s sense of humor, as requirements for the job include “greed,” “the ability to keep\r\nsecrets,” being “online 24/7” and having a “lack of personal life.” From what I know of it, that sounds like the\r\nleader of LockBit’s own job.  \r\nDespite the satire, LockBit wanted to hire someone to test and identify “errors” and program “failures” for its\r\nproduct and program. The “program” aspect would cover these testing issues, like the data upload failures I am\r\ndiscussing.  \r\nI assume it hired someone, because a few months later, in early July, it made improvements and upgraded its\r\ninfrastructure. After the update, it posted the following message, which was the first time it addressed or admitted\r\nthe issue existed. \r\nFigure 35: LockBit addresses data posting issue in a conversation on an underground forum   \r\nLockBit claims that it corrected the issue and that the problem resulted from the load on its storage servers due to\r\nthe high volume of use by its affiliate partners. 
It claims the problem is corrected and that it has increased its\r\nthroughput to handle five times the load it could facilitate previously. \r\nNow, I can confirm that LockBit did, in fact, make changes and updates to its site. Yet, the update is a Band-Aid\r\nand not a long-term solution. It improved the situation but has not corrected it.  \r\nThere are still many victim posts, like the companies I listed earlier, in which LockBit still claims the data is\r\nposted, but it is not. LockBit did improve the situation, and more recent posts include victim data more often than before\r\nthe update. However, many new posts still do not.  \r\nInstead, LockBit made changes to make it appear that you can now download data, but it’s nothing more than a\r\ngimmick to support its narrative that the problem is fixed. \r\nYou see, these links don’t make the data directly available to download. Instead, they only allow you to download\r\nthe file tree, which is a text file listing the directory names and structure of the victim’s data, but not the data itself.\r\nYou can see an example, item A, in Figure 36.   \r\nFigure 36: File tree accessed by downloading victim data from LockBit’s leak site.   \r\nIn other instances, the posts claim the victim’s time to pay has expired and the data is published, but instead of\r\nmaking the data available as it claims, it offers the options to pay to extend time, destroy or download the data, for\r\na fee, as seen in item “B” of Figure 36.  \r\nThe fee is far less than the ransom demand, so it is unclear to me what the point of this is, besides giving LockBit\r\nan excuse not to address the problem, which is preventing it from hosting and publishing the stolen data.  \r\nIf you’re a victim, this is good news. Unless someone is willing to shell out $100k, your data is not publicly\r\nexposed. 
Instead, it sits on a server that only LockBit and the affiliate who took it can access. \r\nFurther evidence can be seen in several other posts after LockBit claimed to have corrected the data publishing\r\nissue. Item “7” in Figure 37 is one of many new examples where the data is available but not hosted on LockBit’s\r\ninfrastructure. Instead, it is hosted on legitimate third-party file-sharing platforms on the clearnet.  \r\nThis may sound trivial since the victim’s data is exposed, but it is an issue for LockBit’s partners, who pay\r\nthrough revenue sharing for the data to be hosted on LockBit’s infrastructure.  \r\nHosting stolen data is one of the benefits LockBit advertised to attract partner affiliates. Prior to this, it was\r\ncommon practice to use third-party file-sharing services. This is a drawback for criminals because law\r\nenforcement or the file-sharing service provider itself can take down the files, removing access from both the\r\ngeneral public and criminals alike.  \r\nNow, they have lost control of the data they worked to steal. Further, it damages their reputation, making victims\r\nless likely to pay the ransom. \r\nFigure 37: Updated victim data leak posts    \r\nAdditionally, despite LockBit’s claim, I am still seeing new victims, like the post seen in Item “8” of Figure 37.\r\nHere, LockBit states data is posted, yet no link exists. This is the exact problem that I saw earlier that the update\r\nallegedly corrected. I guess LockBit really did not fix the issue, nor has it fixed its reputation, which will continue\r\nto degrade as more affiliates and victims realize LockBit will struggle to make good on its threat to post victim\r\ndata.  \r\nSo, if you are a victim of a new LockBit attack, you may want to roll the dice because it looks to me like\r\nLockBit is struggling to support its data hosting infrastructure and letting down its partners. 
\r\nSecret #2: Extended Support Wait Times \r\nHave you ever needed to address an issue, like your mobile phone service, or needed to speak to a representative\r\nabout a problem with your itinerary at a major airline? Well, if you have, you likely know how frustrating it can be\r\nto wait on hold for long periods to get help with your problem. It may sound funny, but criminals who work with\r\nLockBit are facing this exact issue.  \r\nYou see, LockBit, as I mentioned previously, uses the communication application Tox to converse with its\r\npartners. The application makes it difficult, if not impossible, for outside organizations like the FBI and\r\ngovernment intelligence agencies to spy on LockBit’s conversations. \r\nOften, higher levels of security make applications less user-friendly because you must give up the ease of\r\nfunctionality to harden the application. This is certainly the case for Tox, which is not the most robust or feature-driven platform. Due to this, and the high volume of attacks and increased number of partners working with\r\nLockBit, it has a major problem responding to service requests.  \r\nFrom an affiliate partner’s perspective, they work for weeks to breach and extort a victim. Then, once they are in and\r\nhave a foothold on the target network and their data, they run into a problem. It does not matter what the problem\r\nis. What matters is that they cannot get a response or resolution promptly, because LockBit is overloaded with\r\nmessages and service requests in its Tox queue. \r\nPersonally, I cannot imagine trying to manage hundreds of requests a day. Complaints such as “it’s impossible to\r\nget through to you” have grown more common in the LockBit community. 
Regardless of why, there is a growing\r\nfrustration amongst ransomware criminals due to how long it takes for LockBit to respond.\r\nFigure 38: LockBit’s response to complaints about the long response time \r\nAccording to LockBit, too many people are messaging it daily, making it difficult to keep up with the requests it\r\nreceives. The other issue is that there is no consistency in responses. LockBit responds to some requests quickly,\r\nwhile others go unread for over a week.  \r\nAs a solution, LockBit mentioned creating a ticketing system. I like the effort, but it is unlikely it will be able to\r\nimplement such a system unless LockBit develops something itself. Remember, LockBit can’t use a legitimate\r\nvendor, and nothing exists to offer the security and confidentiality a criminal organization would need.  \r\nSince Tox is open source, it would not surprise me if LockBit attempts to implement a ticketing system developed\r\nusing Tox source code, but that also takes a lot of time and resources to develop and test. If done incorrectly, it\r\nwould lead to the same frustrations it faces today. \r\nSecret #3: There Is No Ransomware Update \r\nIn June 2021, LockBit made its first significant update to its ransomware program, releasing LockBit Red, AKA\r\nLockBit 2.0.  \r\nIn June 2022, LockBit released an even more significant update, named LockBit Black, AKA LockBit 3.0. The\r\nsame developer behind DarkSide and BlackMatter developed the ransomware and included many new features\r\nand services that elevated LockBit to the top of the ransomware food chain. \r\nSo, when June 2023 came around, I waited for the next big thing. However, it didn’t happen.  \r\nHonestly, I knew there would not be an update and have been waiting to write this since last September when\r\nLockBit’s developer left. 
The closest update we had this year was LockBit Green, but the only thing it shared with\r\nprevious LockBit updates was the name and color theme.  \r\nThat update, as we discussed earlier in this report, was not LockBit’s ransomware. Instead, it was ransomware\r\nleaked from Conti, a former competitor. I have had that ransomware build sitting on an external hard drive since\r\nFebruary 2022. It’s hardly new. LockBit did make some changes to improve the build, but overall, this is lame and\r\nnot what you expect from the world’s most notorious ransomware gang. Do better, LockBit! \r\nThere are several reasons that this is bad for LockBit’s partners. The most important reason, however, is that most\r\nsecurity vendors can identify and prevent LockBit ransomware from executing on their systems.  \r\nLooking at recent detections of LockBit Black samples in July 2023, between 50 and 60 out of 71 security\r\nvendors can detect LockBit’s ransomware, as shown in Figure 39.  \r\nFigure 39: VT results for recently submitted LockBit ransomware samples. \r\nThis is why LockBit affiliates must find a way to shut down security services prior to executing the payload.\r\nOtherwise, it restricts their ability to encrypt systems, reducing the amount of ransom they can demand.\r\nAdditionally, suppose the affiliate attempts to execute a payload in an environment that uses one of these security\r\nsolutions. In that case, it will be identified and flagged, likely resulting in a response from defenders. \r\nA year ago, far fewer vendors could detect LockBit Black because it was new and seen for the first time. Updates\r\nand feature development are expected when you share your profits with a ransomware provider.  \r\nLockBit claims it is working on something new, but I have seen no evidence to support this besides claims made\r\non underground forums. 
Personally, I like to see results, not empty promises, but perhaps affiliates are content\r\nwith using outdated ransomware due to LockBit’s reputation with the general public.  \r\nHonestly, I don’t know if an update is a week or a year away, but it’s already missed the expected June release\r\ndate, and all signs indicate that LockBit is having serious development issues. I won’t hold my breath. \r\nSecret #4: LockBit Must Rely on Leaked, Poorly Coded, or Stolen Ransomware \r\nIf you recall from earlier, Baddie from the Royal ransomware gang confronted LockBit after learning that LockBit\r\nhad approached Royal affiliates and personnel trying to gain access to their builder. LockBit told Baddie it wanted\r\nto build a ransomware comparison table, which was obviously a lie. LockBit was actually trying to steal\r\nransomware builders from its competitors. \r\nIn December 2022, LockBit began a collection and theft campaign against its competitors. LockBit is willing to\r\nbuy their ransomware at what it feels is fair market price. If they don’t sell, LockBit covertly tries to obtain access\r\nand steal it for itself. Let LockBit tell you in its own words: \r\n“Both lockers (LockBit Black and LockBit Green/Conti) present at the moment in the panel, each\r\nadvert decides which locker it wants to encrypt, fast and small, or a little slower, coders team, I’m not\r\ngreedy. I take this opportunity to say hello to Revil and Alpha, ready to buy their code too, I want to\r\ncollect all the top lockers in one panel, plus we are in the process of developing something interesting.”\r\n– LockBit \r\nIn February 2023, criminals began to discuss a rumor that LockBit had been poking around trying to get access to\r\nvarious competitor ransomware builders. 
LockBit was quick to respond: \r\nFigure 40: LockBit responding to comments about using/taking its competitors’ ransomware  \r\nLockBit wishes to obtain many ransomware variants. It intends to make them available to affiliates directly from\r\nthe LockBit admin panel. This will provide additional options for its affiliates to leverage during attacks.  \r\nBy creating a “one-stop-shop,” affiliates can decide what ransom payload they wish to use. We, as the security\r\ncommunity, need to be prepared for this, because it will change how we defend and mitigate ransomware threats.  \r\nGetting ahead of this will make a big difference in minimizing the impact. First, you must understand precisely\r\nhow LockBit’s new RaaS model will benefit the attacker and further harm the victims. Let me explain. \r\nConsider the situation I discussed earlier where an affiliate tries to deploy LockBit Black ransomware, but\r\ndefenses within the environment block it. The affiliate would often be out of luck since now they cannot encrypt\r\ntarget systems and data.  \r\nAlternatively, in this same situation, well-connected affiliates with access to multiple RaaS programs could simply\r\ndeploy ransomware from one of LockBit’s competitors and extort the victim. Now, LockBit gets none of the\r\nprofit. Instead, its competitors, like Alphv and Royal, get richer. However, under LockBit’s one-stop-shop\r\nmodel, if a ransomware payload is blocked, they have several other options just a few clicks away.  \r\nWorse, in this situation, we did our job and detected the payload, but another was deployed moments later because\r\nof the ease of use in LockBit’s admin panel. The attacker simply selects another option in the graphical interface\r\nof the panel and clicks a single button to deploy additional payloads. 
\r\nSecond, consider a situation like the one LockBit proposed, where the affiliate intentionally uses multiple,\r\ndifferent ransomware payloads within one target environment. For example, they deploy LockBit Black, Royal,\r\nand Conti ransom payloads. Now, three keys are required to decrypt the data, and the attacker can demand three\r\nransom payments. \r\nAn even worse case: do you remember the Kaseya MSP incident in which over 1,500 downstream companies\r\nbecame infected with ransomware? The FBI obtained the decryption key, and many companies decrypted their\r\ndata without paying millions in ransom payments. In LockBit’s multi-payload model, that would not be possible.\r\nIf LockBit can pull this off, it could be disastrous. \r\nFortunately, this is not only bad for us, but it’s bad for all of LockBit’s competitors, who had to spend time and\r\nmoney developing their ransomware payloads. You would think they would be more aggressive at deterring it\r\nfrom doing this. Maybe they don’t believe it can gain access to their ransomware. If so, they should read Volume 1\r\nof this publication and see what happened to BlackMatter. \r\nClosing Time \r\nThe quality of LockBit’s operation is degrading. It has been slow to expand its infrastructure and meet its\r\ndevelopment needs. LockBit has fallen behind in its ransomware and infostealer development schedule. As\r\na result, there is a significant delay in producing new ransomware variants, and LockBit is struggling to\r\npublish victim data, causing affiliates to leave and partner with other ransomware gangs.   \r\nLockBit has everyone fooled to the point that the gang does not have to leak data because victims blindly pay. No\r\nother ransomware gang has obtained a reputation that allows such behavior. If you are a victim and the LockBit\r\nransomware gang is extorting your company, threatening to expose your sensitive data, think hard before you\r\npay.  
\r\nBelow is a list of contributing events that have led to the state of LockBit’s program: \r\nNo developer for an extended time \r\nData exfiltration and posting issues \r\nMissed June ransomware development deadline \r\nArrests/indictment \r\nAffiliate loss \r\nPoorly coded Mac release/leak \r\nPoor service response time (Tox) \r\nNeed for a ticketing system \r\nThe wacky posts on the leak site with random letters and fictitious companies \r\nLockBit is trying to obtain ransomware from its direct criminal competitors. So far, it has only obtained a\r\nleaked version of Conti ransomware. The attempt to gain access to the Royal Ransomware gang’s builder,\r\nand LockBit’s own admission claiming it wants to acquire and make it part of its service offering, tells us\r\nthe direction the gang is moving.  \r\nStill, in time, we will see something new from LockBit. The question is, how much damage will it incur in\r\nthe meantime?  \r\nThis is a surprising turn of events, since LockBit prides itself on providing its partners with the highest level of\r\ncustomer service and support. It constantly tries to add features and asks its partners what they want to see next in\r\nits operation and service offerings. Sometimes, things don’t go as planned, and one problem directly causes\r\nanother, creating a domino effect.  \r\nIf left unresolved, I believe these issues will lead to the downfall of the infamous LockBit ransomware gang. Still,\r\nI know LockBit is resilient, and it will do anything it can not to let that happen. The question is: will it be able to\r\nfix this, and if so, how long will it take? Until now, no one knew the truth about the state of LockBit’s business.  \r\nToday, that changes.  \r\nEpilogue\r\nFrom the beginning, I made it clear to the leader of LockBit that I was conducting an active investigation against\r\nthe ransomware crime syndicate. 
So, once I completed my draft of this report, I decided to ask the leader for an\r\ninterview to address my findings and give LockBit a chance to present their side of the story.  \r\nLockBit agreed, and I sent over my interview questions. The gang’s leader never answered after reading my\r\nquestions. Yet, something I could never predict was about to happen, and I was about to make things much\r\nworse.  \r\nYou see, at the same time this final conversation took place, I jokingly made a post addressed to LockBit on social\r\nmedia:\r\nI had taken a screenshot of LockBit’s leak site and altered it to show “JonBit 3.0” instead of “LockBit 3.0” and\r\nadded a victim entry for LockBit itself.  \r\nRemember, I had built a relationship and had talked with the gang over the past few months and felt comfortable\r\nthey would know this was a joke. To clarify, I am not an extortionist! \r\nFor this reason, I was shocked that the day after my post, the LockBit gang went dormant on its Tox account. This\r\nwas something that rarely, if ever, happened, and certainly not for an extended time.  \r\nOver the next few days, four separate affiliate crews contacted me! This was another clue that something big was\r\nhappening. Each affiliate wanted to know if I had compromised and hacked LockBit. One directly asked me, “You\r\nactually found a way to de-anonymize everyone from lockbit????” I told them all I had not hacked anyone.\r\nAfter the fourth affiliate contacted me, I realized more was happening than I initially thought.  \r\nIt was at this point I realized that I was not the only one who could not reach LockBit — its affiliate\r\npartners could not either. That is why they were reaching out. They saw my extortion message, then saw\r\nLockBit disappear and thought I was responsible!  \r\nIt isn’t easy to assess the magnitude of these events. 
In the best-case scenario, something behind the scenes\r\nspooked the gang, causing it to step away from its operation. In the worst-case scenario for LockBit, someone\r\nhas hacked their infrastructure. Regardless, I am telling you that the LockBit gang is in trouble. \r\nThe same day I made the extortion tweet seen in Figure 41, another clue presented itself. I received a DM on\r\nTwitter from someone I don’t know, who may be associated with a cyber security company. In the message, they\r\nincluded the image seen in Figure 42, displaying the login page and Tor address of the LockBit admin panel. On\r\nthe page, you are presented with a prompt to input your credentials to authenticate and gain access. The person\r\nhad taken a screenshot and written the message, “But do we really have to, though?” \r\nSee below: \r\nFigure 42: DM I received with a message insinuating LockBit’s panel authentication could be\r\nbypassed \r\nI don’t know if the cyber security company wants this information made public or associated with them, so I am\r\nnot including their name. However, the post suggested they may have found a way to bypass the login page and\r\ngain access to the LockBit admin panel without proper authentication. \r\nThings were beginning to add up. Someone may have hacked LockBit at the same time I did my HUMINT\r\noperation against the gang. As a result, its partners now thought I had hacked and breached the gang and its\r\ninfrastructure because of my posts! They believed I was about to release their secrets, which, to be fair, was\r\nexactly what I had stated.  \r\nTo clear things up for everyone, I am an ethical researcher. I do not hack or dox anyone, let alone the most\r\nnotorious ransomware gang in the world. Still, I am not the only one concerned. LockBit is too.   \r\nI started this story by explaining that LockBit reappeared shortly before I published my research. 
I believe\r\nLockBit’s panel and possibly its backend infrastructure may be compromised.   \r\nThis would explain why LockBit went dark for nearly two weeks, which it has never done before.  \r\nWhen the gang initially disappeared, and I learned of the possible breach, I thought LockBit was on the run. As it\r\nturns out, LockBit does not die easily. Instead, during this time, LockBit was doing damage control and trying to\r\nclean up its infrastructure to restore the integrity of its operation. I cannot state this as fact, but this is my\r\nanalytical conclusion based on the events and information discovered throughout this research.  \r\nStill, the events show that no one, including LockBit, is beyond reach. In conjunction with the problems it has\r\ntried to hide from the public and its partners, the gang’s hiatus tells me one thing: LockBit’s operation is in\r\ntrouble.  \r\nAbout Analyst1\r\nThreat intelligence teams often struggle to bridge the gap from insight to action. Analyst1 is the Orchestrated\r\nThreat Intelligence Platform designed to resolve this issue. It automatically organizes threat data, links it to your\r\nassets and vulnerabilities, and customizes views for different roles. Analyst1’s orchestration layer streamlines\r\nworkflows and automates reliable actions by integrating with SIEM, ticketing, and vulnerability management\r\nsystems. From Fortune 500 financial institutions to national security agencies, enterprises trust Analyst1 to unify\r\ntheir defenses, significantly reducing their response time from days to minutes.\r\nSource: https://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/"
	],
	"report_names": [
		"ransomware-diaries-volume-3-lockbits-secrets"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434277,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b8e6fa2ddcd7736b092427f0e231568a4502004.pdf",
		"text": "https://archive.orkl.eu/9b8e6fa2ddcd7736b092427f0e231568a4502004.txt",
		"img": "https://archive.orkl.eu/9b8e6fa2ddcd7736b092427f0e231568a4502004.jpg"
	}
}