{
	"id": "43065131-0e36-4c07-b8de-17b371724a27",
	"created_at": "2026-04-06T00:06:44.166536Z",
	"updated_at": "2026-04-10T03:33:15.49176Z",
	"deleted_at": null,
	"sha1_hash": "a5a4f9b6e13772fc80432e74a61c44fe6496681c",
	"title": "CDW data to be leaked next week after negotiations with LockBit break down",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50227,
	"plain_text": "CDW data to be leaked next week after negotiations with LockBit\r\nbreak down\r\nBy Connor Jones\r\nPublished: 2023-10-06 · Archived: 2026-04-05 21:41:44 UTC\r\nCDW, one of the largest resellers on the planet, will have its data leaked by LockBit after negotiations over the\r\nransom fee broke down, a spokesperson for the cybercrime gang says.\r\nSpeaking to The Register, the spokesperson, who uses the alias LockBitSupp, implied that during negotiations\r\nCDW offered a sum that was so low it insulted the crooks.\r\n\"We published them because in the negotiation process a $20 billion company refuses to pay adequate money,\" the\r\nsource said.\r\n\"As soon as the timer runs out you will be able to see all the information, the negotiations are over and are no\r\nlonger in progress. We have refused the ridiculous amount offered.\"\r\nLockBit did not respond to questions relating to what its original ransom demand was or what CDW offered in the\r\nnegotiations. It also shirked questions concerning the nature of the data stolen and what methods it used to breach\r\nthe company.\r\nAccording to the countdown timer on LockBit's victim blog, CDW's files are scheduled to be published in the\r\nearly hours of the morning on October 11.\r\nCDW has yet to comment on the incident, which appears to have been ongoing since at least September 3, when\r\nthe company was first posted to LockBit's blog.\r\nThe Register has contacted CDW for clarity but the company has not offered a response.\r\nIts automatic email reply reads: \"Thank you for contacting CDW. Your inquiry has been received and will be\r\nreviewed. Should there be a fit or an interest in engaging further, we will be in touch as soon as possible.\"\r\nThe UK Information Commissioner's Office (ICO) confirmed that it had not received a breach report from CDW.\r\nCybersecurity analyst and researcher Dominic Alvieri said the company was technically posted to LockBit's blog\r\nthree times in total. 
It was originally \"flashed\" – a tactic involving the quick posting and deletion of a company to\r\nencourage a fast response from the victim.\r\n\"When deadlines come and go it is a sign the company is negotiating or has at least acknowledged the incident,\"\r\nhe said.\r\n\"The repost is usually the final stages. The ransoms process can take weeks/months.\"\r\nhttps://www.theregister.com/2023/10/06/cdw_lockbit_negotiations/\r\nPage 1 of 3\n\nPosting a company to a victim blog multiple times isn't something that happens in every case but it is a known\r\naggressive tactic adopted by ransomware groups to hurry negotiations, experts told The Register.\r\n\"Ransomware groups are ramping up their tactics in forcing victims to pay quickly and this is all part of their\r\nbusiness model to extort more money in a timely fashion from their targets,\" said Jake Moore, global\r\ncybersecurity advisor at ESET. \r\n\"LockBit has previously used pressure tactics to force other victims of their attacks in order to speed up ransom\r\nnegotiations to ultimately pay up and with varying success.\r\n\"There is always a chance, however, that this is a tactic used to force their victims' hands to act quickly yet no real\r\nsubstance be in the original claim.\r\n\"This is the common gamble played between cybercriminals and their victims where one wrong move and a poker\r\nface could cost companies huge amounts in ransom payments and more problems thereafter from leaked data in\r\npublic view.\"\r\nOne historical example of LockBit setting deadlines and not dumping the stolen data was during the attack on\r\nRoyal Mail International earlier this year.\r\nThe deadline was set for February 13 and no data was published. 
A day later, instead of making Royal Mail\r\nInternational's stolen data public, LockBit posted the full negotiation history between it and the company in the\r\nform of a downloadable chat log.\r\nThe chat logs revealed the ransom demand was originally set at $80 million, later offering a 50 percent discount\r\nafter the company branded the demands \"absurd.\"\r\nAt the time, the release of the chat logs was seen as an example of these scare tactics. After Royal Mail's\r\ncontinued refusal to pay, LockBit eventually staggered the publication of its data, much of which included\r\nemployee information, in 10 separate dumps.\r\nThe UK's National Cyber Security Centre (NCSC) has a longstanding stance against paying ransoms to\r\ncybercriminals.\r\nIn a study by security company CyberEdge, it was found that less than half of businesses paying ransoms recover\r\nall of their data.\r\nIn the Royal Mail negotiations, the transcript shows the negotiator attempting to convince LockBit to hand over\r\ntwo files as proof the criminals' decryptor worked.\r\nLockBit realized after a few days that the two files would have allowed Royal Mail to fully recover its systems\r\nwithout paying for the decryptor.\r\nTowards the end of the negotiations, where Royal Mail appeared to stall LockBit for as long as it could by saying\r\nit was waiting for its board to decide on whether to pay the discounted ransom fee, LockBit grew frustrated with\r\nthe tactics and published the data after days of non-responsiveness from Royal Mail.\r\nLockBit's lies, and other strange tactics\r\nOver the years, LockBit has been 
accused of orchestrating various \"PR stunts\" to cause confusion and raise its\r\nnotoriety level.\r\nThese have included \"fake\" ransomware attacks on large organizations, posting their details to LockBit's website\r\nalong with a countdown timer to indicate the publication date of the stolen files, just as it does with genuine\r\nvictims.\r\nOne such example came in June 2022, when it claimed to have breached incident response specialists Mandiant.\r\nIn typical fashion, the countdown timer spent days reaching zero, and what was published wasn't the data it\r\nclaimed to have stolen from the company, but instead a response to claims that the group was linked to the\r\nsanctioned cybercrime outfit Evil Corp.\r\n\"The PR stunt was likely orchestrated by LockBit because an association of their activities to Evil Corp could\r\nhave financially devastating consequences for their operations,\" said ReliaQuest in a blog post. \r\n\"Paying ransoms to these cyber threat groups is still not illegal in most countries; however, a formalized\r\nassociation with Evil Corp would render those payments potentially out of the law, with significant civil and\r\ncriminal implications for the organizations involved in them. 
\r\n\"Given that LockBit is one of the most prolific ransomware groups in activity at the moment, it is likely that they\r\nintend to continue their highly successful and profitable ransomware operations for the following months.\"\r\nLockBit repeated the same trick later that year, this time against French multinational IT company Thales.\r\nAlthough in Thales's case, it was only half fibbing.\r\nAt the time, Thales's public statements repeatedly denied evidence of an IT intrusion, but on November 10, 2022 –\r\nthree days after LockBit promised to publish its data – Thales confirmed that data had been stolen and published.\r\nHowever, it said the theft was carried out by \"two likely sources,\" one of which was \"confirmed through the user\r\naccount of a partner on a dedicated collaboration portal,\" and the other was unknown. ®\r\nSource: https://www.theregister.com/2023/10/06/cdw_lockbit_negotiations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.theregister.com/2023/10/06/cdw_lockbit_negotiations/"
	],
	"report_names": [
		"cdw_lockbit_negotiations"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5a4f9b6e13772fc80432e74a61c44fe6496681c.pdf",
		"text": "https://archive.orkl.eu/a5a4f9b6e13772fc80432e74a61c44fe6496681c.txt",
		"img": "https://archive.orkl.eu/a5a4f9b6e13772fc80432e74a61c44fe6496681c.jpg"
	}
}