back to article LockBit leaks expose nearly 200 affiliates and bespoke data-stealing malware

The latest revelation from law enforcement authorities in relation to this week's LockBit leaks is that the ransomware group had registered nearly 200 "affiliates" over the past two years. Affiliates are those people who buy into the gang's ransomware-as-a-service model, and happily use LockBit's wares in exchange for a cut of …

  1. elsergiovolador Silver badge


    Not only did the authorities expose the aliases of LockBit's affiliates, but they also defaced the affiliate portal with a message directed to them all, seen after logging in.

    That doesn't sound professional. Did they do it to give perpetrators a warning so they can cover their tracks plus to score some internet points?

    1. Doctor Syntax Silver badge

      Re: Warning

      I was thinking the same thing. Why not set up some sort of honey trap to draw them further in. But then I wondered - maybe they've already been doing that for some time.

      1. elsergiovolador Silver badge

        Re: Warning

        Even if they done that then why stop?

        1. DS999 Silver badge

          Re: Warning

          You can't keep the game up forever because they are allowing attacks on third parties by doing so. So they probably had an interim period where they tried to gather as much info about the affiliates as they could, then they shut everything down and put up the web page.

          The invitation for affiliates to contact them is probably directed at those who suspect or may already know their goose is cooked based on their interactions with Lockbit "home base" recently, to get them to surrender voluntarily or possibly give up information about others hoping to reduce the consequences.

          Sure some will flee, or already are beyond prosecution, but they will never be able to feel comfortable traveling freely to places with extradition treaties because they can't know if their true identities were exposed.

          1. Anonymous Coward
            Anonymous Coward

            A good psyop campaign

            By providing drip fed, carefully timed releases of information like password hashes and other user identifiers, it creates both a certainty and an unknown: The certainty being that the evidence wasn’t actually destroyed (despite claims by the people originally running the master infrastructure) while a huge uncertainty is whether the evidence is of any use, given that those running the infrastructure have been exposed as incompetent. Knowing this, affiliates who (stupidly) opted to proxy data through their own servers will also be wondering if they got shipped a “custom Stealbit build” likely causing many sleepless nights and a large dose of paranoia ahead, since they have know way of truly knowing if their infrastructure was compromised too and for how long.

            On the other side of the equation, this kind of announcement allows police criminologists giving presentations in schools/universities to show something potentially convincing to talented young people beyond tacit admissions that the Computer Misuse Act is pretty much toothless and that the state is a complete killjoy when it comes to IT security work. A healthy dose of prevention is better than a cure when it comes to stopping people from joining criminal gangs offering far better pay than both GCHQ and the private sector combined.

            1. Michael Wojcik Silver badge

              Re: A good psyop campaign

              Yes. And it shifts some of the attention of affiliates from finding another RaaS vendor and more victims to trying to find out what the authorities know, covering their tracks, and attempting to counterattack, which is good for potential victims.

              More generally, this is how the game is played. The early messages in this thread display a lack of understanding of how malware groups operate and what motivates them. Counting coup is important as a demonstration of capability. There are various studies into the economics and psychology of malware development and use to support this; there's a free ebook from RAND, for example.

    2. I ain't Spartacus Gold badge

      Re: Warning

      I suspect it depends on what info they've got, and how many of the perps they can even get access to. Maybe people will make mistakes or start fighting each other - and give away more information by mistake. Or maybe they're hoping for people to try and get plea-bargain's and drop other people in it?

    3. Ashentaine

      Re: Warning

      I presume LockBit was keeping extensive data about their thralls, I mean affiliates, on the chance that one or more of them might get the notion to go into business for themselves. No honor among thieves, and all that. In that case it doesn't really matter if they try to cover their tracks because the evidence is already well documented.

      Not to mention what the federales really want are the top ranking folks in the organization, so rattling the small fry like this may convince some of them to try and strike a deal to save themselves if they have something particularly spicy to share.

    4. Enormous Crowe Turd

      Re: Warning

      Maybe they already have everything they need. Many of the perpetrators of internet scams are outside the jurisdiction of the West - ie: China / N. Korea / Russia - maybe even state sponsored - so a middle finger is all you have...

  2. Anonymous Coward
    Anonymous Coward

    would be great news but nobody will spend a year in jail

    politicians get the bitcoins, perps plea deal, victims out in the cold.

    did I mis anything?

    maybe I'm jaded from years of the same thing over and over.

    1. Michael Wojcik Silver badge

      Re: would be great news but nobody will spend a year in jail

      LockBit's Mikhail Vasiliev is in custody in Canada and being extradited to the US. Magomedovich Astamirov is already in custody in the US and is awaiting trial. Various others are under indictment, and sometimes these folks do get nabbed later when they travel outside Russia.

      And, yes, these trials often end in convictions, if the defendant doesn't plead out first, as Vyacheslav Igorevich Penchukov just did, for involvement with Zeus and IcedID. He'll be sentenced in early March; the two charges he plead guity to have maximum sentences of 20 years each.

      So, yeah, you missed something.

  3. TimMaher Silver badge

    I’m sure that…

    …I recognise some of those names.

    Not mine of course.

    1. Flocke Kroes Silver badge

      Re: recognise some of those names

      Me too. ID:89 used to run the US copyright system, ID:164 is a time traveller. and ID:1 is infamous for having a privileged account on just about every Windows system. Why did so many sign up on 2022-06-25?

    2. Michael Wojcik Silver badge

      Re: I’m sure that…

      I had my suspicions about Harold, but Beverley??!

  4. may_i


    The image in the article shows nothing more than a list of mostly first names, all of them nicely capitalised. It's a picture of nothing. It's certainly not a list of affiliate accounts.

    I have no idea what games the NCA are playing here, but what is being shown is so obviously and painfully not what it purports to be that you'd need to be extremely unaware to fall for it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like