LockBit leaks expose nearly 200 affiliates and bespoke data-stealing malware The latest revelation from law enforcement authorities in relation to this week's LockBit leaks is that the ransomware group had registered nearly 200 "affiliates" over the past two years. Affiliates are those people who buy into the gang's ransomware-as-a-service model, and happily use LockBit's wares in exchange for a cut of …
Not only did the authorities expose the aliases of LockBit's affiliates, but they also defaced the affiliate portal with a message directed to them all, seen after logging in.
That doesn't sound professional. Did they do it to give perpetrators a warning so they can cover their tracks plus to score some internet points?
You can't keep the game up forever because they are allowing attacks on third parties by doing so. So they probably had an interim period where they tried to gather as much info about the affiliates as they could, then they shut everything down and put up the web page.
The invitation for affiliates to contact them is probably directed at those who suspect or may already know their goose is cooked based on their interactions with Lockbit "home base" recently, to get them to surrender voluntarily or possibly give up information about others hoping to reduce the consequences.
Sure some will flee, or already are beyond prosecution, but they will never be able to feel comfortable traveling freely to places with extradition treaties because they can't know if their true identities were exposed.
By providing drip fed, carefully timed releases of information like password hashes and other user identifiers, it creates both a certainty and an unknown: The certainty being that the evidence wasn’t actually destroyed (despite claims by the people originally running the master infrastructure) while a huge uncertainty is whether the evidence is of any use, given that those running the infrastructure have been exposed as incompetent. Knowing this, affiliates who (stupidly) opted to proxy data through their own servers will also be wondering if they got shipped a “custom Stealbit build” likely causing many sleepless nights and a large dose of paranoia ahead, since they have know way of truly knowing if their infrastructure was compromised too and for how long.
On the other side of the equation, this kind of announcement allows police criminologists giving presentations in schools/universities to show something potentially convincing to talented young people beyond tacit admissions that the Computer Misuse Act is pretty much toothless and that the state is a complete killjoy when it comes to IT security work. A healthy dose of prevention is better than a cure when it comes to stopping people from joining criminal gangs offering far better pay than both GCHQ and the private sector combined.
Yes. And it shifts some of the attention of affiliates from finding another RaaS vendor and more victims to trying to find out what the authorities know, covering their tracks, and attempting to counterattack, which is good for potential victims.
More generally, this is how the game is played. The early messages in this thread display a lack of understanding of how malware groups operate and what motivates them. Counting coup is important as a demonstration of capability. There are various studies into the economics and psychology of malware development and use to support this; there's a free ebook from RAND, for example.
I suspect it depends on what info they've got, and how many of the perps they can even get access to. Maybe people will make mistakes or start fighting each other - and give away more information by mistake. Or maybe they're hoping for people to try and get plea-bargain's and drop other people in it?
I presume LockBit was keeping extensive data about their thralls, I mean affiliates, on the chance that one or more of them might get the notion to go into business for themselves. No honor among thieves, and all that. In that case it doesn't really matter if they try to cover their tracks because the evidence is already well documented.
Not to mention what the federales really want are the top ranking folks in the organization, so rattling the small fry like this may convince some of them to try and strike a deal to save themselves if they have something particularly spicy to share.
LockBit's Mikhail Vasiliev is in custody in Canada and being extradited to the US. Magomedovich Astamirov is already in custody in the US and is awaiting trial. Various others are under indictment, and sometimes these folks do get nabbed later when they travel outside Russia.
And, yes, these trials often end in convictions, if the defendant doesn't plead out first, as Vyacheslav Igorevich Penchukov just did, for involvement with Zeus and IcedID. He'll be sentenced in early March; the two charges he plead guity to have maximum sentences of 20 years each.
So, yeah, you missed something.
The image in the article shows nothing more than a list of mostly first names, all of them nicely capitalised. It's a picture of nothing. It's certainly not a list of affiliate accounts.
I have no idea what games the NCA are playing here, but what is being shown is so obviously and painfully not what it purports to be that you'd need to be extremely unaware to fall for it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
