From data leaks to group fallouts, the trials and tribulations of ransomware collectives generate a lot of buzz in traditional media outlets and cybersecurity news platforms alike. Many of the ransomware-related scandals result from different groups making opposing claims, affiliates accusing operators of deception, or leaders making promises that ultimately prove to be worthless. For instance, recently we’ve had groups denying links to other gangs (despite strong evidence from security researchers), groups misidentifying their victims, and allegedly extinct groups rising from the ashes. Ransomware groups are as trustworthy as they are ethical, which makes it difficult for researchers to sort fact from fiction. We must treat every new development within the ransomware landscape with a healthy dose of skepticism, and use the experience we’ve gleaned from many years of tracking these groups to assess the likely credibility of new claims. In this blog, we’ll take a look at some examples of when ransomware groups have confused watchers and blurred the boundaries between truth and lies, and think about how we can best tackle the issue of untrustworthiness in our analysis of these collectives. 

LockBit: A difficult relationship with the truth

Ah yes, LockBit — everyone’s favorite ransomware group. This group first appeared in September 2019 under the name “ABCD ransomware”, progressing into LockBit 2.0 in June 2021. The first half of 2022 has seen multiple interesting developments in this collective’s trajectory. Some are pretty clear-cut and undebatable. For example, in late June 2022, LockBit officially released LockBit 3.0, an improved version of its malware that will allegedly help it become the “world’s fastest and most stable ransomware”. Around the same time, the group created several new mirror websites, to ensure that LockBit’s operations remain online as much as possible. The new sites also introduced the option of paying ransoms via the cryptocurrency Zcash, which cybercriminals favor because it enables transactions to be verified without revealing the sender, receiver, or transaction amount. So far, so good on LockBit’s claims.

Big bug bounty claims

The change that really got the security industry talking was the group’s unveiling of a bug bounty program. This scheme offers rewards starting from USD 1,000 for security exploits, personally identifiable information (PII), or information on high-value targets. Immediately after the announcement, members of cybercriminal forums began questioning the program’s legitimacy. They debated whether LockBit would be true to its word and actually pay out in return for any submitted findings. Others wondered whether participants in the bug bounty scheme could even risk punishment under Russian law for developing plans and creating conditions for the commission of crimes by organized criminal groups, or if it might result in a participant being sued by the “victims” they share information about. On one forum, LockBit’s representative set out the case for the group’s trustworthiness, favorably comparing the group’s scheme to the bug bounty programs offered by large technology companies, who pay only “5-10k for critical vulnerabilities”. 

It remains to be seen whether LockBit will cough up as a result of a submitted disclosure; as security researchers, we are still in “wait and see” mode. Threat actors themselves appear to be retaining their doubts: In a 04 Jul 2022 cybercriminal forum thread, a user jokingly asked whether LockBit will pay the security research firm Malvuln for finding a “Buffer Overflow” vulnerability on the LockBit 3.0 data-leak site. LockBit has failed to respond thus far, but one forum user compared the ransomware collective’s operations to the Aesop fable “The Boy Who Cried Wolf” (see Figure 1), indicating frustration and a lack of trust in the underground community. LockBit has a long history of playing fast and loose with its promises: The group has frequently promised to release data when a timer counts down to zero, only to reset the clock once the counter reaches the end.

A checkered history

Looking back at LockBit’s track record provides plenty of justification for our unwillingness to immediately believe LockBit’s promises. Take the June 2022 controversy involving LockBit, Evil Corp, and Mandiant. Speculation began to spread that Evil Corp—a financially-motivated cybercriminal group active since 2007—and LockBit had been working together. The cybersecurity firm Mandiant published a blog that alleged Evil Corp was using LockBit’s ransomware in its attacks to avoid sanctions imposed by the US Treasury Department’s Office of Foreign Assets Control that could restrict ransom payments from US-based victims. In response, LockBit created a new post on its data-leak website that threatened to release 356,841 files allegedly stolen from Mandiant (see Figure 2), along with a timer counting down to the file publication time. When the timer hit zero, many expected to see actual Mandiant data. Instead, LockBit released .txt files containing a statement responding to Mandiant’s blog. The statement dismissed allegations about links to Evil Corp, claiming that some of the tools these two groups use are available on publicly accessible websites and platforms, such as GitHub. It highlighted that the similarity in tools cannot constitute evidence that the same group has conducted an attack.

This trick was not without consequences: Cybercriminal forum users responded to the stunt by criticizing LockBit for not delivering on its promises, posting false data, and not releasing information when the time was up. Members emphasized that this was a common problem with LockBit, posting memes about LockBit failing to deliver on its promises (see Figure 3).

Conti’s dramatic farewell

Another ransomware group that is no stranger to controversy is Conti, an experienced and successful collective that first appeared in late 2019. In May 2022, Conti announced on cybercriminal forums that it would be halting its operations and closing its affiliate program. Many observers thought this had been on the cards for some time: There were rumors of internal rifts after Conti released a statement supporting Russia in the Ukraine war, and then a Ukrainian cybersecurity researcher published over 60,000 messages allegedly taken from the backend of a Jabber server that Conti used for internal communications at the end of February 2022. Yet the prominence of the group—which conducted the second highest number of attacks in Q2 2022 out of all the ransomware groups we monitor (see Figure 4)—prompted predictions that the group’s shutdown was not entirely as it seemed. Some forecasted that Conti had not really shut up shop, and that the group would soon reappear under a new name. 

Even before the Conti shutdown, cybersecurity researchers had started speculating about a tie between Conti and the ransomware groups Hive and AlphV because of similarities in the collectives’ attacks and targets. After the May 2022 closure announcement, observers wondered whether Conti’s operators intended to create smaller, autonomous groups, which could allow members to continue conducting attacks with less chance of detection than a mammoth, infamous collective. This scheme might also allow groups to combine a ransomware-as-a-service model with new malware capabilities, which could maximize agility and effectiveness, and avoid creating patterns of attacks that are easily mitigated.

Another theory holds that former members of Conti and the REvil (aka Sodinokibi) ransomware group—the notorious collective responsible for the July 2021 attack against technology firm Kaseya—now run the ransomware group Black Basta. This relative newcomer to the ransomware scene accounted for the fourth highest number of attacks in Q2 2022 of all the groups we monitor (see Figure 4). Proponents of this hypothesis point to similarities between the groups’ data-leak sites, payment systems, and affiliate behavior. Users on cybercriminal forums, including an official LockBit representative, also chimed in on the debate. The LockBit representative characterized the developments as the creation of different Conti divisions, rather than a rebranding into Black Basta. The true nature of the groups’ association may become clear over time; we have seen multiple examples in the past of ransomware groups changing their names in order to continue operating. For their part, Conti denied the allegations during the “For Peru” Black Basta campaign.

A large pinch of salt

It’s hard to think of many examples of developments relating to ransomware groups that haven’t been murkily mired in confusion and doubt. One recent case that springs to mind is the ransomware collective AstraLocker’s declaration that it would halt its ransomware operations and pivot instead to carrying out cryptojacking attacks. Following this announcement, the group released the decryptor for its malware, which is about as much “proof” as we’re ever going to get that a ransomware gang will stick to its word. Perhaps this quagmire of uncertainty is all by design; it may be in ransomware groups’ interests for researchers, law enforcement, and potential victims to never quite know what the gangs are up to and how they will behave during and following negotiations. The ransomware collectives can exploit the unpredictability, keep us on our toes, and prevent us from totally fulfilling the security commandment “Know Thine Enemy”.

That said, following ransomware groups closely and trying to discern trends and patterns that can help us identify the most likely scenarios is our best chance of successfully defending against this threat. Digital Shadows (now ReliaQuest) monitors ransomware groups on a daily basis, tracking their victims, announcements, behavior, and related chatter. If you’d like to take advantage of this intelligence, as well as countless other insights into the dark web and cybercriminal underworld, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.