According to Darkreading, The LockBit 4.0 affiliate panel was compromised in May, exposing operational inconsistencies within the ransomware-as-a-service group, revealing chaotic internal practices, and providing an unprecedented view into the unregulated nature of the ransomware ecosystem.
LockBit has been perceived for years as a highly professional and efficient criminal organization within the ransomware landscape. This perception portrayed the group as a sophisticated entity, akin to a well-structured technological startup. However, the recent exposure of LockBit’s 4.0 affiliate panel challenged this established view, instead revealing an operation characterized by disorganization, internal conflicts, and significant operational inconsistencies. This event demonstrated that the reality of ransomware threats is more fragmented and unpredictable than previously understood, departing from a disciplined, corporate-like model.
The leak, which occurred in May, encompassed a substantial volume of data, including thousands of chat messages exchanged between LockBit affiliates and their victims. This data also contained numerous ransomware builds, internal user tags, and cryptowallet information. The compromise of LockBit’s 4.0 affiliate panel was marked by its replacement with a link directing to this comprehensive data dump. This incident provided an extensive, behind-the-scenes look into the operational dynamics of ransomware-as-a-service (RaaS) ventures, following similar insights gained from the Conti leaks in February 2022, which also shed light on ransomware gang operations.
Analysis of the leaked materials indicated that the affiliate ransomware ecosystem operates primarily on an opportunistic and disorganized basis. Affiliates demonstrated varying degrees of professionalism, often operating with minimal oversight from the central LockBit platform. Some affiliates engaged in careful negotiation processes with victims and consistently provided decryption tools post-payment. Conversely, other affiliates would cease communication immediately after a ransom payment was secured. One specific interaction documented an affiliate attributing corrupted files to antivirus software and instructing a victim to await the correct decryption tool, stating, “the boss is very busy.” This communication eventually ceased without resolution for the victim.
The established rules governing the LockBit platform were frequently disregarded by its affiliates. LockBit’s operational guidelines explicitly prohibited targeting Russian organizations. Despite this prohibition, two Russian government entities were subjected to attacks in February. To mitigate the repercussions and preserve the group’s reputation, LockBit administrators intervened directly, providing free decryptors to the affected organizations. The affiliate responsible for these particular attacks was subsequently suspended and assigned an internal tag, “ru target,” indicating their transgression of the rules concerning Russian targets.
Financial aspects of the LockBit operation, as revealed by the leak, also exhibited a lack of clarity and consistency. An examination of 159 Bitcoin wallets associated with various extortion attempts showed that only 19 of these wallets actually received funds. This discrepancy suggests that some affiliates might have conducted negotiations and transactions outside the official LockBit platform, likely to circumvent the platform’s stipulated 20% commission on ransom payments. One affiliate successfully extorted more than $2 million from a Swiss cloud provider. However, a majority of affiliates involved in extortion attempts ultimately did not receive any funds from their operations.
The disorganization observed within these groups does not diminish their threat but rather complicates defensive strategies. The absence of a consistent structure or standardized operational procedures among affiliates makes it difficult for defenders to develop predictable response playbooks. The variability in affiliate behavior, where one might offer support and honor agreements while another disappears after payment, introduces significant unpredictability into incident response planning. This inconsistency also diminishes the perceived value of paying a ransom, as there is no guarantee of a successful outcome, such as the provision of a working decryptor or the cessation of data exposure.
