LockBit redraws negotiation tactics after affiliates fail to squeeze victims
Cybercrime group worried over dwindling payments ... didn't they tell them to Always Be Closing?
In response to growing frustrations inside the LockBit organization, its leaders have overhauled the way they negotiate with ransomware victims going forward.
LockBit leadership has expressed concern over the low rate at which organizations are paying, and when they do pay, the sums being collected by affiliates are deemed too low.
The inconsistency of negotiations is also a point of contention among head honchos. There is a belief within LockBit's ranks that less-experienced affiliates are failing to net the expected minimum payment from victims and are too frequently offering unsanctioned discounts.
Before the rule change came into effect in October, there was little by way of codified rules or guidelines for negotiations. Affiliates were left entirely to their own devices and the inconsistent negotiations fueled a rise in victims refusing to pay ransoms.
This is largely because the group's less-experienced affiliates are offering discounts too great in proportion to the ransom sum. Further, incident responders tracking the group's negotiations are recording this data and using it against them.
When negotiators feel they can get a bigger discount when engaging with more experienced affiliates because previous attacks have shown they can be offered, these negotiators shut down talks and refuse to pay at all. They feel like they're getting a bad deal and the criminals don't end up getting paid.
In some cases, LockBit said they've seen affiliates offer discounts of up to 90 percent just so they can get a payout – something that's affecting more experienced criminals, who offer less aggressive discounts, from collecting their ransoms.
That's why LockBit has brought in guidance for affiliates to follow, as well as rules regarding maximum discounts that can be offered and how low negotiations can go relative to the initial ransom sum.
According to intel gathered by security shop Analyst1, LockBit issued a survey in September offering affiliates the opportunity to vote on potential rule changes, noting the group's frustration.
It gave affiliates six options to choose from:
- Leave everything as it is. Affiliates establish their own rules with no restrictions, as it always has been.
- Establish a minimum ransom request depending on the company's yearly revenue, for example at 3 percent, and prohibit discounts of more than 50 percent. Thus, if the company's revenue is $100 million, the initial ransom request should start from $3 million with the final payout no less than $1.5 million.
- Do not apply any restrictions on the minimum amount required as it depends on the damage inflicted on the victim. However, the maximum discount shouldn't be more than 50 percent. For example, if the initial ransom is set to be $1 million, affiliates can't accept any payments less than $500,000.
- Prohibit any payments less than the amount the victim is insured by if you could find cyber insurance.
- Prohibit any payments less than 50 percent of the amount the victim is insured by if you could find cyber insurance.
- Other proposals you have in mind.
LockBit then settled on two rules that would guide all future negotiations, starting October 1.
The first was the ransom payment amount, and how affiliates should be setting the initial sum in proportion to the victim's annual revenue.
- Revenue up to $100 million – ransom should be between 3 and 10 percent
- Revenue up to $1 billion – ransom should be between 0.5 and 5 percent
- Revenue more than $1 billion – ransom should be between 0.1 and 3 percent
While the ransom sum ultimately is still set at the affiliate's discretion and "whatever amount seems fair," LockBit said, the guidance above should be followed in textbook ransomware deployment scenarios.
Affiliates may adjust ransoms if they fail to destroy the victim's backups, for example.
The second rule concerns the discounts being offered by affiliates. While the ransom sum can still be set somewhat at the affiliate's discretion, they now have much less of a license to hand out discounts, setting a hard maximum of 50 percent.
"From October 1, 2023, it is strictly forbidden to discount more than 50 percent of the originally requested amount in correspondence with the attacked company during the negotiation process," said LockBit in a message sent to affiliates, shared with Analyst1.
"For those who have a steely character, know how to determine the ransom amount that a company will pay with a high probability and almost never make large discounts, please keep this rule in mind and adjust the ransom amount with the size of the maximum allowable discount. The ransom amount is still set at your discretion in whatever amount seems fair to you.
- Impatient LockBit says it's leaked 50GB of stolen Boeing files after ransom fails to land
- Boeing acknowledges cyberattack on parts and distribution biz
- LockBit alleges it boarded Boeing, stole 'sensitive data'
- CDW data to be leaked next week after negotiations with LockBit break down
"Please strictly follow the rules and try to adhere to the recommendations as much as possible."
Analyst1 cited previous conversations between LockBit and The Register as an example of these new policies in action.
When negotiations between reseller giant CDW and LockBit broke down in early October, the Windows ransomware group's spokesperson told us that it calculated CDW's annual revenue to be $20 billion and its payment offer was far too low.
"As soon as the timer runs out you will be able to see all the information, the negotiations are over and are no longer in progress," a LockBit spokesperson said at the time. "We have refused the ridiculous amount offered."
In accordance with LockBit's new ransom guidelines, a $20 billion valuation would see the demanded ransom set between $20 million and $6 billion.
LockBit posted on its leak blog that CDW only offered it $1.1 million as a ransom in response to the requested $80 million – an offer it seemingly deemed offensive.
"The ongoing battle between ransomware groups and their potential victims underscores the need to monitor new developments in this ever-evolving landscape closely," said Analyst1.
"The key takeaway from this analysis is the recognition that each LockBit case can be inherently unique, primarily due to the internal organizational structure. One of the most distinguishing factors is that affiliates who are responsible for the breach itself are also the ones behind negotiations. What does it mean? Every time a negotiator engages in a new case, they might deal with a different individual.
"The human factor, encompassing psychological nuances and varying experience levels, significantly influences the negotiation process. Therefore, affected entities must adapt and navigate these variables effectively to enhance their chances of a successful resolution in the complex landscape of mitigating LockBit attacks." ®