China and the US were hardest-hit by the LockBit ransomware group between December 2024 and April this year, research shows, with affiliates targeting 156 organizations in all.
Trellix Advanced Research Center has released its analysis of the LockBit SQL database dump it observed in May, noting that China was probably the greatest focus because of its large industrial base and manufacturing sector.
"Unlike BlackBasta and Conti RaaS groups that occasionally probe Chinese targets without encrypting them, LockBit appears willing to operate within Chinese borders and disregard potential political consequences, marking an interesting divergence in their approach," the researchers said.
Meanwhile, affiliates such as BaleyBeach, umarbishop47, and btcdrugdealer were active in the US, where attacks appeared to be more spread out among affiliates, suggesting a more opportunistic approach rather than specialized targeting.
Taiwan was the third most-targeted country, followed by Brazil and Turkey. One group, Swan, had a broad geographic reach, targeting multiple European countries including Austria, Czech Republic, and Switzerland.
This, researchers pointed out, indicates sophistication in the group's ability to navigate different regulatory environments.
"The victimology data reveals some unexpected targeting patterns. It's particularly surprising to see such a concentrated effort on Chinese and Taiwanese organizations," the researchers said.
"Unlike other ransomware groups that might shy away from such politically sensitive targets, LockBit appears to have operated with a different calculus."
LockBit affiliates are diversifying targets
Manufacturing was the most frequently targeted sector, followed by consumer services, the finance sector, and government services.
After analyzing LockBit negotiation chats, Trellix researchers discovered 18 confirmed payments to cryptocurrency wallets believed to be under the control of LockBit affiliates, netting them around $2,337,000.
"The data paints a picture of varying strategies, with initial ransom demands ranging from modest to exorbitant. What’s clear is that substantial discounts were the norm, often between 10% and 80%, highlighting the haggling that goes on behind the scenes of these cyber extortion attempts," researchers said.
"Affiliate success within LockBit varied significantly, indicating differences in skill and potentially specialization in specific familiar industries and/or countries."
The LockBit owner appears to have been charging affiliates 20% of ransom payments, adding up to around $456,000 over the period.
It made a lot less from auto-registration invitations, though - around $10,000 to $11,000.
"The assertion made by LockBit on the RAMP underground forum, which claimed monthly earnings of $100,000 from auto-registration, is thus considered to be significantly exaggerated," the researchers said.
LockBit is still causing havoc
LockBit was once one of the most prolific and successful ransomware-as-a-service groups, but was disrupted early last year by international law enforcement bodies.
Since then, a number of group members and affiliates have been arrested.
The group's exaggerated claims of earnings, researchers said, shows how cyber criminals are inclined to hype up their successes and downplay their failures.
"What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities," they said.
"While profitable, it’s far from the perfectly orchestrated, massively lucrative operation they’d like the world to believe it is."
MORE FROM ITPRO
- Building ransomware resilience to avoid paying out
- CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- UK government officials consider banning ransomware payments
-
An executive suggested laid off staff use AI for counseling – I think that's ludicrousOpinion In the immediate aftermath of Microsoft layoffs, promoting AI careers advice feels supremely cold
-
Everything we know about the Ingram Micro cyber attack so farNews A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culpritsNews Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackersNews While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
