In response to growing frustration within the LockBit organization, its leaders have overhauled the way affiliates deal with future ransomware victims.
LockBit’s management has expressed concern that the group’s payment rate is low and that the amounts its affiliates collect are too small, even when victims do pay.
Inconsistency in negotiations is another point of contention among the group’s leadership. There is a belief within LockBit that inexperienced affiliates fail to extract the expected minimum payments from victims and frequently offer unauthorized discounts.
Before the rule changes took effect in October, there were few codified rules or guidelines for negotiation. Affiliates were left entirely to their own discretion, negotiations were inconsistent, and a growing number of victims refused to pay the ransom.
This is mainly blamed on the group’s less experienced affiliates offering discounts that are too large relative to the ransom amount. Additionally, incident responders who track the group’s negotiations record this data and use it against LockBit.
If a victim’s negotiators believe they can get a bigger discount than a more experienced affiliate is offering, because previous attacks have shown there is room to negotiate, they break off talks and refuse to pay anything. The victim feels it is getting a bad deal, and the criminals end up not getting paid.
In some cases, LockBit said it has seen affiliates offer discounts of up to 90% just to earn their commission. This is said to undermine ransom collection by more experienced criminals who offer less aggressive discounts.
LockBit has therefore introduced guidance for affiliates to follow, with rules on the maximum discount they can offer and how far below the initial demand a negotiation can go.
According to intelligence gathered by security specialist Analyst1, LockBit ran a survey in September that set out the group’s complaints and gave affiliates the chance to vote on potential rule changes.
Affiliates now have six options to choose from:
- Leave everything as is. Affiliates continue to set their own terms without restrictions.
- Set a minimum ransom demand as a percentage of the company’s annual revenue, for example 3%, and prohibit discounts of more than 50%. So if the company’s revenue is $100 million, the initial demand should start at $3 million, and the final payment should be more than $1.5 million.
- Set no minimum demand, leaving it to depend on the victim’s circumstances, but cap the discount at 50%. For example, if the initial ransom is set at $1 million, the affiliate cannot accept a payment of less than $500,000.
- If cyber insurance is found, prohibit payments below the victim’s insured amount.
- If cyber insurance is found, prohibit payments of less than 50% of the victim’s insured amount.
- Another suggestion of the affiliate’s own.
LockBit has since settled on two rules that govern all negotiations from October 1.
The first concerns the size of the ransom demand and how affiliates set the initial amount in proportion to the victim’s annual revenue.
- Revenue up to $100 million – ransom must be 3-10% of revenue
- Revenue up to $1 billion – ransom must be 0.5-5%
- Revenue of $1 billion or more – ransom must be 0.1-3%
While the total ransom amount is ultimately still at the affiliate’s discretion, set at “an amount they feel is fair,” LockBit said the guidance above should be followed in a textbook ransomware deployment scenario.
For example, affiliates may adjust the ransom amount if they were unable to destroy the victim’s backups.
The second rule concerns the discounts affiliates offer. The ransom amount itself remains largely at the affiliate’s discretion, but the power to offer discounts has been significantly curtailed, with the maximum now set at 50%.
“From October 1, 2023, it is strictly prohibited to offer discounts of more than 50% of the original requested amount to the attacked company during the negotiation process,” LockBit said in a message sent to affiliates and shared with Analyst1.
“Those who have a steely character and know how to determine with high probability the amount of ransom a company will pay, and who rarely give deep discounts, should keep this rule in mind and adjust the ransom amount to the largest size allowed. The ransom amount will still be set at your discretion, at an amount that you feel is fair to you.
“Please adhere to the rules and try to follow the recommendations as closely as possible.”
Analyst1 cites LockBit’s dealings with CDW, reported by The Register, as an example of these new policies in action.
When negotiations between reseller giant CDW and LockBit broke down in early October, a spokesperson for the ransomware group put CDW’s annual revenue at $20 billion and said the company’s payment offer was far too low.
A LockBit spokesperson said at the time: “As soon as the timer expires, all information will be available for review. The negotiations have concluded and are no longer ongoing. We declined an offer of an outrageous amount.”
Under LockBit’s new ransom guidelines, for a company with $20 billion in revenue, the demand would be required to fall between $20 million and $6 billion.
LockBit posted on its leak blog that CDW had offered only $1.1 million against the $80 million the gang had demanded, an offer the group evidently regarded as far too low.
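To make the two rules concrete, here is an added Python example; it is not code from the article, Analyst1 or the group. It encodes the revenue tiers and the 50% discount cap exactly as stated above, so an incident responder or threat analyst can see where a given initial demand and counter-offer sit relative to the affiliate's own mandated limits. The CDW figures reported above ($20 billion revenue, $80 million demand, $1.1 million offer) are used as constructed sample input; the demand band is computed straight from the stated percentages, and how the tier boundaries ("up to", "or more") are handled is an assumption.

```python
# Added example, not code from the article, Analyst1 or LockBit: encodes the
# two negotiation rules reported above so a responder can see where a demand
# and a counter-offer sit relative to them. The handling of the boundary
# values ("up to $100M", "$1B or more") is an assumption.
from dataclasses import dataclass

MAX_DISCOUNT = 0.50  # second rule: at most 50% off the original demand


def demand_band(revenue):
    """Return the (low, high) demand range in USD implied by the first rule.

    Tiers as stated in the article; a revenue of exactly $1B is treated as
    "$1 billion or more" and exactly $100M as "up to $100 million".
    """
    if revenue <= 0:
        raise ValueError("annual revenue must be positive")
    if revenue >= 1_000_000_000:          # $1B or more: 0.1-3%
        lo, hi = 0.001, 0.03
    elif revenue > 100_000_000:           # up to $1B: 0.5-5%
        lo, hi = 0.005, 0.05
    else:                                 # up to $100M: 3-10%
        lo, hi = 0.03, 0.10
    return revenue * lo, revenue * hi


@dataclass
class Assessment:
    band_low: float         # smallest demand the guidance allows for this revenue
    band_high: float        # largest demand the guidance allows
    demand_in_band: bool    # does the initial demand follow the first rule?
    floor: float            # lowest payment the 50% cap lets the affiliate accept
    discount: float         # discount the victim's offer would amount to (0..1)
    offer_acceptable: bool  # could the affiliate take the offer under the cap?


def assess(revenue, demand, offer):
    """Compare an initial demand and a victim's counter-offer against the rules."""
    if demand <= 0 or offer < 0:
        raise ValueError("demand must be positive and offer non-negative")
    low, high = demand_band(revenue)
    floor = demand * (1 - MAX_DISCOUNT)
    discount = 1 - offer / demand
    return Assessment(
        band_low=low,
        band_high=high,
        demand_in_band=low <= demand <= high,
        floor=floor,
        discount=discount,
        offer_acceptable=offer >= floor,
    )


def summarize(a):
    """One-line human-readable summary of an Assessment."""
    return (
        f"demand band ${a.band_low:,.0f}-${a.band_high:,.0f}, "
        f"demand {'inside' if a.demand_in_band else 'outside'} band; "
        f"offer is a {a.discount:.1%} discount, floor ${a.floor:,.0f}, "
        f"offer {'meets' if a.offer_acceptable else 'is below'} the floor"
    )


if __name__ == "__main__":
    # Constructed sample input using the CDW figures reported in the article.
    cdw = assess(revenue=20_000_000_000, demand=80_000_000, offer=1_100_000)
    print(summarize(cdw))
```

For the CDW figures the $80 million demand falls inside the band the percentages produce, while the $1.1 million offer is a discount of more than 98%, far below the $40 million floor that the 50% cap would have left the affiliate; that is the mismatch a responder would expect to see before talks collapsed. The `demand_in_band` flag is the more useful signal in practice: a demand outside its tier suggests either an inexperienced affiliate or a deliberate deviation, such as the backup-survival adjustment the article mentions.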
“The ongoing battle between ransomware groups and their potential victims highlights the need to closely monitor new developments in this evolving landscape,” said Analyst1.
“A key takeaway from this analysis is the recognition that each LockBit case may be unique in nature, primarily due to the group’s internal organizational structure: the affiliate responsible for the intrusion itself is also the one behind the negotiations. What does this mean? Negotiators will often be dealing with a different person each time they take on a new case, and there may be room to negotiate.
“Human factors, including psychological nuances and varying experience levels, have a significant impact on the negotiation process. Affected companies therefore need to understand the complexities of mitigating a LockBit attack in order to ensure a successful resolution. These variables must be effectively adapted to and manipulated to increase the chances of success.” ®