LockBit Leaks Expose Nearly 200 Affiliates and Bespoke Data-Stealing Malware

This article provides an update on recent revelations regarding the LockBit ransomware group. Law enforcement authorities have disclosed that nearly 200 "affiliates" have registered with the group over the past two years. Affiliates are individuals who participate in the gang's ransomware-as-a-service model, utilizing LockBit's tools in exchange for a share of the profits obtained from victims.

The National Crime Agency (NCA) is releasing new information daily, as they have control over LockBit's site following the successful takedown of the ransomware gang. Today's leak from LockBit includes data from the group's affiliate portal, revealing 187 registered affiliates between January 31, 2022, and February 5, 2024.

The FBI initiated an investigation into LockBit in 2020, and the group has since developed new variants of its ransomware. The leaked data is expected to aid in identifying individuals involved in deploying the ransomware and participating in the LockBit affiliate program.

Law enforcement agencies have seized control of LockBit's platform and obtained significant data, including details of attacks, extorted funds, stolen data, and communication logs. The NCA has defaced the affiliate portal with a message addressing affiliates directly, warning them of the investigation and potential repercussions.

Security Officer Comments:
Additionally, details about StealBit, LockBit's bespoke data exfiltration tool offered to affiliates, have been revealed. StealBit is used to steal data from victims before deploying the ransomware payload. The tool allows affiliates to select specific files for exfiltration, which are then sent back to LockBit via proxy servers. Law enforcement has located and "destroyed" all six of StealBit's proxy servers, warning against any attempts to reactivate them.

Suggested Corrections:
Overall, the NCA, along with international law enforcement partners, is actively dismantling LockBit's infrastructure and pursuing those involved in the ransomware operations.