Infamous ransomware gang LockBit appears to be losing its touch as a series of mistakes over the past week has led to a serious blow in the reputation of the gang. A botched software update sparked a chain of events that has led researchers to deem the group “sloppy” and “amateur”.
The group has since posted leading Mediterranean port, the Barcelona Cruise Port, and Czech life sciences company Fofsa to its blog. Both have a deadline of April 25 to cooperate with the gang before their data is released to the dark web. Neither company has responded to Tech Monitor’s requests for comment.
The websites of both companies were up and running at the time of writing.
A series of mistakes has led to a serious blow in reputation for LockBit
Russian ransomware gang LockBit has posted three new victims to its dark web victim blog this week. However, at least one appears bogus as not only has the gang placed the wrong company name and logo on the blog, it demanded $800,000 for zero evidence of data and flirted with the wrong company’s CEO. “It looks like amateur hour over there,” Jon DiMaggio, researcher at Analyst1 said to Tech Monitor.
It is a long fall from grace as LockBit has gained an infamous reputation, claiming responsibility for notorious attacks such as those on the NHS, the Royal Mail and a supplier to Elon Musk’s SpaceX, in the past year alone.
An error in LockBit’s recent system update generated pages of nonsense to its revered dark web victim blog, attracting consternation from researchers online. The blog gathered numerous bogus victims called 123.com or 1.com, under lines of meaningless numbers, all bearing the usual threats of data release.
This was noticed by security company Darktracer International, who posted an alert on Twitter flagging a dip in “the reliability of the RaaS service operated by LockBit”.
“They appear to have become negligent in managing the service,” the tweet reads, meaning that the blog itself appears to have been “left unattended”.
In reality, an update to server-to-server communication security appears to have malfunctioned, explains DiMaggio. “They have a tool that automatically does that, so a test malfunction behind this seems plausible to me. It does seem a little stupid to do it at a public level, though. You’d think they would carry this sort of thing out on an offline server,” he told Tech Monitor.
Lockbit members then pursued Darktracer International in search of revenge. However, they mistook the security company for UK-based Darktrace, and flirted with its CEO, instead. “Poppy, would you like to go to a restaurant with me? You sexy <3” reads the message, above the usually intimidating legend: “All data will be published!”
The gang also threatened to release data it had allegedly uncovered belonging to the company, demanding $800,000 for information they could not produce. The links to alleged proof only led to the Darktrace website. This is clearly not the work of the key members, explains Dimaggio. “They have a lot of affiliates who work for them. It won’t be the core gang managing the blog. They will have to fix this though,” he said.
Neither of the companies appears to have incurred any damage. Darktrace has released a statement explaining it is “aware of tweets from LockBit,” but that it has found no evidence of intrusion.
“We will continue to monitor the situation extremely closely, but based on our current investigations we are confident that our systems remain secure and all customer data is fully protected.” Tech Monitor has yet to receive a reply to a request for comment from Darktracer International.
Researchers online appear to have lost all patience for what appears to be an already dwindling reputation. “I don’t believe a word from LockBit, only the data. He’s lost the little credibility he had left,” tweeted researcher Dominic Alvieri.