LockBit, one of the most prolific Ransomware-as-a-Service operations in the world, has introduced new negotiation rules for its affiliates. The revised rules were imposed due to the LockBit leadership’s disappointment with lower-than-expected ransom payments, according to a report published by Analyst1.
The ransom amounts and discounts offered by LockBit affiliates vary significantly from case to case. In one case, a company boasting a substantial revenue of nearly $700 million faced a ransom demand of $5 million, coupled with a 25% discount. Meanwhile, a company with a revenue of approximately $38 million was met with an initial ransom of $1.5 million, alongside a more generous 30% discount.
The root of these discrepancies lies in the decentralized nature of LockBit's affiliate network, reportedly made up of hundreds of individuals. Prior to the rule change that came into effect in October 2023, ransomware negotiations were largely unregulated, with no codified rules or guidelines. The researchers said that the varied ransom amounts stem from the differing levels of experience among affiliates, many of whom are young and inexperienced, and from their willingness to offer discounts.
In some cases, affiliates offered discounts of up to 90% just so they could get a payout. And this, in turn, affects more seasoned criminals, who offer more reasonable discounts.
In response, new rules were implemented detailing negotiation tactics that affiliates are required to adhere to, such as a tiered percentage-based system for ransom payments, depending on the victim's annual revenue:
- companies with revenue up to $100 million pay from 3% to 10%
- companies with revenue up to $1 billion pay from 0.5% to 5%
- companies with revenue of more than $1 billion pay from 0.1% to 3%
However, “the final decision on a ransom payment amount is still at the affiliates' discretion, depending on their assessment of the damage inflicted on the victim,” according to the report.
Also, from now on, the affiliates are not permitted to offer discounts greater than 50% of the initial ransom demand.
Earlier this month, cybersecurity researchers warned that the LockBit ransomware group is mass-exploiting the remote code execution vulnerability (CVE-2023-4966 aka CitrixBleed) in Citrix NetScaler ADC and NetScaler Gateway products to compromise organizations.
This week, the US and Australian security agencies released a joint advisory highlighting IoCs (Indicators of Compromise), TTPs (tactics, techniques, and procedures), and detection methods associated with LockBit ransomware and multiple threat groups exploiting CitrixBleed.