LockBit, one of the most prolific ransomware hacking groups, is using their victims’ financial statements as leverage to maximize their profits, according to a cyber incident response expert on Thursday.
“There have been multiple cases in which hackers demand payments based on the targeted companies’ financial documents,” said Lim Jung-yeon, a senior staff researcher and leader of the incident response team of South Korean cybersecurity firm S2W, at the first session of the 29th Network Security Conference Korea (NetSec-KR) on April 20. “They use information such as insurance coverages and cash equivalents.” The NetSec-KR, which is hosted by the Korea Institute of Information Security & Cryptology, is the largest cybersecurity academic conference in the country.
A ransomware attack is a hacking method in which cybercriminals hold victims’ data hostage through encryption and demand payment to unlock it. The attackers leave negotiation instructions on the targets’ computers and hand over the decryption key once a deal is reached. According to the expert, 99 companies fell victim to LockBit last month, the largest number for any ransomware group.
Lim explained that LockBit tends to set its initial ransom demand with the negotiation process in mind, which sometimes includes offering discounts to its “clients,” the word the hacking group uses for its victims during negotiation.
This practice sometimes works in favor of cybersecurity researchers. If the hackers request a relatively low payment at the start of the negotiation, it may indicate that they failed to obtain the company’s confidential information.
The expert shared an actual case in which LockBit requested 50,000 dollars from a victim at the start of the negotiation. This was roughly 30 to 150 times lower than the amounts the hackers had demanded from other companies with comparable earnings. From the size of the demand, the researcher inferred that the hackers might have failed to steal sensitive data because the company’s internal network was well protected. The final deal was settled at 40,000 dollars, a 20% decrease from the initial ransom amount, the expert explained.
“They also use the extorted sensitive data, such as recently secured contract information, and apply it in deducing the initial ransom amount,” the senior researcher told The Readable. “Not only LockBit but also many other ransomware groups are looking into financial statements.”