Ransomware hackers look into financial reports for more payment, expert says

Ransomware hackers look into financial reports for more payment, expert says
Lim Jung-yeon, a senior staff researcher from South Korean cybersecurity firm S2W, is explaining the negotiation practice of the ransomware group known as LockBit at the first session of the 29th NetWork Security Conference Korea (NetSec-KR) on April 20. Photo by Kuksung Nam, The Readable

By Kuksung Nam, The Readable
Apr. 21, 2023 8:42PM GMT+9

LockBit, one of the most prolific ransomware hacking groups, is using their victims’ financial statements as leverage to maximize their profits, according to a cyber incident response expert on Thursday.

“There have been multiple cases in which hackers demand payments based on the targeted companies’ financial documents,” said Lim Jung-yeon, a senior staff researcher and leader of the incident response team of South Korean cybersecurity firm S2W, at the first session of the 29th Network Security Conference Korea (NetSec-KR) on April 20. “They use information such as insurance coverages and cash equivalents.” The NetSec-KR, which is hosted by the Korea Institute of Information Security & Cryptology, is the largest cybersecurity academic conference in the country.

A ransomware attack is a hacking method where cybercriminals hold victims’ data hostage through encryption and demand payment for unlocking that data. The attackers leave instructions for negotiation on the targets’ computers and provide the decryption key once the deal is sealed. According to the expert, 99 companies have fallen victim to LockBit last month, which was the largest number among all ransomware groups.

Lim explained that LockBit tends to set the initial ransom demand with the consideration of a negotiation process which sometimes includes offering discounts to their “clients,” a word used by the hacking group to indicate their victims during negotiation.

This practice sometimes works in the favor of cybersecurity researchers. If the hackers request a payment in the low-price range at the beginning of the negotiation, this could imply that they failed to gain the confidential information.

The expert shared an actual case where LockBit requested 50,000 dollars from a victim at the beginning of the negotiation. This was between nearly 150 to 30 times lower than the amount the hackers have demanded from other companies with comparable earnings. The researcher assumed from the ransom payment that the hackers might have failed to extort sensitive data as the company’s internal network system was well protected. The final deal was settled at 40,000 dollars, a 20% decrease from the initial ransom amount, the expert explained.

“They also use the extorted sensitive data, such as recently secured contract information, and apply it in deducing the initial ransom amount,” said the senior researcher to The Readable. “Not only LockBit but also many other ransomware groups are looking into financial statements.”


Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and privacy by engaging with industry giants, foreign government officials and experts. Before joining The Readable, Kuksung reported on politics for one of South Korea’s top-five local newspapers, The Kyeongin Ilbo. Her journalistic skills and reportage earned her the coveted Journalists Association of Korea award in 2021 for her essay detailing exclusive stories about the misconduct of a former government official. She holds a Bachelor’s degree in French from Hankuk University of Foreign Studies, a testament to her linguistic capabilities.