LockBit says CDW data will be disclosed after negotiations fail • The Register


CDW, one of the largest resellers on the planet, will have its data leaked by LockBit after negotiations over ransom fees failed, a spokesperson for the cybercrime gang said.

Talk to The registerthe spokesperson, who uses the pseudonym LockBitSupp, suggested that during negotiations, CDW offered a sum so low that it insulted the scammers.

“We released them because in the negotiation process a $20 billion company refuses to pay enough money,” the source explained.

“As soon as the time runs out you will be able to see all the information, the negotiations are over and are no longer ongoing. We refused the ridiculous amount offered.”

LockBit did not respond to questions about its initial ransom demand or what CDW offered during negotiations. He also evaded questions about the nature of the data stolen and the methods used to hack the company.

According to the LockBit victims blog countdown, the CDW files are expected to be released early in the morning of October 11.

CDW has yet to comment on the incident, which appears to have been ongoing since at least September 3, when the company first posted about it on the LockBit blog.

The register reached out to CDW for clarity, but the company did not offer a response.

Its automatic email response reads: “Thank you for contacting CDW. Your request has been received and will be reviewed. If there is an opportunity or interest in further engagement, we will contact you as soon as possible. possible.”

The UK Information Commissioner’s Office (ICO) has confirmed that it has not received a breach report from CDW.

Cybersecurity analyst and researcher Dominic Alvieri said the company has technically been posted on the LockBit blog a total of three times. It was originally called “flashing” – a tactic involving the rapid posting and removal of a business to encourage a quick response from the victim.

“When delays come and go, it’s a sign that the company is negotiating or has at least acknowledged the incident,” he said.

“Reposting is usually the last step. The ransom process can take weeks or months.”

Posting a company multiple times on a victim’s blog is not something that happens in all cases, but it is a known aggressive tactic adopted by ransomware groups to speed up negotiations, experts said. The register.

“Ransomware groups are ramping up their tactics to force victims to pay quickly and this is part of their business model to extort more money in a timely manner from their targets,” said Jake Moore, Global Cybersecurity Advisor at ESET.

“LockBit has already used pressure tactics to coerce other victims into their attacks in order to accelerate ransom negotiations to finally pay off and with more or less success.

“There is always a chance, however, that this is a tactic used to force victims’ hands into acting quickly, but the initial claim is not really substantiated.

“This is a common bet between cybercriminals and their victims, where one wrong move and a poker face could cost businesses huge sums in ransoms and even more problems later due to data leaks in public view.”

A historical example of LockBit setting deadlines and not releasing stolen data was during the attack on Royal Mail International earlier this year.

The deadline was set for February 13 and no data was released. A day later, instead of making the data stolen by Royal Mail International public, LockBit published the full history of negotiations between it and the company in the form of a downloadable chat log.

Chat logs revealed that the ransom demand was initially set at $80 million, later offering a 50 percent cut after the company called the demands “absurd.”

At the time, the release of the chat logs was seen as an example of these scare tactics. After Royal Mail’s continued refusal to pay, LockBit eventually staggered the release of its data, much of which included employee information, into 10 separate dumps.

The UK’s National Cyber ​​Security Center (NCSC) has a long-standing stance against pay ransoms to cybercriminals.

In a study According to security firm CyberEdge, fewer than half of companies paying a ransom get all their data back.

During negotiations with Royal Mail, the transcript shows the negotiator trying to convince LockBit to hand over two files as proof that the criminals’ decryptor worked.

LockBit realized after a few days that the two files would have allowed Royal Mail to fully recover its systems without paying for the decryptor.

Towards the end of the negotiations, as Royal Mail appeared to stall LockBit as long as it could by saying it was waiting for its board to decide whether to pay the reduced ransom fee, LockBit became frustrated with this tactic. and published the data afterwards. days of no response from Royal Mail.

LockBit’s lies and other strange tactics

Over the years, LockBit has been accused of orchestrating various “PR stunts” to sow confusion and increase its level of notoriety.

These include “fake” ransomware attacks against large organizations, publishing their contact details on the LockBit website with a countdown to indicate when the stolen files will be published, just as is the case for real victims.

One such example occurred in June 2022, when he claimed to have raped incident response specialist Mandiant. In typical fashion, the countdown clock spent days reaching zero, and what was released was not the data it claimed to have stolen from the company, but rather a response to allegations that the group was linked to sanctioned cybercrime organization Evil Corp.

“The publicity stunt was likely orchestrated by LockBit because a combination of their activities with Evil Corp could have devastating financial consequences on their operations,” ReliaQuest said in a statement. blog post.

“Paying ransoms to these cyber threat groups is still not illegal in most countries; however, formal association with Evil Corp would make these payments potentially illicit, with significant civil and criminal implications for the organizations involved.

“Given that LockBit is one of the most prolific ransomware groups operating today, it is likely that they intend to continue their highly successful and profitable ransomware operations in the coming months .”

LockBit repeated the same trick later that year, this time against the French IT multinational Thales. Although in Thales’ case it was only half a lie.

At the time, public statements from Thales repeatedly denied evidence of a computer intrusion, but on November 10, 2022 – three days after LockBit promised to release its data – Thales confirmed that the data had been stolen and published.

However, the theft was committed by “two probable sources”, one of which was “confirmed via a partner’s user account on a dedicated collaboration portal”, and the other of which is unknown. ®

Leave a comment