The latest revelation from law enforcement regarding this week’s LockBit leaks is that the ransomware group had registered nearly 200 “affiliates” over the past two years.
Affiliates are people who buy into the gang’s ransomware-as-a-service model and willingly use LockBit’s products in exchange for a share of extorted victims’ loot.
New information about the group is being released daily by the National Crime Agency (NCA), which controls the LockBit site and transformed it yesterday, announcing the successful takedown of the world’s leading ransomware gang.
Today’s LockBit leak led to the sharing of information from the group’s affiliate portal, showing 187 different affiliates registered between January 31, 2022 and February 5, 2024.
LockBit 3.0 Affiliates List Published by NCA
The FBI began investigating LockBit in 2020, and the group has since developed new variants of its ransomware, the latest of which was released in mid-2022, so the data shared today likely shows all affiliates who have already deployed the most recent version. from LockBit.
Data collected by compromising LockBit’s backend will be used to investigate those involved in the ransomware deployment and who paid money to be part of LockBit’s affiliate program.
“A large amount of data was exfiltrated from the LockBit platform before it was all corrupted,” we can read on the LockBit website, now under the control of the NCA.
“Using this data, the NCA and its partners will coordinate further investigations to identify hackers who pay to be affiliated with LockBit. Some basic details published here for the first time.”
By covering the story Yesterday we compared the transformation of LockBit’s site into what is essentially a troll page to the NCA showing the middle finger to criminals – a finger it extended again today.
Not only did authorities reveal the pseudonyms of LockBit affiliates, but they also defaced the affiliate portal with a message for everyone, visible after logging in.
The UK, US, France, Germany, Switzerland, Australia, Finland and the Netherlands all participated in multinational efforts to destroy affiliate infrastructure, the website says .
“These servers enabled both the initial affiliate cyberattacks and supported the theft of victim data and its processing to the ‘StealBit’ servers.”
The disappearance of StealBit
Details of StealBit – Operation LockBit’s bespoke data exfiltration tool offered to affiliates – were revealed in yesterday’s announcement and released today as the second major reveal.
Much has been made over the years about LockBit’s various ransomware payloads and its double extortion model, but StealBit is the lesser-known malware that was first deployed with the LockBit 2.0 attacks dating back to 2021.
The NCA today released its analysis of StealBit, highlighting the tool’s importance in LockBit attacks and for the affiliates who deploy it.
Data is stolen from victims by affiliates before the ransomware payload is dropped and before organizations are locked out of their systems, using StealBit, which is password protected.
Once the exfiltration tool is deployed, it allows affiliates to select files from a specific folder or the entire computer, authorities said.
The selected files are then sent back to LockBit through one of six proxy servers using a WebDAV header, which contains a new 33-character file name starting with 0 or 1, the file path, the computer name and a unique identifier.
The unique identifier is what allows affiliates to be assigned for each data theft and is what LockBit management uses to see who should be paid for a given job.
If StealBit fails to connect to its hardcoded IP address used to send stolen data back to headquarters, it will shut down and uninstall itself to evade detection.
The most common method of data exfiltration involves running the data through the affiliate’s own infrastructure ahead of StealBit’s, which authorities say is to prevent incident responders to locate the malware servers.
Diagram of the two methods used by affiliates to steal victims’ data using StealBit malware
In a final warning to LockBit supporters, the NCA said that StealBit’s six proxy servers have been located and “destroyed” and that anyone “ill-advised” enough to attempt to bring them back online would be located.
“StealBit is an example of LockBit’s attempt to offer a complete ‘one stop shop’ service to its affiliates, encryption, exfiltration, trading, publishing,” the seized website reads.
“Essentially, we have fully analyzed and understood how this malware and its associated infrastructure works. We have located and destroyed the servers, and can locate them again if anyone was misguided enough to attempt to use it.” ®