Ransomware group LockBit has modified its organizational strategy on negotiations in a bid to increase its illicit revenue, BNN Bloomberg reports.
According to a report from cyber threat intelligence firm Analyst1, the gang's leadership has expressed disappointment in its ransom payouts being lower than those of rival ransomware groups. This was attributed to the organization's rapid expansion and addition of "young and inexperienced" affiliates, the report stated. In response, new rules were established detailing negotiation tactics that affiliates are required to adhere to, such as demanding 3% to 10% of total sales from victims with revenue of up to $100 million, 0.5% to 5% for firms with up to $1 billion in sales, and 0.1% to 3% for firms with revenue exceeding $1 billion. However, "the final decision on a ransom payment amount is still at the affiliates' discretion, depending on their assessment of the damage inflicted on the victim," said the report. LockBit was responsible for several of the largest ransomware incidents of 2023, including attacks on Boeing Co., Industrial Commercial Bank of China, and the Royal Mail of the United Kingdom.
LockBit criminals tighten ransom demands
Attackers purporting to be Royal Mail distributed malicious emails about a failed package delivery with a PDF attachment that included a link redirecting to a Dropbox-hosted ZIP file, which then facilitated the execution of Prince ransomware.
Such websites, which are operated under "AI Nude" and are advanced by black hat SEO techniques, promise the conversion of uploaded photos into deepfake nudes but display a link, which, when clicked, redirects to another site with the password and link to the password-protected Dropbox-hosted archive that contains the infostealer malware.
Both iOS and Android devices have been targeted with attacks involving the fake app dubbed "SB-INT," which lured victims into manually trusting the Enterprise developer profile before triggering the registration process that would seek additional information from victims.