Source headline: "Being seen as reliable is good for 'business' and ransomware groups care about 'brand reputation' just as much as their victims"
# Threat Actor: LockBit Ransomware Group
## Attribution & Identity
This summary focuses on the **LockBit** Ransomware-as-a-Service (RaaS) gang, based on research presented by Max Smeets of Virtual Rotes at Black Hat Europe 2025.
**Known Aliases:** None cited in the source. **Associated Groups:** The affiliates who operated under the LockBit RaaS structure (194 at its height).
## Activity Summary
* Peak activity between 2022 and 2024.
* At its peak, the operation managed 194 affiliates.
* Over 110 of those affiliates took at least one attack as far as the negotiation stage.
* Approximately 80 affiliates received a ransom payout through the LockBit operation for at least one successful attack, so fewer than half of the affiliate base was ever paid.
* Law enforcement operations in 2024 aimed to disrupt LockBit operations and specifically targeted the gang's reputation to erode trust among affiliates.
* LockBit operators prioritize maintaining a positive **brand reputation**: they must be seen as trustworthy and known for upholding their end of the deal (delivering working decryptors and deleting exfiltrated data after payment rather than retaining it) so that affiliates keep working with them and victims keep paying.
## Tactics, Techniques & Procedures
- **Affiliate Model:** Utilizing affiliates to research victim networks, identify, and exfiltrate sensitive data before deploying encryption.
- **Data Exfiltration/Extortion:** The core threat involves exfiltrating large amounts of sensitive data and encrypting internal systems.
- **Negotiation/Trust Management:** Operators must maintain negotiation credibility (delivering services as paid for) to secure extortion payments.
- **Target Reconnaissance:** Affiliates conduct deep research on the company, specifically looking for financial data that indicates a willingness or capacity to pay.
- **Financial Assessment TTP:** A key intelligence-gathering objective is locating documentation that details the victim's **cyber insurance coverage** (in particular the policy limits), so the ransom demand can be pitched at what the policy will pay out, effectively shifting the financial burden onto the insurer.
## Targeting
- **Sectors:** Not explicitly limited, but targeting includes companies whose financial situation (potentially indicated by insurance coverage details) suggests they are likely to pay.
- **Geography:** Not specified beyond the context of a global conference presentation.
- **Victims:** Victims that pay may attract greater media coverage, which the presenter suggests can damage their reputation; the article nonetheless notes that paying may be the most cost-effective option in some cases, citing the Caesars Palace and MGM attacks as high-cost incidents in which the decision whether to pay was critical.
## Tools & Infrastructure
- **Malware Families Used:** LockBit ransomware, supplied to affiliates through the group's RaaS platform.
- **Infrastructure (C2, domains, IPs):** Not specified in the source.
## Implications
Ransomware groups, LockBit in particular, depend heavily on **reputation and trust** within their underground ecosystem to sustain the RaaS business model. Law enforcement action that targets that reputation can cause affiliates to switch providers. The existence and terms of a victim's cyber insurance policy are a key input adversaries use to size the extortion demand.
## Mitigations
- **Protect insurance documentation:** Cyber insurance policy documents and all related communications (broker and insurer correspondence) should be kept on segmented, access-controlled systems, or entirely off the main corporate network, with access audited, so that an affiliate who has gained a foothold cannot simply find them on a file share.
- **Payment decision:** For victims, the trade-off between paying (faster recovery and potentially lower immediate cost, but more media attention) and not paying (risk of prolonged disruption) remains a complex business decision, shaped by obligations to shareholders and by the insurer's input.
- **Actor-side trust (context, not a defender mitigation):** For the ransomware group, prompt delivery of working decryptors and deletion of exfiltrated data after payment are what sustain affiliate engagement and victims' willingness to pay.
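The reconnaissance TTP above (affiliates hunting file shares for cyber insurance documentation) and the segmentation mitigation both assume the defender already knows where that material lives and who legitimately reads it. The Python below is an added example written for this summary; it is not code from the original article or from the presenter. It does two things a practitioner can run in advance of an intrusion: score an inventory of documents by how much they resemble policy material (filename and content phrases), and walk file-access audit events to flag reads of that material by accounts outside an approved group or bulk reads by a single account. The keyword weights, the approved-account list, the share paths, the document contents and the audit events are all constructed assumptions for the example; the event fields are the minimal subset of a Windows object-access (4663) record the check needs.

```python
"""Defender-side checks for the 'cyber insurance reconnaissance' TTP.

Part 1 scores documents by how much they resemble cyber-insurance policy
material (filename plus content phrases) so the defender can locate and
relocate it before an affiliate does.  Part 2 walks file-access audit events
and flags reads of that material by accounts outside an approved group, or
bulk reads by any single account inside a short window.

All sample documents, account names and audit events below are constructed
for this example; the keyword weights are an assumption, not a published scheme.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Phrases typical of policy wording and broker correspondence (assumed weights).
KEYWORD_WEIGHTS = {
    r"\bcyber\s*(liability|insurance|policy)\b": 3,
    r"\bransomware\s+(coverage|sub-?limit)\b": 3,
    r"\b(extortion|business\s+interruption)\s+coverage\b": 2,
    r"\b(aggregate|policy)\s+limit\b": 2,
    r"\bsub-?limit\b": 2,
    r"\bretention\b|\bdeductible\b": 1,
    r"\binsured\b|\binsurer\b|\bunderwriter\b": 1,
}
FILENAME_HINTS = re.compile(r"cyber|insur|policy|coverage|renewal", re.I)
_COMPILED = [(re.compile(p, re.I), w) for p, w in KEYWORD_WEIGHTS.items()]


def score_document(path: str, text: str) -> int:
    """Heuristic score: 2 for a telling filename plus the weight of each phrase hit."""
    filename = path.rsplit("/", 1)[-1]
    score = 2 if FILENAME_HINTS.search(filename) else 0
    return score + sum(w for rx, w in _COMPILED if rx.search(text))


def find_policy_material(docs: dict, threshold: int = 5) -> list:
    """Paths whose score meets the threshold, highest score first."""
    scored = sorted(((score_document(p, t), p) for p, t in docs.items()), reverse=True)
    return [p for s, p in scored if s >= threshold]


def flag_policy_access(events, sensitive_paths, allowed_accounts,
                       window=timedelta(minutes=10), bulk_threshold=3):
    """Return findings from file-access events touching insurance material.

    Each event is a dict with 'time', 'user' and 'path'.  Findings are
    ('unexpected_account', user, path) for any read by an account outside
    allowed_accounts, and ('bulk_read', user, n) once one account has read n
    distinct sensitive documents within the window (affiliates sweep shares;
    finance staff open one policy at a time).
    """
    sensitive = set(sensitive_paths)
    recent = defaultdict(list)          # user -> [(time, path), ...]
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["path"] not in sensitive:
            continue
        if ev["user"] not in allowed_accounts:
            findings.append(("unexpected_account", ev["user"], ev["path"]))
        hist = recent[ev["user"]]
        hist.append((ev["time"], ev["path"]))
        hist[:] = [(t, p) for t, p in hist if ev["time"] - t <= window]
        distinct = {p for _, p in hist}
        if len(distinct) >= bulk_threshold:
            findings.append(("bulk_read", ev["user"], len(distinct)))
    return findings


# --- constructed sample data (not real shares, accounts or events) ------------
POLICY = "//fs01/finance/insurance/Cyber_Policy_2025_Renewal.pdf"
EMAIL = "//fs01/finance/insurance/broker_email_2025-03.txt"
QUESTIONNAIRE = "//fs01/finance/insurance/Cyber_Insurance_Questionnaire_2024.docx"
HANDBOOK = "//fs01/hr/handbook.docx"
NOTES = "//fs01/eng/release_notes.md"

SAMPLE_DOCS = {
    POLICY: "Cyber liability policy. Aggregate limit USD 5,000,000. "
            "Ransomware sub-limit USD 1,000,000. Retention USD 100,000.",
    EMAIL: "Per our call, the insurer confirmed the ransomware coverage and "
           "business interruption coverage for the renewal.",
    QUESTIONNAIRE: "Underwriter questionnaire: MFA on remote access, backups "
                   "tested quarterly, policy limit requested USD 5,000,000.",
    HANDBOOK: "Employee handbook. Holiday policy and expense process.",
    NOTES: "Fixed retention of stale sessions; no policy changes.",
}

ALLOWED = {"CORP\\a.treasurer", "CORP\\legal.counsel"}   # assumed approved readers
T0 = datetime(2025, 6, 1, 2, 15)                          # 02:15, off-hours

SAMPLE_EVENTS = [
    {"time": T0, "user": "CORP\\a.treasurer", "path": POLICY},
    {"time": T0 + timedelta(minutes=1), "user": "CORP\\svc_backup", "path": POLICY},
    {"time": T0 + timedelta(minutes=2), "user": "CORP\\svc_backup", "path": QUESTIONNAIRE},
    {"time": T0 + timedelta(minutes=3), "user": "CORP\\svc_backup", "path": EMAIL},
    {"time": T0 + timedelta(minutes=4), "user": "CORP\\svc_backup", "path": HANDBOOK},
    {"time": T0 + timedelta(minutes=60), "user": "CORP\\a.treasurer", "path": EMAIL},
]

if __name__ == "__main__":
    material = find_policy_material(SAMPLE_DOCS)
    print("Insurance material to relocate/segment:", material)
    for finding in flag_policy_access(SAMPLE_EVENTS, material, ALLOWED):
        print("ALERT", finding)
```

On the constructed data the inventory scan surfaces the policy, the broker email and the underwriting questionnaire (the HR handbook and release notes score below the threshold despite containing the words "policy" and "retention"), and the access check raises three unexpected-account alerts plus one bulk-read alert for the backup service account sweeping the insurance folder at 02:15, while the treasurer's two reads an hour apart produce nothing. In production the document dictionary would come from a share crawl and the events from the SIEM; the point is that the same search an affiliate runs can be run first by the defender.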