Learn from LockBit’s Leaked Logs

Negotiations that is. The Royal Mail.

LockBit leaked logs of the negotiations with the Royal Mail

These make for interesting reading. There are a bunch of techniques used by spies handling agents that show up here.

Firstly, all decisions are made by someone of higher authority.

Secondly, the negotiator is not only unable to make decisions, they’re not even definitely involved in the whole thing. They claim to be someone from the IT department. Much as a spy never says “I work for MI6, give me the documents” and instead says, “I work at the embassy. I will see that this gets to the right people.”

Thirdly, there are multiple little tricks of subterfuge and “confusion” to delay the negative consequences.

“You have the wrong company, we don’t make that much, in fact we lose money!” “Can you decrypt 6G of critical data. I know you don’t want people to die.” “They don’t want to go forward without knowing that your decryptor works”

Ultimately it fails because the negotiations could never succeed. The Royal Mail was not going to pay, and so LockBit was always going to end up releasing data. I don’t know what the negotiations were supposed to accomplish, but the negotiator was skilful in handling the ransomware operator.

https://www.pwndefend.com/2023/02/15/lockbit-3-0-and-royal-mail-chats-published/

-