Pandas in a sandstorm: navigating the name chaos of cybercrime
Did you know that the LockBit gang is not usually behind a LockBit attack? We explain why and shed light on confusing naming conventions.
(Image: created with Bing Image Creator by ovw)
Anyone who regularly reads IT security news will be familiar with LockBit. Of course, it's an extremely successful ransomware that recently led to the arrest of several people and the indictment of a suspected developer. And yet it is still active and recently ravaged the networks of over 40 schools.
The fact that we at heise security, like other media, use the name "LockBit" for both the gang pulling the strings and the malicious code itself is understandable and can help with attribution. But on closer inspection, this equation creates confusion and, in the worst case, can even distract from the real perpetrators.
If you are now confused or at least curious, you should definitely read on. In this article, we explain the pitfalls of naming cybercrime groups. And we look at how security software manufacturers, knowledge databases and journalists can help to sort out the existing naming chaos.
DIY crimeware: "Who did it?"
To better understand the fundamental problem, it is worth looking back at the beginnings of cybercrime. Back then, hardened villains were looking for ways to boost their bank balances. To this end, from the early 2000s onwards, they increasingly turned to programming crimeware, including ransomware, but also infostealers for harvesting banking data and other sensitive information.
Malicious code development, attack planning and execution were initially concentrated in the hands of a single person or gang. As a result, antivirus manufacturers and the press became accustomed to referring to these groups by their crimeware names. After all, there was no reason for a separate name.
However, this changed from the 2010s onwards, when criminals without programming or malware expertise also wanted to profit from the increasingly lucrative business. As a result, the first crime toolkits such as ZeuS and SpyEye appeared on the underground markets: modular kits that made it possible for virtually anyone to launch attacks without any special prior knowledge.
This meant that it was no longer the developers of the code who were responsible for specific campaigns, but their customers.
Today: Affiliates as the real players
From this point onwards, the practice of choosing unique names for all groups involved gradually became established among security software manufacturers. This is because a phrase such as "ZeuS gang attack" would not only be incorrect in the case of the scenario just described, but would also distract from the toolkit buyers as the real perpetrators.
(Image: Screenshot / cynet.com)
In today's fully professionalized crimeware business, attack tools like LockBit are marketed on an "as-a-service" model. A group like the LockBit gang provides the extortion tool along with the complete infrastructure and collects commissions in return. But it is those who rent this infrastructure, also known as affiliates, who then use it to extort millions. A LockBit spokesperson, who reported hundreds of affiliates worldwide some time ago, gives an idea of the level of interest.
Without a clear distinction between the LockBit group as a ransomware-as-a-service (RaaS) provider and the affiliates operating in each case, the latter could hide behind the rented LockBit tool. And they could ultimately walk away from the affair undetected by simply swapping it for another one. Such changes are not only common when a specific crimeware offering is taken down: a change of attack targets also often requires strategies and tools to be adapted.