LockBit holds 33TB of stolen data and its ransom deadline is up: What’s next and is it real or hoax?




The notorious — and notoriously aggressive — ransomware gang LockBit is top of the cybersecurity headlines once again, after its bold claim that it successfully hacked 33 terabytes of sensitive data from the Federal Reserve. Further, the group has insinuated that the feds offered up just $50,000 to keep it from leaking that data — which LockBit has purportedly just done because its demands were not met. 

LockBit mocked and taunted government negotiators on its leak site, saying: “33 terabytes of juicy banking information containing Americans’ banking secrets. You better hire another negotiator within 48 hours, and fire this clinical idiot who values Americans’ bank secrecy at $50,000.”

The claim comes just months after an international task force took down the group’s infrastructure (34 servers and 14,000 accounts) and authorities arrested its top alleged leaders. Considering this toppling, many industry experts and watchers are skeptical of whether the claim is true — but given the group’s past tactics, it’s not out of the realm of possibility, either. 

“At this stage we sense that LockBit’s announcement might be a hoax,” said Aviral Verma, lead threat intelligence analyst for Securin. “The group has not published any samples of stolen data, against their usual MO.”




Early reports seem to indicate just that, with the just-leaked data believed to have come from a bank that was recently penalized by the Federal Reserve for “deficiencies in the bank’s anti-money laundering, risk management and consumer compliance programs.”

An attention-seeking stunt?

LockBit has historically been the “most prolific and widely-deployed ransomware strain across the globe,” explained John Hammond, principal security researcher at Huntress, whose team was an integral part of taking down the group in February. The group operates on a ransomware-as-a-service model: it has commoditized its encryption tooling so that other ill-intentioned actors, acting as initial access brokers, can supply it with new potential victims.

The group’s MO is to go after high-profile targets and publicly denounce them if they refuse to pay, then leak sensitive information on its site (in the case of The Boeing Company, for instance, it shared 50 gigabytes of data). At the same time, the gang has made false claims that were quickly dismissed — for instance, against the cybersecurity firms Darktrace and Mandiant. 

“This won’t be the first time the group has made false claims,” said Verma. “The group had even claimed the FBI as one of its victims, out of frustration post Operation Cronos (the LockBit infrastructure takedown).”

He noted that it may just be an attention-seeking stunt, or even a “ploy to regain notoriety among potential affiliates.”

Following its takedown in February, LockBit appears to be “in a state of desperation,” noted Ferhat Dikbiyik, chief research and intelligence officer of Black Kite. The group could be attempting to regain its credibility and recruit affiliates by showcasing such high-profile attacks. 

“These statements could be misleading, false or grossly exaggerated,” said Dikbiyik. “I urge the community and organizations to approach these claims with extreme caution.”

It’s unusual for ransomware groups to successfully breach such significant institutions without “swift retaliation or acknowledgment,” he said. The size of the alleged breach and the “dramatic narrative” could very well be part of a broader strategy to instill fear and re-establish dominance in the cybercrime ecosystem. 

“Lockbit is known for being dramatic and has made many false hacking claims before, so we should take anything they claim with a rather large grain of salt,” said Chester Wisniewski, global field CTO at Sophos. “Unless the Fed confirms the breach, this is purely conjecture and we should all just move along and stop giving them the attention they so desperately crave.”

Dismissive, comical response

On its leak site, LockBit scoffs at the piddling payout and lays out the structure of the Federal Reserve for context, noting that it distributes money through 12 banking districts across the U.S., including major cities Boston, NYC, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City and San Francisco. 

“The $50,000 offer from the U.S. negotiator was perceived as an insult, considering the true value of the 33 terabytes of data they claimed to have stolen,” said Peter Avery, VP of security and compliance at Visual Edge IT. 

This data likely includes sensitive information about citizens, banking details, wiring numbers and possibly encryption keys that could be worth hundreds of millions of dollars, he noted. The group’s response was “not only dismissive but almost comical.” 

“LockBit has made at least half a billion dollars so far, so they’re going to laugh at the small payments offered by one of the most strategically important financial institutions on the planet,” agreed Matt Radolec, VP for incident response and cloud operations at Varonis. 

If the claims are true, the gang will “likely stick around for the long game” and negotiate with the feds, he predicted, also warning that “they typically mean it when they say they will leak data.” 

This, he noted, should leave us asking: “Why does the Federal Reserve value this data so little?”

If it is true…

An attack on government infrastructure isn’t unprecedented — governments have long been top targets of ransomware gangs, as they often hold very sensitive data and tend to have hybrid cloud and on-prem environments that increase their attack surface, said John Paul Cunningham, CISO at Silverfort. 

“If LockBit did indeed execute this attack, it’s likely to affect the Federal Reserve’s availability and viability of its entire technology ecosystem,” he said. But it is also in the crosshairs of law enforcement, as evidenced by its recent takedown. “If this latest attack is proven true, LockBit’s freedom will be numbered in the weeks to come.”

Hammond noted that an intrusion or compromise of an organization in the Federal Reserve’s position might mean “just outright chaos.” Without historical precedent it is tough to say for sure, he noted, but it’s certainly easy to imagine: banking systems may need to shut down, monetary policy could become unreliable, prices and interest rates may be destabilized, and trust in consumer protection would be degraded.

“Considering the size and scale of the Federal Reserve and the potential impact, it’s an odd line between what might be a reality or what could just be exaggerated paranoia,” said Hammond.

Without confirmation from the Federal Reserve, we have to take LockBit’s operators at their word, noted Marc Laliberte, director of security operations at WatchGuard Technologies. 

“It is within the realm of possibility — perhaps even likely, given the group’s track record — that they have successfully stolen 33 terabytes of banking information,” he said. 

Ultimately, this puts the Federal Reserve in a difficult position faced by thousands of private organizations every year: Do they pay the ransom and trust that the group stays true to its word and deletes the stolen data? Or do they accept that the data is already lost and refuse to give in to LockBit’s demands?

“Right now, only the Federal Reserve and its government partners like CISA and the FBI know the credibility of LockBit’s claims, and the true risk of the allegedly stolen data becoming public,” said Laliberte. “It is now in these teams’ hands to make a business decision on whether to pay the extortion, or not.” 
