Lockbit, a study in public health
Why is it hard to count LockBit infections?
I was surprised to see the headline FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out. I didn't think there were that many victims. Some admittedly lazy searching turns up:
- CISA (with other agencies) said 1,700 in Understanding Lockbit (June 2023)
- Department of Justice said “more than 2,500 victims” in U.S. Charges Russian National with Developing and Operating LockBit Ransomware (Sept 2019-May 2024)
- Secureworks reports “over 2,350 victims” in Unpicking LockBit — 22 Cases of Affiliate Tradecraft (“between the LockBit leak site's inception and the end of 2023”)
- Wired says “over 3,000” quoting Recorded Future in A Global Police Operation Just Took Down the Notorious LockBit Ransomware Gang (no timeline)
So what's going on? Does LockBit generate more than one key per victim? Are the public counts really as little as a quarter of the actual incidents? The parentheticals above hint at part of the answer: the four figures cover different time windows and sources, so they are not directly comparable, and a count of decryption keys is not a count of victim organizations if one intrusion yields several keys. Even so, a spread from 1,700 to 7,000 is large. Ransomware is front and center in a lot of conversations about cybersecurity; I thought we had a better handle on it. What's more, I expected some of these numbers to be exaggerated, not understated.
In the world of public health, we have statistical systems set up to capture data, analyze it, and release it. That lets me go to an institution, see an authoritative number, and proceed. Maybe the institution is wrong, and maybe there are methodology critiques. But for us to be this far off on how many victims there are of a major, well-reported issue is concerning.
Jason Healey has been asking "are we winning?", and if our data is off by this much, it's hard to judge.