Shostack + Friends Blog


Lockbit, a study in public health

Why is it hard to count LockBit infections? A headline about 7,000 LockBit keys

I was surprised to see the headline "FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out." I didn't think there were that many victims. Some somewhat lazy searching reveals:

So what's going on? Does LockBit generate more than one key per victim? Are the public numbers really as little as 1/4 of the incidents? Ransomware is front and center in a lot of conversations about cybersecurity; I thought we had a better handle on it. More, I expected some of the numbers to be exaggerated, not reduced.

In the world of public health, we have statistical systems set up to capture data, analyze it, and release it. That enables me to go to an institution, see an authoritative number, and proceed. Maybe the institution is wrong, and maybe there are methodology critiques. But for us to be so far off on how many victims there are of a major, well-reported issue is concerning.

Jason Healey has been asking "are we winning?" and if our data is off by this much, it's hard to judge.