LockBit held victims’ data even after receiving ransom payments to delete it

As part of the takedown of ransomware gang LockBit this week, law enforcement officials said they discovered that the criminals were actually holding on to data they had pledged to delete after receiving a ransom payment.

LockBit was “the most prolific and harmful ransomware group” operating over the last four years, according to Graeme Biggar, the director general of Britain’s National Crime Agency (NCA), victimizing thousands of organizations globally.

The criminal enterprise monetised hackers’ access to victim’s computer networks by encrypting the devices on the network and/or stealing data from it, and demanding an extortion payment to provide a decryption key and to delete the data.

In its extortion note, the gang regularly stated: “If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.”

Officials have consistently warned against making such an extortion payment, arguing that it both funds the criminal ecosystem, that there is no guarantee the decryption key will be effective due to sloppy coding, and that the criminals’ mere promise to delete victim data should not be trusted.

This last point has been underlined by the NCA-led operation, which discovered “some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors.” The NCA said this was evidence “that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised.”

Read More: LockBit affiliates arrested in Ukraine, Poland

The agency plans to release additional information resulting from the intelligence it gleaned from the takedown over the rest of the week, including about administrator LockbitSupp and the gang’s finances.

Speaking to journalists in London on Monday about the global issue of ransomware, Biggar said: “The ransomware threat is significant, and 2023 was the highest number of attacks and the most money taken.

“LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”