LockBit’s Conversation on XSS Forum with an Initial Access Broker

Gradient blue background. There is a light orange oval with the white text "BLOG" inside of it. Below it there's white text: "LockBit's Conversation on XSS Forum with an Initial Access Broker" with a light orange arrow pointing down.

In February of 2024, admins of the Russian hacking forum XSS banned the primary LockBit account active on the forum. The ban was the result of a dispute between LockBit, and an initial access broker operating under the username “aa.” 

The following is a conversation between AA and LockBit, posted on XSS as aa sought arbitration to force LockBit to pay:

Initial discussion about unauthorized access to a company network with domain admin privileges. The threat actor “aa” has provided illicit access details.

[15:02:42] aa: Greetings. There’s good access.

[15:02:45] aa: (Description of Access1)

[15:03:31] aa: Their main domain is going. There’s no branch or anything like that.

[15:04:09] aa: There are still accesses of that order. All with domain admins.

[22:05:42] LockBitSupp: Hello, and all with such antiviruses that you can’t turn off?

[22:06:30] aa: Hello. They are bigger there, everywhere there’s usually EDR but this one was the most annoying) I can check if necessary.

[22:07:32] aa: But not on the others, not on cortex.

[22:09:20] aa: link if anything

[22:18:44] LockBitSupp: Got a host checker?

[22:22:34] aa: Didn’t quite understand the question.

[22:23:34] LockBitSupp: Is there internet there? Have you been inside or not?

[22:26:14] aa: YES

[22:26:20] aa: Went in

[22:26:32] aa: There’s no internet

[22:26:38] aa: At least not on the DC

[22:27:50] LockBitSupp: Well, let’s see that access now

LockBitSupp instructs aa not to access the domain controller directly as it may alert the company. aa provides additional compromised access credentials.

[22:28:36] LockBitSupp: but in general, you should never go into the DC because they’ll kick you out within an hour

[22:29:37] aa: Well, it’s been down for 3 weeks with me

[22:29:58] LockBitSupp: give access faster

[22:30:21] aa: Access1 creds

[22:30:30] aa: Access1

[22:30:49] aa: Might not be able to enter from Windows but you probably know this joke

[pending] : 2023-12-22

[00:08:16] aa: ?

[07:36:46] LockBitSupp: managed to get in, send everything you have on the network if there’s any info, and I’ll start working on it

[16:58:10] aa: Hello. No info, I just raised the rights and didn’t look further. There’s an LDAP dump if needed.

[16:59:01] aa: If you have commands of that level, I can give about 5 more similar ones, all with DA. But everything should be simpler.

[pending] : 2023-12-24

[17:44:37] aa: Hello. Any news?

[17:58:54] LockBitSupp: Hello, no news yet, the network is being worked on.

[17:59:45] aa: By the way, I wanted to just sell it) But if along the way I didn’t sell but gave it away, what’s the percentage at least?

[18:01:18] LockBitSupp: Let’s at least finish and get the payment first) then we’ll decide if anything)

[18:01:28] LockBitSupp: You don’t think every network pays)

[18:04:16] aa: Yeah, I know it all, just as I know how hard it is to make a big network pay even a little bit. That’s why I just wanted to sell it, but okay, I’ll wait then.

[18:06:19] LockBitSupp: Just buying is also not very interesting, especially from an unverified supplier, you never know how many hands the network has been sold through.

[pending] : 2023-12-25

[16:31:34] aa: Hello. There’s also Access2 that goes in. DA the same.

[16:32:13] aa:

[16:32:19] aa:

[16:33:32] aa:

[17:57:39] LockBitSupp: Hello, getting more interesting, where do you get them from?

[17:58:37] aa: I have my own things. And I raise the rights further already.

[17:58:59] LockBitSupp: Why don’t you want to cover yourself? Steal the data?

[18:15:36] aa: (Personal)

[18:17:20] LockBitSupp: Alright

In the following segment, LockBitSupp and aa discuss the distribution of aa’s illicitly obtained access to various company networks among trusted LockBit affiliates. aa mentions a high-value network (“Access3”) with domain admin privileges, but notes that the credentials need to be updated regularly. LockBitSupp advises against letting accesses expire and suggests immediately sharing them with proven affiliates who have successfully earned millions from attacks. They agree to start by providing a smaller network (“Access4”) to an eager affiliate as a test, with aa supplying the credentials and LockBitSupp offering data dumps to facilitate the attack.

[18:17:20] LockBitSupp: Alright, let’s try to do something with this, top affiliates are offline right now, if you want you can pass me the access directly, as soon as they log in I’ll give it to them for work if they agree so we don’t waste time and don’t wait for your online.

[18:19:23] aa: There’s a nuance, you’ll need to wait for me) The entry will be specific but the network is top. But I need to keep updating the creds for them.

[18:19:37] LockBitSupp: +

[18:19:59] LockBitSupp: then we’ll wait until the top advertisers respond.

[18:21:39] aa: If there are good advertisers with a guarantee through you, I can supply very good material and simpler ones too. Because I’m currently on

[18:23:59] LockBitSupp: I don’t give material to those I don’t trust, I only give it to people proven over the years and only those who have been paid millions of dollars, I trust them.

[18:24:47] aa:

[18:25:03] aa: I’m on a new one since November.

[18:27:28] LockBitSupp: Look, you decide for yourself, if there are simpler accesses without EDR I can give to other affiliates who are less loaded and have less skill, but they also have been paid millions of dollars.

[18:28:51] aa:

[18:28:53] LockBitSupp:

[18:29:07] LockBitSupp:

[18:30:55] aa: Then a little later from the next batch, I’ll write to you about what there is and we’ll look at it already.

[18:31:20] LockBitSupp: what’s that accent?

[18:31:42] aa:

[18:32:20] aa:

[18:33:49] LockBitSupp: We can actually stream and distribute all your accesses to different advertisers to process everything simultaneously.

[18:33:49] aa: Access3 I have now for instance. But it’s very big. And yes, with DA included too, true DA is in trust.

[18:35:44] LockBitSupp: No need to wait for the access to die, gotta do something with it)

[18:36:43] aa: That’s what I’ve been doing for a year now))

[18:37:00] aa: I can list for you how much everything has died on me. I take DA so it could be recovered.

[18:37:10] aa: Doesn’t always work out.

[18:37:20] LockBitSupp: What are you doing? Waiting for accesses to die?

[18:37:32] aa: Yes.

[18:37:57] LockBitSupp: Don’t do that, I’m at your service.)

[18:39:38] aa: I didn’t give Access3.

[18:39:46] aa:

[18:40:42] aa: You’re everywhere too.

[18:41:11] LockBitSupp: Let me distribute all your networks to advertisers, why wait until they die.

[18:41:54] aa: Are there people of such level?

[18:42:05] aa: Just not to be offended by it.)

[18:42:52] LockBitSupp: Listen, how would I know what level they are, I see thousands of chats, see who regularly gets payouts, who attacked whom, if payouts are coming, it means they’re with hands.

[18:43:28] LockBitSupp: Let’s give this one to a person now, he asks, will try to make it as good as possible, let’s start with a little.

[18:45:19] aa: Let’s say the only hemorrhoid?)

[18:45:59] aa: I have one such hemorrhoid. But she’s classy from the point of view of payouts.

[18:46:10] LockBitSupp: Well, let’s give access faster while the advertiser is hot on the connection he’s about to start on this one, if he successfully copes we’ll give him a bigger network.

[18:47:40] aa: Access4 let’s try this one so the entrance would be problem-free?

[18:47:46] aa: Access4

[18:48:00] aa: Access4

[18:48:18] aa: Maybe you’ll trust me and I’ll explain.

[18[18:48:18] aa: Maybe then you will trust me and I will explain.

[18:48:20] LockBitSupp: Let’s take anyone while the advertiser is hot and ready to fight.

[18:49:52] aa: Access4

[18:50:06] aa: Access4

[18:50:11] aa: He is also the admin there.

[18:50:24] aa: Access4

Access4

[18:50:26] aa: Access4

[18:50:54] aa: These are others who got caught with open passwords might be needed suddenly.

[18:50:58] aa: Access4

[18:52:24] LockBitSupp: Is this all the info?

[18:52:50] aa: Access4

[18:53:25] LockBitSupp: I’ll give you all the dumps so that it would be less work for him and less exposure.

File sharing:

Private note service:

In this part of the conversation, LockBitSupp and aa continue to coordinate attacks on various company networks. aa provides additional credentials and sensitive data for “Access4”, while LockBitSupp requests more small-scale accesses for other affiliates and informs aa that a major affiliate is ready to handle a large-scale intrusion. aa shares cookie-based access for “Access2” and access to “Access5”, which does not require special entry methods. LockBitSupp assigns affiliates to work on the new accesses, manages the ongoing negotiations for “Access1”, and keeps aa updated on the progress of the attacks, including data theft and any issues encountered.

[20:05:24] aa: Access4

[20:05:27] aa: ntds

[20:06:25] aa: Access4

[pending] : 2023-12-26

[13:53:54] LockBitSupp: Do you have any more small stuff like this? I’ll distribute it to other advertisers.

[14:20:43] LockBitSupp: A major advertiser responded with two teams for a big access, give me the big access.

[16:32:50] aa: Hello, you’ll need to enter through cookies.

[16:33:42] aa: Access2

[16:34:07] aa: Access2

[16:34:35] aa: Access2

[16:34:59] aa: Access2

[18:59:48] LockBitSupp: So what is this corp?

[19:07:33] LockBitSupp: Ah, I get it, this is Access2.

[21:48:11] aa: Were you able to enter?

[21:48:30] aa: Access5

[21:48:39] aa: But there you can enter without any trouble.

[22:08:37] LockBitSupp: Haven’t entered yet, the advertiser says they are breaking down two major corps and will only be free in mid-January, wrote to another advertiser (I’ll tell you when you need to make a proxy)

Let’s try to set up Access5 for someone too.

[pending] : 2023-12-28

[14:33:23] aa: Hello, did you do anything?

[23:04:38] LockBitSupp: Hello, in the process.

[23:09:10] LockBitSupp: Make me a new proxy for Access2, another experienced advertiser appeared online and seems ready to start working.

[23:30:06] aa: Access2

[23:30:58] aa: If the advertiser is on the connection, I can issue it. Or we can agree on a specific time when everyone will be online.

[pending] : 2023-12-29

[09:56:48] LockBitSupp: Go ahead and issue fresh cookies or whatever, I told him to be on connection so nothing dies.

[20:39:06] LockBitSupp: Access2

[pending] : 2024-01-03

[03:59:36] aa: Hello

[03:59:40] aa: Any news?

[13:33:10] LockBitSupp: Hello, negotiations are still only about Access1 (how much should we ask, do you think? the advertiser says he deleted backups) but didn’t steal as much data for the blog as he wanted because there was something wrong with the internet and he says there was no opportunity to steal a lot.

The rest are in work (data is being stolen and all that advertisers have written to me lately)

Access1

In this part of the conversation, LockBitSupp and aa continue to coordinate attacks on various company networks. aa provides additional credentials and sensitive data for “Access4”, while LockBitSupp requests more small-scale accesses for other affiliates and informs aa that a major affiliate is ready to handle a large-scale intrusion. aa shares cookie-based access for “Access2” and access to “Access5”, which does not require special entry methods. LockBitSupp assigns affiliates to work on the new accesses, manages the ongoing negotiations for “Access1”, and keeps aa updated on the progress of the attacks, including data theft and any issues encountered.

[13:33:41] LockBitSupp: Now the moment has come to write a price to the target, your opinion?

[pending] : 2024-01-04

[13:09:38] LockBitSupp: Where did you disappear? The advertiser is itching, ready to work.

[13:43:06] LockBitSupp: Report by one of your companies from another advertiser.

Access3

[13:46:13] LockBitSupp: Stolen by them.

[15:53:32] aa: Hello. Today I’ll drop everything, I keep being distracted.)

[15:53:43] aa: Just about to write you messages and I get distracted again

[15:53:43] aa: Just about to write you messages and I get distracted again.

[15:54:00] aa: Thanks for proving I’m not a fool and everything can be done properly.

[16:00:31] LockBitSupp:

[16:01:14] aa: 5 minutes.

[16:04:32] aa: Access2

[16:07:01] aa: Access2

[16:07:10] aa: Access2

[16:08:07] LockBitSupp: What do you think about the ransom for Access1?

[18:02:23] aa: There’s nothing critical here, right? (the amount)

[18:05:08] aa: Were you able to get in there?

[18:42:57] LockBitSupp: Got in, there’s Falcon, what are we supposed to do with this network?

[18:54:38] LockBitSupp: So, he’ll try to do what he can to at least steal data, because this is one of the toughest AVs, are all your networks like this? Without AV you do it yourself?

[18:56:30] LockBitSupp: Give me some smaller accesses too so the other advertisers don’t get bored.

[19:19:21] aa: Not all.

Automate Your Threat Exposure Management

Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.

[19:20:58] aa: But I wanted to give away a classy access. ACCESS3. There you can normally enter without cookies.

[19:21:10] aa: There’s just a little bit left undone. I only took one domain.

[19:21:14] aa: There are 7 of them.

[19:21:22] aa: And there the AV is simpler I think.

[19:21:29] aa: Sophos if I’m not mistaken.

[19:22:33] LockBitSupp: Well, give me that honey.

[19:25:00] aa: Just so you know, I don’t understand AV and backups beyond that. I always just handed them off and sometimes pumped data. Theoretically, I know, but especially with major AVs, I’ve never encountered it. So don’t pressure me about Falcon ;)

[19:25:12] aa: 10 minutes and I’ll upload, I have a lot of info on it.

[19:26:03] LockBitSupp: I’m not pressuring, I’m just telling you few can handle them, AV lights you up at any noise.

[19:26:41] LockBitSupp: Just in case you think we’re supermen and omnipotent, now we’ll kill the network and you’ll say what assholes messed up my network ;)

[19:32:11] aa: You’ve already done what would have killed everything for me.

[19:35:30] aa: ACCESS3

[19:41:13] aa: ACCESS3

[19:41:50] aa: ACCESS3

[19:42:32] aa: ACCESS3

[19:47:22] aa: And for medium ones, I get networks about once a month in batches. I gave away the average ones in November and December, unfortunately to the wrong people.

[19:59:47] aa: Can’t I accidentally have access to the chats? Just nice to watch the negotiations.

[pending] : 2024-01-05

[09:47:21] LockBitSupp: So what is this access you dropped? Not very clear.

You can have access to the chats but then you’ll be knocking the victim out of the chat, I could give you chat IDs of the victims and all, you would watch their chats from their side, but when you enter the chat they will be kicked out and they may panic that someone else has access to the chat, like it’s not private and all that.

[10:52:31] aa: ACCESS3

[10:53:04] aa: ACCESS3

[10:56:45] aa: But I have DA only in one trust. I immediately dropped ntds to make it easier.

[10:56:55] aa: ACCESS3

[10:59:45] aa: I can take DA in all domains. But it will be a bit risky and complicated. Because I can’t even load BloodHound because of the network size.

[11:00:46] aa: It would just be better and more chances if a more experienced person takes over.

[11:20:02] LockBitSupp: We’ll wait with ACCESS3, the advertiser said he’ll be free on the 8th and ready to take over.

[11:20:41] aa: And how much did[11:20:41] aa: And how much did Access1 say?

[11:21:12] LockBitSupp: Figures.

[11:21:24] aa: I always estimate very low.))

[11:22:26] LockBitSupp: Well, that’s a margin for a discount.

[11:23:08] LockBitSupp: Still no response yet.

[pending] : 2024-01-08

[10:11:14] LockBitSupp: Need new ones for Access2.

[16:29:29] aa: Hello.

[16:29:33] aa: Will do now.

[16:38:30] aa: Access2

[16:39:52] aa: Any news on the others?

[20:34:20] LockBitSupp: No news on the others yet.

[20:34:48] LockBitSupp: Work is being done, you understand the process isn’t quick, haste isn’t needed here.

[20:35:05] LockBitSupp: The main thing is the result, not the speed.

[20:40:04] aa: Did you get in?

[20:40:21] aa: I’m more about new messages from Access1.

[21:00:48] LockBitSupp: Negotiations with Access1…

Nothing significant, now giving them another list, the advertiser managed to steal very few files, they seem to realize this, so the chances of success aren’t great, but I’m trying to get through by bluffing.

In this part of the conversation, LockBitSupp and aa discuss the ongoing ransom negotiations and the challenges faced in the various attacks. The ransom negotiations for “Access1” are not progressing well due to the affiliate’s inability to steal a significant amount of data, while issues with credentials and security measures hinder progress on “Access2” and “Access3”. LockBitSupp declines an initial ransom offer for “Access1”, aiming to negotiate a higher amount, and expresses his desire to make the first payment to aa to establish trust for future collaboration. aa encourages accepting the current offer, believing that a payout will motivate him to provide more high-value targets. LockBitSupp reassigns affiliates to tackle the challenges posed by each network and keeps aa informed about the progress of the attacks, including the status of ransom negotiations, data theft, and any obstacles encountered, such as antivirus software and firewalls.

[21:00:48] LockBitSupp: Access2 isn’t working, just checked, give me a new one, make sure it’s working.

[21:13:24] aa: Access2

[21:13:41] aa: Access2

[21:17:57] aa: Plus, as I understand, the affiliate also didn’t take the most up-to-date data. Did the affiliates take Access3?

[21:18:28] aa: I just understand well how to do them correctly with Access3.

[21:19:40] LockBitSupp: It doesn’t matter what the partner took, nothing can be changed now, he complained that a firewall or something did not allow him to go wild, and can you steal data yourself? or don’t you even try? any advice? very curious.

[21:42:54] aa: Access3

[21:44:09] aa: Access3

[21:45:27] LockBitSupp: Got it, will give the advertiser separate instructions on data for Access3, but locking it for order won’t hurt anyway.)

[22:13:08] LockBitSupp: You promised me Access3.

[pending] : 2024-01-09

[16:08:01] aa: Access3

[16:08:14] aa: Can’t find the second one yet.

[pending] : 2024-01-10

[23:08:16] LockBitSupp: Access3 VPN died, do you have more creds?

[pending] : 2024-01-11

[12:37:09] aa: I have a lot. I will check it out, it has been living with me for a long time.

[12:57:00] aa: Access3

[12:57:36] aa: Any movement on the negotiations and other networks?

[14:53:13] LockBitSupp: They offered for Access1…

Access1

I declined, it’s quiet on the others, remind me please of the list of other sites so I can nudge the advertisers and ask what’s up with those networks.

[15:50:43] aa: Access2 Access4

[15:51:55] aa: Don’t you want to agree by any chance? You yourself say that the advertiser didn’t take the data quite right. Plus, the amount isn’t so bad for a network that’s not fully done.

[15:53:23] aa: Just getting a payout I would bring you another 10 like that and we would earn more and I can bring you networks for PR too if needed.

[15:58:02] aa: Access4 seems to be done too if I remember correctly.

[16:03:25] LockBitSupp: Access2 one advertiser seems to have given up, nothing is working out for him, give it another try I’ll give it to another advertiser.

Access4 no contact yet, calling didn’t help, we’ll wait another week if they don’t get in touch we’ll publish in the blog, then they might come running.

I don’t want to agree on Access1, I’ll try to squeeze out a bit more money. I also want to make the first payment with you so we can then take on other targets seriously and distribute all your targets to other advertisers for payments on a flow basis.

[23:02:27] LockBitSupp: Accepted, handed off for work,

there was also an error in communication, so there are 3 networks in contact, as soon as anyone pays we will start talking about money, for now, I’m trying to get a payment from someone.

[23:03:18] LockBitSupp: Access6

[23:07:19] aa: That’s not my network))

[23:08:26] aa: There should be significantly more servers

[23:09:38] aa: Access6 has 2200 servers according to LDAP, there should be more, there were about 30 controllers

[23:13:50] aa: Can you send the correspondence with Access1, I’m very worried, especially since they offered money

[pending] : 2024-01-19

[15:59:32] LockBitSupp: 2200 devices not servers, I can send the correspondence but why do you need it? You will worry even more if you see it, I can conduct correspondence for months, and you will write to me every day to send the correspondence and worry and worry and worry again

[16:01:17] aa: I’m telling you I’m worried, it’s just nice for me to watch, since I can’t organize access anyway, so I’m just curious about how the negotiations are going

[16:02:38] aa: I would still like to see, I won’t bother you every day)

Access1 correspondence

[16:09:51] aa: thank you

[pending] : 2024-01-23

[20:53:57] aa: Hello, can you tell if Access6 and Access2 were made?

[pending] : 2024-01-24

[14:59:17] LockBitSupp:

They wrote about Access6 today

Access2 no one can do, I’m asking for permission to transfer Access2 to someone I don’t trust, i.e., the person might scam the access

the problem is with Falcon, it’s tough with it

there are no problems with cookies, without Falcon it would be easier

let’s see what else you have, not to let the goods go to waste

[pending] : 2024-01-25

[23:54:16] aa: Hello again, you can transfer Access2 at your discretion, it will die sooner or later when passwords are updated.

[23:54:50] aa: Access2t

[pending] : 2024-01-26

[20:43:56] LockBitSupp: Access2

[23:12:23] aa: Access7

[23:12:48] aa: Access7

[23:13:00] aa: Access7

[23:16:33] aa: Access7

[23:17:04] aa: Access2 is dead, if NTDS is left I can probably recover it

[23:20:25] aa: Any news on the negotiations?

[pending] : 2024-01-28

[14:41:13] LockBitSupp: Hello

1. The very first access you gave me, Access1, paid a ransom after a month of negotiations, since originally you came to me to sell it, there can’t be a fixed percentage, I can pay as for purchased access, how much did you want to sell it for?

2. As I said after the first payment we can move on to more serious cooperation, as you are now a verified person give me your tox I’ll add you to tox for verified people

3. Access4 is in the process of negotiations, still water

4. Access6 is in the process of negotiations, still water

5. Did you manage to regain access to Access2?

6. Now we can discuss more detailed conditions of permanent work if you’re interested, scaling up the work and financial questions

In this part of the conversation, LockBitSupp and aa negotiate the terms of their partnership, focusing on the percentage of ransom payments aa will receive for providing illicit access to corporate networks. LockBitSupp proposes a tiered payment structure, starting at 10% and increasing by 1% for each successful ransom, up to a maximum of 20%, encouraging aa to provide more accesses to maximize profits. aa argues for a fair, fixed percentage, considering the value he provides by including domain admin privileges. He expresses concern about the terms offered, finding them unfair given the quality of the accesses he provides. The conversation concludes without a clear resolution, highlighting the complex dynamics and negotiations involved in the ransomware-as-a-service (RaaS) model, where access brokers, affiliates, and operators must agree on payment terms and navigate a high-risk, high-reward criminal ecosystem.

[14:41:13] LockBitSupp: you said you want 25%, I think that’s a lot to start with, I’d like you to give as many accesses as possible and constantly, and not just leave to spend money after the first large payment

therefore, I propose to do it this way

we gradually raise the percentage from 10 to 20 percent

access paid – you get 10%

the next access paid – you get 11%

the next access paid – you get 12%

the next access paid – you get 13%

the next access paid – you get 14%

the next access paid – you get 15%

the next access paid – you get 16%

the next access paid – you get 17%

the next access paid – you get 18%

the next access paid – you get 19%

the next access paid – you get 20%

[14:41:13] LockBitSupp: And so, through 10 payments, you reach the maximum level of income on your side. I, in turn, guarantee you control and that no one among the pentesters will cheat you out of money. From you, maximum effort and an increase in the volume of supplies are required to maximize our profit. For example, instead of doing 5 accesses a month, aim for 50 or more. You can also give accesses that are not too lucrative. I have advertisers of different ranks, some more experienced, some simpler, to keep everyone busy.

7. Sangwing has been handed over for work.

[15:33:59] aa: Hello, selling implies immediate money))) Not when the network pays. Let’s agree on a fair and normal percentage and work at a normal pace.

[15:37:20] aa: I give access immediately with domain admins in the package, doing half the work for your workers, meaning the access goes 100% straight to work (you know the problem with this). Another contact.

[15:43:54] aa: About Access2, I told you wrong, did the advertisers not have ntds? Because I didn’t take it off there due to AV so as not to alert, because I don’t know ways to do this without an alert with such AV, shadow copying there will also alert if done.

[15:44:47] aa: And I will never have 50, but I will have 5 guaranteed ones that can be calmly set and worked on, with rights that won’t die in 2 days.

[15:46:12] aa: I always worked quietly but on more or less good targets and top countries, let’s say more precisely.

[16:28:05] aa: If anything, the domain admin on Access1, there the point of entry had no rights at all.

[16:45:23] aa: It feels like I just threw you a random access from the logs, but it’s far from that.

[16:54:50] aa: Contact.

[16:55:31] aa: Please add, because I am very concerned about our cooperation.

[17:58:06] aa:

> [18:04:16] aa: Yes, I know everything, also know how hard it is to make a big network pay even a little bit. That’s why I just wanted to sell, okay, I’ll wait then.

> [18:06:19] LockBitSupp: Just buying is also not very interesting, especially from an unverified supplier, you never know how many hands the network has been sold through.

[17:58:21] aa: I accidentally attached the link))

[17:59:07] aa: You yourself refused to buy, so I absolutely do not understand your statement now.

[21:14:18] aa: Let’s negotiate more properly please, because the terms you’re offering are absolutely unfair to me and my work.

[21:18:57] LockBitSupp: Why does selling imply immediate money, not when the network pays? I often write that I am ready to pay only if the network pays a ransom. If it doesn’t, it ends up in the blog, and many are okay with this because accesses die and they can’t work them themselves. To my knowledge, there are no specific international standards or rules on how to pay or buy networks, everything is individual as you negotiate. I initially told you let’s work your networks as best as we can, after the first payment we will discuss all the financial issues and conditions, because every day about 10 people write to me and push their endless accesses. Since I’ve verified you, I am now ready to work with you permanently, ready to discuss.

[21:18:57] LockBitSupp: A fair and normal percentage, I offered you conditions, your task is either to agree to them, refuse them, or propose your own. The number of advertisers allows us to maintain the maximum possible pace, as long as there are free hands.

[21:18:57] LockBitSupp: The fact that you give access immediately with domain admin in the package is of course good, but as you can see there are many other factors that affect payment, and domain admin is not always a guarantee of success. Some accesses died even with domain admin, because logging into DA is always noticeable. Specifically in this case with Access1, only my negotiation skills resolved it, which I personally led for a month, but I don’t say anything to you for this, we have team work and each profession is important, your help is useful, an experienced pentester is useful, an experienced negotiator is useful, and I as a guarantor am useful. It’s hard to imagine how all this can be evaluated, you can’t pull the blanket over someone, everyone is important and needed. In essence, I can give you a panel and you can personally work accesses and take the entire ransom sum for yourself and not share with anyone. I am not against such a scenario, but you yourself said that you are not able to work alone and need an experienced team, I have assembled an experienced team and as a result, we have success. You can also give accesses without a domain admin, perhaps my pentesters can take DA just as you do if you want. The fact that you help as you can only increases the chance of payment, but sometimes it can also harm, because usually any movements on DA are very strictly controlled in proper companies, of course where there are screw-ups no one will notice anything.

[21:18:57] LockBitSupp: About Access2, everything is very difficult, I am sure that no one could take anything there because there is a malicious AV.

50 accesses from you are my dreams, you can give as many as you have, as you like. My task as the head of an organized crime group is to load all free hands with work to maximize profit, so I take accesses from all sources.

I don’t know where you get accesses, from logs or somehow cunningly mine them, it’s your concern and I am ready to pay you for it, now we are discussing this topic.

[21:18:57] LockBitSupp: Again, I refused not only to buy but also to discuss any percentage, I said that only after the first payment we will discuss all financial issues and close cooperation if we can agree, usually when it comes to sharing the loot there are quarrels. You could have just given me nothing if you didn’t get a clear agreement, but you decided to hand over access for work because you understood that it could just die and you wouldn’t earn anything, as it was with many of your other accesses. Now we are engaged in discussing the most clear and transparent conditions that will suit both of us, as soon as we agree we move forward.

[21:18:57] LockBitSupp: Where do you see the injustice? What injustice?

By the way, what to say about Access1, how did we hack them? I need some information, can you disclose it or is it better not to? If it’s better not to, then we need to come up with something to tell them so it looks realistic.

[21:21:15] aa: The injustice is not giving me my percentage for the work on Access1.

[21:22:14] LockBitSupp: I added you to another Tox, we didn’t discuss a percentage with you, if I had promised you a certain percentage and then didn’t give it, that would have been injustice.

After that, we switched to another contact with LockBit and argued for a long time without coming to any conclusion. I think there is no need to send it here, I sent it to the admin, there LockBit just repeats the same thing and even sends me to write an arbitration.

Monitoring Dark Web Forums with Flare

The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools.  Learn more by signing up for our free trial.

Share This Article

Related Content