“Bad faith, misunderstanding, or indifference?” Why do ransomware teams falsely insist victims have “revenue?”

Valéry Rieß-Marchive has been following the ransomware attack on the Sud-Francilien hospital center in Corbeille-Essonnes by LockBit 3.0 since it was first announced and has consistently been ahead of the news pack in reporting on developments.

In his latest report, he reveals that a previous report that GIGN negotiators were able to reduce an alleged $11 million ransom demand down to $1 million was inaccurate;  the demand was always $1 million. A comment by a LockBit negotiator aware of the false report and a preview of LockBit’s listing for the hospital support LeMagIT’s reporting.

But Rieß-Marchive’s report today also addresses an issue this site and others have pointed out in other attacks:  attackers claim that a victim can afford to pay a particular ransom amount because they have “x amount of revenue,” as seen on Zoominfo.  The threat actors ignore claims that Zoominfo’s “revenue” figures are not commercial revenue figures and that public entities — such as school districts and public hospitals — do not have disposable revenue or funds that can be used in a discretionary manner.

In today’s report, Rieß-Marchive includes snippets from the chat log between LockBit and the hospital and asks whether it is “Bad faith, misunderstanding, or indifference?” on the threat actor’s part.

By now, I think the answer is clear.

Read his coverage at LeMagIT.

About the author: Dissent

Comments are closed.