Black Hat Europe 2025 | Keynote: Inside the Ransomware Machine


Description

Max Smeets delivers a high-impact keynote at Black Hat Europe 2025, revealing internal data from the LockBit ransomware operation. The talk explores the socio-technical dynamics of ransomware-as-a-service, the impact of law enforcement takedowns, and the psychological 'trust paradox' between attackers and victims.

Decoding the Ransomware Machine: Insights from LockBit and Operation Kronos

The ransomware 'gold rush' may be evolving, but the business model behind these digital cartels remains one of the most significant threats to global security. At Black Hat Europe 2025, Max Smeets, author of Ransom War, shared a technical and psychological deep dive into the world’s most notorious Ransomware-as-a-Service (RaaS) group: LockBit. Using data seized by the National Crime Agency (NCA) during Operation Kronos, Smeets provides a rare glimpse into the negotiation portals, affiliate structures, and the eventual collapse of a cybercriminal empire.

The Rise and Fall of LockBit

LockBit emerged in 2019 and quickly rose to dominance by refining the RaaS model. By 2022, it had become the most prolific ransomware strain in the world. However, in February 2024, the landscape changed when the NCA, working with international partners, executed Operation Kronos. This wasn't just a server seizure; it was a psychological operation designed to destroy the one thing a ransomware group cannot survive without: its reputation.

Traditionally, the cybersecurity community focuses on the 'how' of an attack—the initial access vectors like phishing or RDP brute-forcing. Smeets, however, focuses on the 'aftermath'—the business logic and the negotiation phase where the real damage is often done or mitigated.

Technical Deep Dive: The RaaS Infrastructure

The Affiliate Pyramid and Negotiation Logic

LockBit functioned as a platform. The administrators provided the locker and the leak site, while affiliates provided the access. Data analysis from LockBit 3.0 reveals a fascinating funnel:

  1. Onboarding: Roughly 200 affiliates were active at the peak.
  2. Payload Generation: Around 150 affiliates created at least one custom ransomware build.
  3. Active Exploitation: A smaller subset actually entered negotiation chats with victims.
  4. The Payout: Only 80 distinct affiliates ever received a confirmed payment.

This distribution shows that RaaS is a 'winner-take-all' economy. A few highly productive affiliates generate the bulk of the revenue, while most others fail to convert their access into cash. Furthermore, the negotiations are surprisingly standardized. Most affiliates use a pre-set playbook: threatening GDPR fines, offering a 'free decryption' of two files to prove capability, and offering 'discounts' capped at 20% by the primary administrator, 'LockBitSupp' (Dmitry Khoroshev).

The Trust Paradox

In cybercrime, reputation is the only currency. This is the 'Ransomware Trust Paradox.' For a victim to pay, they must believe that the attacker will honor their word. If a group develops a reputation for not providing decrypters or for leaking data anyway, the incentive to pay vanishes.

Operation Kronos exploited this by hijacking LockBit’s own leak site to post evidence that the group had retained data they claimed to have deleted. This destroyed the trust required for future negotiations. In the subsequent 'LockBit 4.0' era, despite the administrator's attempts to rebuild, only eight affiliates have managed to secure payouts, a staggering 90% decrease in operational efficiency.

The Streisand Effect in Ransomware

Perhaps the most counterintuitive finding in Smeets’ research is the 'Ransomware Streisand Effect.' Many companies pay ransoms under the guise of 'reputation management,' hoping to keep the breach out of the news. However, Smeets' analysis of the largest 100 payouts shows that victims who paid actually received more media coverage than those who refused.

The logic is simple: the payment itself is a news story. A million-dollar transfer to a criminal organization is a 'hook' for journalists in a way that a technical breach often isn't. Paying doesn't buy silence; it often buys a larger headline and signals a complete loss of internal control.

Mitigation and Defense: Beyond the Firewall

For defenders, the takeaways are clear:

  1. Rethink the 'Pay to Hide' Strategy: Data shows that payment does not guarantee confidentiality and often increases public scrutiny. Companies should prioritize transparency over extortion payments.
  2. Reputational Intelligence: Monitor the 'trust rating' of specific ransomware strains. If a group (like the current iteration of LockBit) is known to have compromised integrity, there is zero business case for payment.
  3. Focus on Data Exfiltration: As encryption becomes easier to defeat with modern backups, attackers are pivoting to 'pure' extortion (Compromat). Defensive strategies must shift from just 'restoring from backup' to preventing the initial exfiltration of sensitive files.

Conclusion: The Future of Digital Extortion

The era of simple 'lock and pay' is transitioning into a complex world of digital blackmail. As Smeets points out, ransomware is now digital extortion by another name. The success of Operation Kronos proves that the best way to fight a RaaS organization is to treat it like a business: attack its supply chain, destroy its brand, and eliminate its market trust. For organizations globally, the message is clear: the machine is powerful, but it is built on a fragile foundation of criminal trust that is increasingly easy to break.

AI Summary

In this Black Hat Europe 2025 keynote, Max Smeets, Co-Director of Virtual Routes, provides an unprecedented look inside the inner workings of the ransomware economy. The presentation is built on unique access to leaked data from the LockBit ransomware group, specifically comparing the organization before and after the National Crime Agency's (NCA) 'Operation Kronos.' Smeets begins by framing ransomware not just as a technical hurdle, but as a political and societal crisis that has cost economies billions, citing the recent £1.9 billion impact of the Jaguar Land Rover case in the UK.

The core of the research revolves around ten key observations derived from supervised access to LockBit’s negotiation chats and affiliate data. One of the most striking findings is the 'Affiliate Pyramid,' which shows that while LockBit had nearly 200 affiliates, only a small fraction (around 80) ever successfully secured a payment. Smeets debunks the myth of the 'master negotiator' affiliate, noting that payouts are driven more by the severity of the initial encryption and data theft than by the specific language used in negotiation portals. He also highlights that ransomware pricing remains surprisingly crude, often based on basic revenue estimates from tools like ZoomInfo rather than deep financial analysis of the victim.

A significant portion of the talk is dedicated to the 'Ransomware Trust Paradox.' For a ransomware group to be profitable, it must convince victims that paying will actually result in data recovery and the cessation of leaks. Smeets explains how Operation Kronos systematically dismantled this trust by taking over LockBit's own infrastructure to announce that the group had lied about deleting data. This reputational damage proved more effective than technical takedowns alone, as evidenced by the massive drop-off in activity in LockBit 4.0 compared to LockBit 3.0.

Finally, Smeets introduces the concept of the 'Ransomware Streisand Effect.' Through data analysis, he discovered that victims who pay ransoms often end up with more media exposure than those who don't. The act of payment itself becomes a headline, signaling a loss of control to the public and investors. He concludes that as defensive measures and law enforcement efficacy improve, the ransomware model is shifting toward pure digital extortion (Compromat), where encryption is secondary to the threat of public data release.
