A recent listing on LockBit’s leak site about Crinetics Pharmaceuticals seemed unusual. It included a disclaimer: “Those responsible for the exfiltration of data belonging to this victim have no association, indirect or direct, with the Lockbit group.”
If those who exfiltrated the data had no association with LockBit, why was the listing on LockBit’s site?
Trying to Avoid the Sanctions List
A source involved with the incident explained the disclaimer to DataBreaches. He said the attack was by “the group with no name,” and the disclaimer was because LockBit is on the sanctioned list. He told DataBreaches, “They wanted the victim to be able to pay them.”
“So why post it on LockBit at all?” DataBreaches asked.
“Alphv is down,” he answered, implying that it would have appeared on AlphV’s site if law enforcement had not seized it.
“So.. any leak site in a storm?” DataBreaches asked.
“Yes,” he replied.
Other than the disclaimer, there was nothing unusual at that point. Then, The Record reported on the listing and published a statement they obtained from Crinetics. What happened next was surprising.
Threat Actors Break Off Negotiations
In response to the article, the threat actors removed the original listing and replaced it with a statement that began:
We have failed to reach an agreement with the Crinetics organization, given their unscrupulous behavior. We clearly instructed the victim to not engage in talks with the media, this includes responding to the media regarding this breach. Crinetics chose to disobey these demands and provided a statement to Recorded Future, downplaying the incident as well as the data. We therefore refused to accept their measly $1.8m USD offer and have ceased communications.
A chat log posted on the leak site seems to confirm their claim about breaking off negotiations. The log indicates that after the threat actors saw the statement, the negotiator told Crinetics they would have 15 minutes to pay the original $4 million demand, or the negotiations would be over.
The Crinetics negotiator seemed stunned, allegedly responding, “Are you really willing to gain nothing from this?” When the threat actors’ negotiator said they were willing to walk away to set an example for future victims, the Crinetics negotiator allegedly replied, “We are baffled to say the least. You are really willing to walk away from $1.8 million?”
DataBreaches was equally baffled, but the source, who was involved in the negotiations, insisted it was all true. DataBreaches asked him bluntly, “Are you that rich?”
“We have to set an example from these thugs. It’s not about being rich,” he answered. “We cannot let these thugs and animal abusers get away with downplaying incidents and lowballing.”
[Note: The reference to “animal abusers” was to external links he had sent DataBreaches containing criticisms about Crinetics’ involvement in animal testing. The threat actors knew about the animal testing issue from their research on their target, but the source was clear that it was in no way connected to their decision to attack Crinetics. Crinetics is a pharmaceutical firm that develops therapies for people with endocrine diseases.]
Data for Sale
According to their negotiator, the “group with no name” did not encrypt Crinetics’ files or delete any files from their servers. The listing does not reveal how much data they exfiltrated. DataBreaches contacted Crinetics on March 20 and again on March 26, seeking clarification about the attack and their reaction to the threat actors’ claims. They did not reply to either inquiry.
The threat actors initially gave Crinetics until March 23 to pay. That changed after they broke off negotiations. Since then, they have reset the deadline a few times, but there still has been no proof of claims. The countdown clock currently shows a deadline of April 9, but anyone can purchase all the data for $700,000 or delete it for that price.
Why has there been no proof of claim or leak? Is LockBit having problems leaking data again, or is there another explanation? DataBreaches was assured several times over the past few weeks that the data would be uploaded and available for this site to inspect, but it has not happened.
The threat actors claim they rejected a $1.8 million offer, but no one seems to have offered them even $700,000. Are they really still willing to walk away to “set an example” for future victims?
Time will tell. In the interim, DataBreaches reminds readers that this is an unconfirmed breach.
Update: Perhaps the explanation for the lack of proof of claim or a leak can be found in this article: LockBit Scrambles After Takedown, Repopulates Leak Site with Old Breaches. It discusses a new Trend Micro report and writes, in part:
Trend Micro also found that 7% of the post-Operation Cronos uploads had quickly been removed.
“14 victims were still not published and we did not find any public data other than the posts on the LockBit site that claim to verify the actual attack dates,” added the report.