LockBit Ransomware Group Claims SpaceX Contractor Data TheftExtortionists With Penchant for Splashy PR Moves Call on Elon Musk to Pay Ransom
The prolific LockBit ransomware group claims to have stolen data from a supplier to Elon Musk's SpaceX, which designs, manufactures and launches rockets and spacecraft.
See Also: Threat Horizons Report
LockBit has a habit of advertising any breach that offers even a modicum of public relations potential. Not for nothing has LockBit emerged as the world's premier ransomware-as-a-service group (see: Keys to LockBit's Success: Self-Promotion, Technical Acumen).
Enter Maximum Industries, a woman-owned small business that offers "traditional and nontraditional machining processes," including a "full range of cutting and production services," in its facility located in the Dallas-Fort Worth region of Texas.
The company's website says: "We supply companies, both large and small, across a broad range of industries - including aerospace, defense, industrial, oil and gas, and medical."
LockBit on Monday posted the company to its data leak site, seizing on the fact that Maximum Industries is - it says - a contractor for SpaceX, which was founded by Musk before he became the owner of Twitter. Among his other professional obligations, the billionaire continues to serve as CEO of SpaceX and Tesla. SpaceX maintains a fleet of satellites that have been providing crucial connectivity for Ukrainian forces defending their country against the invasion launched last year by Russian President Vladimir Putin.
"Elon Musk we will help you sell your drawings to other manufacturers - build the ship faster and fly away," LockBit's listing says. "And now about the numbers: about 3,000 drawings certified by space-x engineers."
LockBit claims it will offer the information for auction in one week unless it receives a ransom payment.
None of those claims could be confirmed. Maximum Industries couldn't be immediately reached for comment. LockBit has not stated whether it also deployed crypto-locking malware in the business's network.
LockBit uses its data leak site to attempt to name and shame victims who don't quickly accede to its ransom demands. By listing a victim, the PR-savvy group hopes it will increase the pressure to pay. Payment is often proffered as a way to get a decryption tool or to get a victim's name removed from the listing of victims.
Some groups also charge a separate fee for a promise that they'll delete all stolen data. But professional ransomware responders say they know of no case in which the thieves have ever honored such a promise (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
If a victim doesn't pay, groups such as LockBit hope that will entice future victims to pay, so they don't face the same outcome.
Not all ransomware groups run data leak sites. Experts who track ransomware say it's not clear what percentage of nonpaying victims get added to any given site because no one knows the true number of ransomware victims. The shutdown of the Avaddon group, which released keys for victims, and the recent law enforcement takedown of Hive revealed both operations had amassed many more victims than experts suspected.
LockBit likely didn't go looking for a SpaceX contractor but rather managed to buy access to the business via an initial access broker or snared remote login credentials via a botnet (see: Targets of Opportunity: How Ransomware Groups Find Victims).
LockBit seems to view every fresh "data security event" - a term some victims now use to describe the experience of falling victim to a ransomware attack - as a shakedown opportunity. The group was recently in the headlines for crypto-locking the export division of Britain's privatized national postal service, Royal Mail (see: LockBit Group Goes From Denial to Bargaining Over Royal Mail).
At first, LockBit denied it had hit Royal Mail, only to change its tune and say one of its top business partners - affiliates, in ransomware-speak - had used its ransomware to do so. Regardless, Britain's postal service declined to pay what it characterized as an 'absurd" ransom demand.
Instead, the organization restored from backups or put workarounds in place, although it took about six weeks before full service was restored.