The Relentless Threat of the LockBit Ransomware Gang

LockBit emerged in late 2019, first calling itself “ABCD ransomware.” Since then it has grown rapidly. The group is a ransomware-as-a-service operation, which means that the core team builds its malware and runs its website, licensing its code to “affiliates” who launch the attacks.

Typically, when ransomware groups successfully attack a business and get money, they share some of the profits with affiliates. In the case of LockBit, Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, says the partnership model has been turned on its head. Affiliates receive payment directly from their victims and then pay a commission to the core LockBit team. The framework seems to work well and is reliable for LockBit. “The affiliate model was really well tuned,” says Segura.

Although researchers have repeatedly seen how cybercriminals of all kinds have professionalized and streamlined their operations over the past decade, many well-known and prolific ransomware groups use vivid and unpredictable public images to gain notoriety and intimidate victims. On the contrary, LockBit is known for being relatively consistent, focused, and organized.

“I think they were the most businesslike of all the groups, and that’s one of the reasons for their longevity,” says Brett Callow, threat analyst at antivirus company Emsisoft. “But the fact that they post a lot of victims on their site does not necessarily mean that they are the most prolific ransomware group of all, as some claim. However, they are probably quite content to be described in this way. It’s just good for recruiting new partners.”

However, the group is certainly not all publicity. LockBit appears to be investing in both technical and logistical innovation in an attempt to maximize profits. Peter McKenzie, director of incident response at security firm Sophos, says, for example, that the group has experimented with new methods of pressuring its victims to pay a ransom.

“They have different payment methods,” McKenzie says. “You can pay to delete your data, pay to publish early, pay to renew,” MacKenzie says, adding that LockBit has opened up its payment methods to everyone. This could, at least in theory, lead to a rival company buying the ransomware victim’s data. “From the victim’s point of view, it’s additional pressure on them, which helps get people to pay,” says McKenzie.

Since the debut of LockBit, its creators have spent a lot of time and effort developing their malware. The group has published two big code updates – LockBit 2.0 released mid 2021 and LockBit 3.0 released June 2022. These two versions are also known as LockBit Red and LockBit Black respectively. The researchers say the technical evolution has paralleled changes in how LockBit works with affiliates. Prior to the release of LockBit Black, the group worked with an exclusive group of 25 to 50 partners maximum. However, after the release of 3.0, the gang expanded significantly, making it difficult to keep track of the number of affiliates involved, as well as making it harder for LockBit to control the collective.