The Unrelenting Menace of the LockBit Ransomware Gang
LockBit first appeared in late 2019, initially calling itself “ABCD ransomware”, and has grown rapidly since. The group is a “ransomware-as-a-service” operation: a core team builds the malware and runs the group’s website, while licensing the code to “affiliates” who carry out the actual attacks.
When ransomware-as-a-service groups successfully attack a business and get paid, they typically share a cut of the proceeds with their affiliates. In LockBit’s case, says Jérôme Segura, senior director of threat intelligence at Malwarebytes, that affiliate model has been turned on its head: affiliates collect ransom payments directly from their victims and then pay a fee to the core LockBit team. The arrangement appears to have worked smoothly and reliably for LockBit. “The affiliate model was really well ironed out,” says Segura.
Although researchers have repeatedly seen cybercriminals of all stripes professionalize and streamline their operations over the past decade, many prominent and prolific ransomware groups adopt flamboyant and unpredictable public personas to gain notoriety and intimidate victims. In contrast, LockBit is known for being relatively consistent, focused, and organized.
“I think they were probably the most factual of all the groups, and that’s one of the reasons for their longevity,” says Brett Callow, threat analyst at antivirus company Emsisoft. “But the fact that they post many victims on their website doesn’t necessarily mean they’re the most prolific ransomware group of all, as some would claim. They’re probably quite content to be described that way. This is just good for recruiting new affiliates.”
However, the group is certainly not just hype. LockBit appears to be investing in both technical and logistical innovation to maximize profits. For example, Peter Mackenzie, director of incident response at security firm Sophos, says the group has been experimenting with new methods to pressure its victims into paying ransoms.
“They have different payment methods,” says Mackenzie. “You could pay to have your data wiped, pay to release it early, pay to extend your deadline.” LockBit, he adds, has opened those payment options up to anyone, not only the victim. This could, at least in theory, result in a competitor buying a ransomware victim’s data. “From the victim’s point of view, there’s extra pressure on them, which contributes to people having to pay,” Mackenzie says.
Since LockBit’s debut, the group’s developers have invested a lot of time and effort in its malware. They have released two major updates to the code: LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. Researchers say this technical development has paralleled changes in how LockBit works with affiliates. Before the release of LockBit Black, the group worked with an exclusive set of at most 25 to 50 affiliates. Since the release of 3.0, however, the gang has opened up significantly, making it harder to keep track of the number of affiliates involved and also harder for LockBit to exert control over the collective.
Source: https://www.wired.com/story/lockbit-ransomware-attacks/