High-profile ransomware attacks have become a fact of life in recent years, and it’s not unusual to hear about major monthly attacks perpetrated by Russia-based gangs and their affiliates. But since late 2019, one group has been steadily making a name for itself on a multi-year rampage that has impacted hundreds of organizations around the world. The LockBit ransomware gang may not be the most wildly unhinged of these criminal groups, but its callous persistence, effectiveness, and professionalism make it sinister in its own way.
One of the most prolific ransomware groups ever, the LockBit collective has attempted to maintain a low profile in spite of its volume of attacks. But as it has grown, the group has gotten more aggressive and perhaps careless. Earlier this month, the LockBit malware was notably used in an attack on the United Kingdom’s Royal Mail that hobbled operations. After other recent visible attacks, like one on a Canadian children’s hospital, all eyes are now on LockBit.
“They are the most notorious ransomware group, because of sheer volume. And the reason for their success is that the leader is a good businessman,” says Jon DiMaggio, chief security strategist at Analyst1 who has studied LockBit’s operations extensively. “It’s not that he’s got this great leadership capability. They made a point-and-click ransomware that anyone could use, they update their software, they’re constantly looking for user feedback, they care about their user experience, they poach people from rival gangs. He runs it like a business, and because of that, it is very, very attractive to criminals.”
For the Royal Mail, LockBit was a chaos agent. On January 11, the UK postal service’s international shipping ground to a halt after being hit with a cyberattack. For more than a week, the company has told customers not to send new international parcels—adding further disorganization after workers went on strike over pay and conditions. The attack was later linked to LockBit.
Just before Christmas, a LockBit member attacked the SickKids hospital in Canada, impacting its internal systems and phone lines, causing delays to medical images and lab tests. The group quickly backtracked after the attack, providing a free decryptor and saying it had blocked the member responsible. In October, LockBit also demanded an unusually high $60 million payment from a UK car dealership chain.
Adding to its infamy, LockBit is also one of the most prolific and aggressive ransomware groups when it comes to targeting manufacturing and industrial control systems. Security firm Dragos estimated in October that in the second and third quarters of 2022, the LockBit malware was used in 33 percent of ransomware attacks on industrial organizations and 35 percent of those against infrastructure.
In November, the US Department of Justice reported that LockBit’s ransomware has been used against at least 1,000 victims worldwide, including in the United States. “LockBit members have made at least $100 million in ransom demands and have extracted tens of millions of dollars in actual ransom payments from their victims,” the Justice Department wrote. The FBI first began investigating the group in early 2020. In February 2022, the agency released an alert warning that LockBit “employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense.”
LockBit emerged at the end of 2019, first calling itself “ABCD ransomware.” Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning that a core team creates its malware and runs its website while licensing out its code to “affiliates” who launch attacks.
Typically, when ransomware-as-a-service groups successfully attack a business and get paid, they’ll share a cut of the profits with the affiliates. In the case of LockBit, Jérôme Segura, senior director of threat intelligence at Malwarebytes, says the affiliate model is flipped on its head. Affiliates collect payment from their victims directly and then pay a fee to the core LockBit team. The structure seemingly works well and is reliable for LockBit. “The affiliate model was really well ironed out,” Segura says.
Though researchers have repeatedly seen cybercriminals of all sorts professionalizing and streamlining their operations over the past decade, many prominent and prolific ransomware groups adopt flamboyant and unpredictable public personas to garner notoriety and intimidate victims. In contrast, LockBit is known for being relatively consistent, focused, and organized.
“Of all the groups, I think they have probably been the most businesslike, and that is part of the reason for their longevity,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But the fact that they post a lot of victims on their site doesn’t necessarily equate to them being the most prolific ransomware group of all, as some would claim. They are probably quite happy with being described that way, though. That’s just good for recruitment of new affiliates.”
The group certainly isn’t all hype, though. LockBit seems to invest in both technical and logistical innovations in an attempt to maximize profits. Peter Mackenzie, director of incident response at security firm Sophos, says, for example, that the group has experimented with new methods for pressuring its victims into paying ransoms.
“They've got different ways of paying,” Mackenzie says. “You could pay to have your data deleted, pay to have it released early, pay to extend your deadline,” Mackenzie says, adding that LockBit opened its payment options to anyone. This could, theoretically at least, result in a rival company buying a ransomware victim’s data. “From the victim's perspective, it's extra pressure on them, which is what helps make people pay,” Mackenzie says.
Since LockBit debuted, its creators have spent significant time and effort developing its malware. The group has issued two big updates to the code—LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. Researchers say the technical evolution has paralleled changes in how LockBit works with affiliates. Prior to the release of LockBit Black, the group worked with an exclusive group of 25 to 50 affiliates at most. Since the 3.0 release, though, the gang has opened up significantly, making it harder to keep tabs on the number of affiliates involved and also making it more difficult for LockBit to exercise control over the collective.
LockBit frequently expands its malware with new features, but above all, the malware’s characteristic trait is that it's simple and easy to use. At its core, the ransomware has always offered anti-detection capabilities, tools for circumventing Microsoft Windows defenses, and features for privilege escalation within a compromised device. LockBit uses publicly available hacking tools when it can, but it also develops custom capabilities. The 2022 FBI report noted that the group sometimes uses previously unknown or zero day vulnerabilities in its attacks. And the group has the capability to target many different types of systems.
“It's not just Windows. They'll attack Linux, they'll go after your virtual host machines,” Mackenzie says. “They offer a solid payment system. There's a lot of backend infrastructure that comes with this. It's just a well-made product, unfortunately.” In October, it was reported that LockBit’s malware was deployed after a zero day was used to hack Microsoft Exchange servers—a relatively rare occurrence when it comes to ransomware gangs.
“Theer are additional features that make the ransomware more dangerous—for example, having worm components to it,” Segura adds. “They've also discussed things like doing denial-of-service attacks against victims, in addition to the extortion.”
With the release of LockBit 3.0, the group also signaled its intention to evolve. It introduced the first ransomware bug bounty scheme, promising to pay legitimate security researchers or criminals who could identify flaws in its website or encryption software. LockBit said it would pay anyone $1 million if they could name who is behind LockBitSupp, the public persona of the group.
The core members at the top of LockBit seem to include its leader and one or two other trusted partners. Analyst1’s DiMaggio, who has tracked the actors for years, notes that the group claims to be based in the Netherlands. Its leader has said at various times that he personally operates out of China or even the United States, where he has said he is a part owner of two restaurants in New York City. LockBit members all seem to be Russian-speaking, though, and DiMaggio says that while he cannot be certain, he believes the group is based in Russia.
“The leader doesn’t seem to have any concern about being arrested. He thinks he’s a supervillain, and he plays the part well,” DiMaggio says. “But I do believe he has a healthy concern that if the Russian government were to get their hooks in him, he would have to make the decision to turn over most of his money to them or do work for them like helping them with the Ukraine war.”
Despite LockBit’s relative professionalism, the group has, at times, slipped into showboating and bizarre behavior. During desperate efforts to get attention—and attract affiliates—in its early months, the criminal group held an essay-writing competition and paid prizes to the winners. And in September 2022, the group memorably posted a message on a cybercrime forum claiming it would pay anyone $1,000 if they got the LockBit logo tattooed on themselves. Around 20 people shared photos and videos with their feet, wrists, arms, and chests all branded with the cybercrime gang’s logo.
LockBit’s meteoric rise and recent attacks against high-profile targets could ultimately be its downfall, though. Notorious ransomware groups have been infiltrated, exposed, and disrupted in recent years. Before Russia’s full-scale invasion of Ukraine in February 2022, the Russian Federal Security Service (FSB) arrested high-profile REvil hackers, although the group has since returned. Meanwhile, the US military hacking unit Cyber Command has admitted to disrupting some ransomware groups. And a Ukrainian cybersecurity researcher contributed to the downfall of the Conti ransomware brand last year after infiltrating the group and publishing more than 60,000 of the group’s internal chat messages.
These deterrent actions appear to be having some impact on the overall ransomware ecosystem. While it is difficult to determine real totals of how much money ransomware actors take in, researchers who track cybercriminal groups and those who specialize in cryptocurrency tracing have noticed that ransomware gangs seem to be taking in less money as government enforcement actions impede their operations and more victims refuse to pay.
The screws are already turning on LockBit. An apparently disgruntled LockBit developer leaked its 3.0 code in September, and Japanese law enforcement has claimed it can decrypt the ransomware. US law enforcement is closely watching the group as well, and its recent attacks can only have raised its profile. In November 2022, the FBI revealed that an alleged LockBit affiliate, Mikhail Vasiliev, 33, had been arrested in Canada and would be extradited to the US. At the time, deputy attorney general Lisa O. Monaco said officials had been investigating LockBit for more than two and a half years.
“I think LockBit is going to have a rough year this year and potentially see their numbers go down,” Analyst1’s DiMaggio says. “They are under a lot of scrutiny now, and they also may have lost their main developer, so they could have development issues that bite them in the ass. It’ll be interesting to see. These guys don’t care about anyone or anything.”
LockBit has seemingly been so dangerous and prolific because it maintained standards for the types of targets its affiliates could hit and avoided attracting too much attention while casting a wide net. But times have changed, and shutting down the UK’s international mail exports for more than a week isn’t exactly keeping a low profile.
“They do have a bit of a PR problem when it comes to their affiliates at this point, because they obviously can't seem to handle them very well,” Malwarebytes’ Segura says. “The bragging, hitting some pretty critical infrastructure, and high-visibility targets is a very dangerous game they're playing. LockBit has a big target on its back right now.”
