This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who recently took action against LockBit as part of an international effort resulting in the disruption of the group’s infrastructure and undermining of its operations. More details can be found on their website.
LockBit is a Ransomware-as-a-Service operation (RaaS) that has been involved in numerous security incidents for organizations globally over the years. By offering LockBit as a RaaS, its developers can provide it to other criminals for their own operations. In a typical RaaS setup, earnings are split between both the developers and their affiliates after the ransom has been negotiated and paid. LockBit normally charges a 20% share of the ransom per paying victim, with the remaining 80% going to the affiliate. However, if LockBit itself is the one carrying out the negotiations, this fee goes up to 30 to 50%. In November 2023, the group introduced new recommendations for ransom values based on the revenue of the victim, forbidding discounts above 50%.
From a purely technical standpoint, what set LockBit apart from competing ransomware packages was that it used to have self-spreading capabilities. Once a host in the network was infected, LockBit was able to search for other nearby targets and attempt to infect them as well, a technique that was not common in this kind of malware.
From a criminal group perspective, LockBit was known to be innovative and willing to try new things (though less so in recent times, as we will see in this entry). For instance, they came up with a public contest — a “bug bounty” — to find new ideas from the cybercriminal community to improve their ransomware. This group also developed and maintained a simple point-and-click interface that allowed a cybercriminal to choose various options before compiling the final binary for the attack, therefore lowering the technical barrier of entry for their criminal affiliates.
The group also promoted themselves through stunts in the cybercriminal community, such as paying people to get LockBit tattoos and even offering a US$1 million bounty for anyone who could find out the real-world identity of LockBit’s gang leader (an individual or group known by the online nickname “LockBitSupp”).
As part of this innovative streak, LockBit has published several versions of their ransomware, from the initial v1 (January 2020) to LockBit 2.0 (nicknamed “Red”, from June 2021), then to LockBit 3.0 (nicknamed “Black”, from March 2022). In October 2021, the threat actor introduced LockBit Linux to accommodate attacks on Linux and VMWare ESXi systems. Finally, an intermediate version, nicknamed “Green,” that incorporated code apparently inherited from the defunct Conti ransomware, emerged in January 2023. However, this version was not identified as a new 4.0 version.