China and the US were hardest-hit by the LockBit ransomware group between December 2024 and April this year, research shows, with affiliates targeting 156 organizations in all.
Trellix Advanced Research Center has released its analysis of the LockBit SQL database dump it observed in May, noting that China was probably the greatest focus because of its large industrial base and manufacturing sector.
“Unlike BlackBasta and Conti RaaS groups that occasionally probe Chinese targets without encrypting them, LockBit appears willing to operate within Chinese borders and disregard potential political consequences, marking an interesting divergence in their approach,” the researchers said.
Meanwhile, affiliates such as BaleyBeach, umarbishop47, and btcdrugdealer were active in the US, where attacks appeared to be more spread out among affiliates, suggesting a more opportunistic approach rather than specialized targeting.
Taiwan was the third most-targeted country, followed by Brazil and Turkey. One group, Swan, had a broad geographic reach, targeting multiple European countries including Austria, Czech Republic, and Switzerland.
This, researchers pointed out, indicates sophistication in the group’s ability to navigate different regulatory environments.
“The victimology data reveals some unexpected targeting patterns. It’s particularly surprising to see such a concentrated effort on Chinese and Taiwanese organizations,” the researchers said.
“Unlike other ransomware groups that might shy away from such politically sensitive targets, LockBit appears to have operated with a different calculus.”
LockBit affiliates are diversifying targets
Manufacturing was the most frequently targeted sector, followed by consumer services, the finance sector, and government services.
After analyzing LockBit negotiation chats, Trellix researchers discovered 18 confirmed payments to cryptocurrency wallets believed to be under the control of LockBit affiliates, netting them around $2,337,000.
“The data paints a picture of varying strategies, with initial ransom demands ranging from modest to exorbitant. What’s clear is that substantial discounts were the norm, often between 10% and 80%, highlighting the haggling that goes on behind the scenes of these cyber extortion attempts,” researchers said.
“Affiliate success within LockBit varied significantly, indicating differences in skill and potentially specialization in specific familiar industries and/or countries.”
The LockBit owner appears to have been charging affiliates 20% of ransom payments, adding up to around $456,000 over the period.
It made a lot less from auto-registration invitations, though – around $10,000 to $11,000.
“The assertion made by LockBit on the RAMP underground forum, which claimed monthly earnings of $100,000 from auto-registration, is thus considered to be significantly exaggerated,” the researchers said.
LockBit is still causing havoc
LockBit was once one of the most prolific and successful ransomware-as-a-service groups, but was disrupted early last year by international law enforcement bodies.
Since then, a number of group members and affiliates have been arrested.
The group’s exaggerated claims of earnings, researchers said, shows how cyber criminals are inclined to hype up their successes and downplay their failures.
“What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities,” they said.
“While profitable, it’s far from the perfectly orchestrated, massively lucrative operation they’d like the world to believe it is.”
