LockBit is currently wrestling with significant technical difficulties that are impeding its ability to effectively target victims, according to new research.
In an extensive exposé of the notorious ransomware gang’s inner workings, Jon DiMaggio, chief security strategist at Analyst, claimed that the “quality of LockBit’s operation is degrading” due to a range of factors, such as its inability to keep pace with current development needs.
DiMaggio’s investigation revealed that LockBit has been laden with difficulties in recent months, including a high-profile spat with cyber criminal counterparts, such as the Royal group.
“There is a significant delay in producing new ransomware variants, and LockBit is struggling to publish victim data, causing affiliates to leave and partner with other ransomware gangs,” DiMaggio wrote.
While LockBit has still been highly active – and successful – in recent months, the group’s development timeline suggests there could be issues with the creation of new strains.
LockBit announced a major update to its ransomware program in June 2021 with the launch of LockBit Red, also known as LockBit 2.0.
A year later, in June 2022 the group released an “even more significant” update in the form of LockBit Black. This update was believed to be created by the developer behind the DarkSide and BlackMatter ransomware strains, and included new features which “elevated LockBit to the top of the ransomware food chain”, DiMaggio noted.
However, aside from a small-scale update in the form of LockBit Green, there has been no major release by the gang since mid-2022. Furthermore, this specific update was not a unique build created by LockBit, but was instead a leaked strain from the now-defunct Conti group.
Key factors in this, DiMaggio found, were that the group has contended without developers for an extended time, which may have resulted in it missing a June 2023 ransomware development deadline.
Arrests of notable members and affiliate losses could also be contributing to the rutt that the group is currently facing, analysis indicated.
Outdated strains could hinder affiliate success
LockBit’s current predicament with strain development has placed it in a precarious position in terms of effectiveness.
Recent analysis of LockBit Black sample detections show that between 50 and 60 out of 71 security vendors can effectively detect the ransomware strain. In 2022, DiMaggio noted that fewer vendors could detect this strain due to its then-new features.
However, given there has been no significant update since LockBit Black, this could point toward lower success rates for affiliates harnessing this strain.
Similarly, DiMaggio suggested that some may still be using LockBit Black and relying on the ominous reputation that LockBit maintains to essentially scare victims into complying with demands.
“LockBit claims it is working on something new, but I have seen no evidence to support this besides claims made on underground forums,” DiMaggio wrote.
“Personally, I like to see results, not empty promises, but perhaps affiliates are content with using outdated ransomware due to LockBit’s reputation with the general public.
“Honestly, I don’t know if an update is a week or a year away, but it’s already missed the expected June release date, and all signs indicate that LockBit is having serious development issues. I won’t hold my breath.”
Cutting out the competition
Analysis of LockBit activities showed that the group also appears to be muscling in on competitor tools. A high-profile spat between figures at the Royal ransomware group and LockBit broke out after it was found that the latter had approached affiliates “trying to gain access to their builder”.
LockBit framed this incident as an attempt to “build a ransomware comparison table” for use among affiliates. However, it appears LockBit was in fact trying to steal ransomware builders from competitor groups.
“In December 2022, LockBit began a collection and theft campaign against its competitors. LockBit is willing to buy their ransomware at what it feels is fair market price. If they don’t sell, LockBit covertly tries to obtain access and steal it for himself.”
While this points toward a degree of desperation on LockBit’s part, the reality is far more sinister, DiMaggio suggested. The group appears intent on obtaining a portfolio of ransomware variants to create a “one-stop-shop” builder portal.
This overhauled ransomware as a service (RaaS) model could mean that if affiliates are unsuccessful with LockBit Black, for example, they could deploy alternative strains obtained by the group to ensure success.
In the long term, this could have serious repercussions across the space, resulting in groups such as Alphv and Royal being muscled out of potential profits.
“Consider the situation I discussed earlier where an affiliate tries to deploy LockBit Black ransomware, but defenses within the environment block it. The affiliate would often be out of luck since now they cannot encrypt target systems and data.
“Alternatively, in this same situation, well-connected affiliates with access to multiple RaaS programs could simply deploy ransomware from one of LockBit’s competitors and extort the victim. Now, LockBit gets none of the profit. Instead, his competitors, like Alphv and Royal, get richer.
“However, under LockBit’s one-stop-stop shop model, if a ransomware payload is blocked, they have several other options just a few clicks away.”
DiMaggio warned this could elevate LockBit’s position within the threat actor landscape and that the security industry is unprepared for this situation to unfold.
“By creating a “one-stop-shop,” affiliates can decide what ransom payload they wish to use. We as the security community need to be prepared for this, because it will change how we defend and mitigate ransomware threats.”
The creation of this one-stop-shop could eventually result in threat actors harnessing three specific payloads, such as LockBit Black, Royal, and Conti.
In this instance, an affected company would then require three decryption keys and be forced to comply with three ransom payments.
“Fortunately, this is not only bad for us, but it’s bad for all of LockBit’s competitors, who had to spend time and money developing their ransomware payloads,” DiMaggio said.
“You would think they would be more aggressive at deterring him from doing this. Maybe they don’t believe it can gain access to their ransomware.”
