In November, the US Department of Justice reported that LockBit’s ransomware has been used against at least 1,000 victims worldwide, including in the United States. “LockBit members have made at least $100 million in ransom demands and have extracted tens of millions of dollars in actual ransom payments from their victims,” the Justice Department wrote. The FBI began investigating the group in early 2020. In February 2022, the agency released an alert warning that LockBit “employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense.”
LockBit emerged at the end of 2019, first calling itself “ABCD ransomware.” Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning that a core team creates its malware and runs its website while licensing out its code to “affiliates” who launch attacks.
Typically, when ransomware-as-a-service groups successfully attack a business and get paid, the core operators collect the ransom and share a cut of the profits with the affiliates. In the case of LockBit, Jérôme Segura, senior director of threat intelligence at Malwarebytes, says the affiliate model is flipped on its head: affiliates collect payment from their victims directly and then pay a fee to the core LockBit team. The structure appears to work well and reliably for LockBit. “The affiliate model was really well ironed out,” Segura says.
Though researchers have repeatedly seen cybercriminals of all sorts professionalizing and streamlining their operations over the past decade, many prominent and prolific ransomware groups adopt flamboyant and unpredictable public personas to garner notoriety and intimidate victims. In contrast, LockBit is known for being relatively consistent, focused, and organized.
“Of all the groups, I think they have probably been the most businesslike, and that is part of the reason for their longevity,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But the fact that they post a lot of victims on their site doesn’t necessarily equate to them being the most prolific ransomware group of all, as some would claim. They are probably quite happy with being described that way, though. That’s just good for recruitment of new affiliates.”
The group certainly isn’t all hype, though. LockBit seems to invest in both technical and logistical innovations in an attempt to maximize profits. Peter Mackenzie, director of incident response at security firm Sophos, says, for example, that the group has experimented with new methods for pressuring its victims into paying ransoms.