Keys to LockBit's Success: Self-Promotion, Technical Acumen
Dominant Ransomware Group Remains Highly Active, Has Enjoyed Unusual LongevityWhen the Conti ransomware brand imploded earlier this year, the big question was who would seize its position and become the world's worst - or best, depending on perspective - criminal encryption gang.
See Also: Live Webinar | Crack Asia’s Code on Ransomware: Empowering Your Last Line of Defence
One clear winner has emerged: LockBit. It claims more victims on its data leak site than any other group. Its malware is technically sophisticated. Its focus on self-promotion and keeping affiliates happy has vaunted it to the bottom - or top - of the list.
LockBit even took what might be called a celebratory bow earlier this month with the release of LockBit 3.0.
The group announced it would pay a bug bounty of up to $1 million to any researchers who sold them zero-day vulnerabilities to exploit. It practically issued a challenge, saying the largest payout is reserved for anyone who reveals the real identity of the group's affiliate program boss. And it trumpeted its mission to "Make Ransomware Great Again!"
Whatever the group is doing seems to be working. "It's certainly one of the more active groups now," says Lisa Sotto, partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP. "They have gotten more sophisticated, and they are announcing to the world that they have achieved a new and higher level of sophistication in their exploits."
Threat intelligence firm Trellix says LockBit is the most common ransomware strain, accounting for 26% of the total attacks during the first three months of this year, followed by Conti at 13%, BlackCat at 11% and Ryuk at 10%.
Another view of its success comes from counting victims listed on ransomware groups' data leak sites. During this year's first quarter, LockBit listed 220 victims, nearly double Conti, which was in second place with 117 victims, cybersecurity firm Trend Micro reports.
But counting victims on a data leak site doesn't show the whole picture. For starters, it's a list of alleged victims who didn't pay a ransom versus ones who did. Also, not all ransomware or ransomware-as-a-service groups run data leak sites. "Leak site postings shouldn't be assumed to indicate a group's activity levels. Some operations post only a minority of their nonpaying victims, while others falsely list companies that haven't been hit," says Brett Callow, a threat analyst at cybersecurity firm Emsisoft.
For example, LockBit has falsely listed Mandiant as being a victim, and on Monday, it listed Italy's Revenue Agency. But Italian media reported that the latter victim instead appeared to be Italian IT services firm GESIS.
"That said, LockBit is certainly one of the busier operations," Callow says. "The reason for this is probably that it's one of the more stable RaaS operations, which has enabled it to attract affiliates from now-defunct operations."
Technical Sophistication
Successful ransomware groups are typically unbridled self-promoters. Hype is meant to scare fresh victims into quietly paying a ransom, as quickly as possible. Brand awareness helps groups recruit highly skilled affiliates, who take the group's ransomware and use it to infect more victims.
One of the ways LockBit tries to differentiate itself from competitors continues to be the sophistication of its ransomware code. Namely, the gang promises that its code will encrypt faster and be tougher to detect and block than the code of rivals.
LockBit offers affiliates two different versions of Windows crypto-locking malware, "written by different programmers, allowing you to encrypt the network twice, if time allows," it says. "It will be useful for paranoiacs who doubt the reliability and implementation of the cryptographic algorithm," or if both get used on a network, to offer free decryption of one of the strains - but not the other - perhaps as a token of goodwill.
Version 3 of LockBit appears to have been overhauled in part by adapting other ransomware source code. Security researchers have found numerous similarities between LockBit and BlackMatter ransomware - a variant of DarkSide, since relaunched as BlackCat or Alphv.
On Wednesday, a known LockBit representative, a claimed former member of Conti who goes by LockBitSupp, "admitted purchasing the source code of the BlackMatter ransomware and improving it for LockBit 3.0," threat intelligence firm Kela reports. Tellingly, LockBit also refers to version 3 of its ransomware as LockBit Black.
Among the similarities, Kela says: "LockBit 3.0 code is based on the source code of BlackMatter ransomware; LockBit 3.0 and BlackMatter share the same API harvesting tactic; they both implement the same anti-debugging technique; share similar routines for privilege escalation; use a Base64-encoded hash string as the encrypted file name extension, ransom note name, wallpaper and icon name."
Unusual Longevity
LockBit enjoys unusual longevity, and the group doesn't fail to highlight this stability in its pitch to prospective affiliates.
"We have been working for 3 years … and so far we have not been caught by the FBI," LockBit's site says. "If they couldn't catch us in 3 years, they probably never will, and we will keep working."
Experts agree. "Short of intervention by law enforcement, we expect to see LockBit around for the foreseeable future and further iterations of what is undoubtedly a very successful RaaS operation," cybersecurity firm SentinelLabs says.
Ransomware-as-a-service operations are only as good as the collective might of the affiliates they recruit. The better the affiliate, the more reliable it is at taking down targets, including big game. Accordingly, there's fierce competition between ransomware operations to recruit the most skilled affiliates - or in LockBit-speak, "pentesters."
LockBit so far hasn't come out in support of Russia's invasion of Ukraine, unlike Conti, which paid a price as many victims then refused to pay.
LockBit claims to be apolitical. "We are located in the Netherlands, completely apolitical and only interested in money," it says on its website.
In reality, experts say, most if not all dominant strains of ransomware are run by Russian-speaking attackers, many of whom are likely located in Russia or former Soviet satellites. Experts say they must abide by certain rules, as LockBit appears to do, such as never crypto-locking systems in Russia. In some cases, groups may also be called on to do favors for the government.
Customer Focus
LockBit takes pains to appeal to affiliates via a dedicated page on its site. "The page is peppered with people-pleasing language designed to signal the gang's trustworthiness and willingness to listen," says cybersecurity firm Malwarebytes.
As LockBit tells prospective affiliates: "If you do not find one of your favorite features, please inform us, maybe we will add it especially for you."
The group clearly trades on its reputation. "We have shown everyone that it is safe to cooperate with us," it says. "We have never cheated anyone and always fulfill our agreements."
Such claims stand in stark contrast to some other, former ransomware bigwigs, such as the now-defunct REvil - aka Sodinokibi - operation. Reverse engineers working for the Exploit cybercrime forum last year discovered that REvil's developers had added a backdoor to the crypto-locking malware, enabling them to cut out affiliates and negotiate directly with victims. Presumably, affiliates were never told these victims had paid a ransom, since every ransom went first to the operators.
LockBit Affiliates Keep 80%
From a business standpoint, LockBit seems to have organized its operations to avoid any question that it would try or be able to run such scams. For starters, while many groups' operators handle communications with victims, LockBit instead has affiliates do so.
"You personally communicate with the attacked companies and decide yourself how much money to take for your invaluable pentest work, which should surely be generously paid," LockBit tells affiliates, noting that whatever price they set, LockBit gets a 20% cut of every ransom paid.
Affiliates are instructed to transfer to LockBit its cut after any ransom payment, except for any ransom payments that exceed $500,000. In that case, to avoid LockBit operators getting scammed, "you give the attacked company two wallets for payment - one is yours, to which the company will transfer 80%, and the second is ours for 20%," LockBit says.
If prospective affiliates think that LockBit keeping 20% is too much, the operators offer this self-serving advice: "You should not deny yourself the pleasure of working with us. Just increase the amount of ransom by 20% and be happy."