LockBit Ransomware: Inside the World’s Most Active Ransomware Group

1. What is LockBit?

LockBit is a ransomware-as-a-service (RaaS) operation, and the name of the ransomware it distributes. The group has been active since September 2019 and has, at times, been ranked the most prolific and destructive ransomware group. In the cybercriminal ransomware economy, LockBit has established itself as a prominent and widespread threat, posing serious challenges to organizations worldwide.

In recent times, the group has gained notoriety for its sophisticated and ruthless strains of ransomware. It infiltrates computer systems, encrypts vital data, and demands hefty ransoms, leaving victims grappling with difficult decisions. As a RaaS group, LockBit operates on a profit-sharing model, selling its services to cybercriminals, known as affiliates, who target organizations and deploy LockBit ransomware. The group is active across multiple hacking forums, including Exploit and RAMP, and maintains a ransomware leak site where it publishes data on victims.

2. Activity

According to Flashpoint data, LockBit accounted for 30.25 percent of all known ransomware attacks from August 2021 to August 2022, and for approximately 21 percent from January 2023 to December 2023, making it the dominant strain in both periods. The group has been responsible for numerous high-profile attacks and has targeted healthcare organizations, government agencies, and critical infrastructure, which underlines the severity of the threat.

3. The Formation of LockBit

LockBit ransomware first emerged in September 2019 and was originally known as "ABCD" ransomware because it appended the file extension ".abcd" to the files it encrypted. In January 2020, the group began operating as a ransomware-as-a-service (RaaS) and adopted the name LockBit.

In September 2020 the group announced on the Exploit forum that it had launched its own leak site. The site is where the group announces recent attacks and publishes the data of victims who did not pay the ransom. The group posts primarily in Russian and English; on its site it claims to be based in the Netherlands and not to be politically motivated.

LockBit has attacked a variety of organizations across sectors, including the education, finance, healthcare, internet software and services, and professional services sectors. A 2022 Trend Micro report stated that 80.5 percent of LockBit victims are small and medium-size businesses and only 19.5 percent of its victims are larger enterprises.

4. Related and connected groups

According to analysts at Mandiant, in June 2022 "Evil Corp" began deploying LockBit ransomware because it was cheaper than maintaining its own and because it helped the group evade sanctions imposed on it by the US Treasury Department's Office of Foreign Assets Control (OFAC): victims are reluctant to pay a sanctioned entity, so deploying another group's ransomware hides who is actually being paid.

In November 2021, the “BlackMatter” ransomware group, a variant of “DarkSide” ransomware, announced that due to law enforcement targeting, it was shutting down. BlackMatter transferred the remainder of its victims’ data to LockBit, which was to take over existing extortion demands.

In June 2020, “Maze” ransomware claimed that it was collaborating with LockBit and other ransomware groups as part of a “ransomware cartel” operation. The collaboration strove to provide different ransomware threat actors a place to publish data and share experiences.

5. The LockBit reputation

LockBit has established itself as a prolific ransomware group that maintains a relatively low profile despite the volume of attacks it carries out. It is particularly aggressive towards organizations in the manufacturing and infrastructure sectors, though it has demonstrated a willingness to attack a wide range of industries.

But while other ransomware groups may decide to grow their “brand” along with their operations by creating reputations that could be described as wild, unpredictable, or exaggerated, LockBit has largely remained focused and “businesslike” when it comes to how they run their activities.

The group continues to innovate both their methods of operation and their technical capabilities, and maintains its offering of an easy-to-use, effective malware that allows other threat actors to profit.

6. How LockBit attacks

A LockBit intrusion typically begins with exploitation of vulnerable internet-facing applications (affiliates sometimes buy the exploits they use), brute-forcing of Remote Desktop Protocol (RDP) credentials, or phishing. The operators are either full-time members of the collective or affiliates who join temporarily in hopes of a quick payout. Rather than breaking in themselves, affiliates may also buy access from initial access brokers. Once inside, they commonly stage the attack with PowerShell Empire and Cobalt Strike and use tools such as PsExec to move laterally across the victim's network. Before encrypting, LockBit clears Windows event logs and deletes volume shadow copies so that the victim cannot restore from local snapshots. Finally, it encrypts data on local drives and on network shares reachable from the compromised hosts.
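The log clearing, shadow copy deletion and PsExec lateral movement described above leave very characteristic command lines in process-creation telemetry. The following is an added example, not code from the page's author or from any LockBit tooling: a small Python detector that runs the corresponding rules over constructed Windows Event ID 4688-style records (the pipe-delimited format, host names, user names and paths are all invented for the sample) and flags hosts where two or more distinct techniques appear, which separates a single legitimate administrative command from ransomware staging.

```python
"""
Detector for the pre-encryption commands LockBit affiliates run: shadow copy
deletion, boot-recovery tampering, event-log clearing, Defender tampering and
PsExec lateral movement. Added example; the telemetry below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (ATT&CK technique, description, regex over the process command line)
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Inhibit System Recovery: boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1070.001", "Indicator Removal: Windows event log cleared",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    ("T1562.001", "Impair Defenses: Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("T1569.002", "Service Execution: PsExec against a remote host",
     re.compile(r"\bpsexec(64)?(\.exe)?\b.*\\\\\S+", re.I)),
]

# Constructed process-creation records in a pipe-delimited shape:
# timestamp|host|event_id|user|image|command_line. Hosts, users and paths are invented.
SAMPLE_LOG = """\
2024-02-18T03:10:02Z|WS01|4688|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2024-02-18T03:11:17Z|WS01|4688|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2024-02-18T03:12:44Z|WS01|4688|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-02-18T03:12:45Z|WS01|4688|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2024-02-18T03:12:46Z|WS01|4688|CORP\\svc_backup|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2024-02-18T03:12:50Z|WS01|4688|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security
2024-02-18T03:13:01Z|DC01|4688|CORP\\svc_backup|C:\\Temp\\PsExec.exe|PsExec.exe \\\\FS01 -s -d cmd /c C:\\Temp\\lb.exe
2024-02-18T03:13:05Z|FS01|4688|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
"""


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    event_id: str
    user: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    technique: str
    description: str
    command_line: str


def parse_line(line: str) -> ProcessEvent:
    """Split one record; the command line is the last field and may itself
    contain '|', so split at most five times."""
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    return ProcessEvent(*fields)


def scan(lines) -> list[Finding]:
    """Apply every rule to every record; one record may yield several findings."""
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for technique, description, pattern in RULES:
            if pattern.search(ev.command_line):
                findings.append(Finding(ev.timestamp, ev.host, ev.user, technique, description, ev.command_line))
    return findings


def suspicious_hosts(findings, min_techniques: int = 2) -> list[str]:
    """A lone matching command can be legitimate admin work (e.g. a backup job);
    two or more distinct techniques on one host is the pre-encryption staging pattern."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.technique)
    return sorted(h for h, techniques in per_host.items() if len(techniques) >= min_techniques)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp} {f.host:<5} {f.technique:<9} {f.description}: {f.command_line}")
    print("hosts with >=2 distinct techniques:", suspicious_hosts(hits))
```

The benign "vssadmin list shadows" record is deliberately included and does not match; the delete form does. In production the same rules apply to Sysmon Event ID 1 or any EDR process feed, and the per-host correlation should use a short time window rather than the whole log, since the real staging sequence runs within seconds as the sample shows.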

7. Stages of a LockBit attack

The LockBit attack procedure centers around three main steps: Initial access, lateral movement and privilege escalation, and deployment of the ransomware payload.

Initial access

LockBit often leverages social engineering tactics, like phishing, to access user credentials and gain initial entry into an organization’s network.

Among other tactics, they may also brute-force credentials (exposed RDP logins are a common target) and enter the network with the guessed passwords, or exploit vulnerabilities in internet-facing systems to gain a foothold within an organization's network.
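Brute-forced RDP credentials are one of the initial access routes above, and the corresponding signal in Windows Security logs is a burst of failed logons (Event ID 4625, logon type 10) from one source address, sometimes followed by a success (Event ID 4624) from the same address. The following is an added example, not the page's own material: a Python sliding-window detector over constructed logon records that distinguishes a brute-force attack on one account from a password spray across many accounts, and raises a separate alert when a success follows a burst of failures. The record format, addresses and account names are invented for the sample; the thresholds are assumptions to tune per environment.

```python
"""
Sliding-window detector for RDP credential brute forcing in Windows Security
logon events. Added example; all records below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RDP_LOGON_TYPE = 10            # RemoteInteractive: RDP / Terminal Services
FAILED, SUCCESS = 4625, 4624   # Windows Security event IDs


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    source_ip: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    kind: str
    source_ip: str
    detail: str


def parse(line: str) -> LogonEvent:
    """Record shape (constructed): iso_timestamp|event_id|logon_type|user|source_ip."""
    ts, eid, ltype, user, ip = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), int(eid), int(ltype), user, ip)


def detect(lines, window=timedelta(minutes=5), threshold=10) -> list[Alert]:
    """Keep, per source address, the RDP failures seen inside `window`.
    `threshold` failures -> brute_force (few accounts) or password_spray (many accounts).
    A success while at least threshold//2 recent failures are pending ->
    success_after_failures, which is the alert worth paging on.
    Thresholds are assumptions to tune per environment."""
    pending = defaultdict(deque)   # source_ip -> deque of (ts, user) for failures in window
    already = set()                # addresses already alerted for the burst itself
    alerts = []
    for ev in (parse(line) for line in lines if line.strip()):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue
        q = pending[ev.source_ip]
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        if ev.event_id == FAILED:
            q.append((ev.ts, ev.user))
            if len(q) >= threshold and ev.source_ip not in already:
                accounts = {u for _, u in q}
                kind = "password_spray" if len(accounts) > threshold // 2 else "brute_force"
                alerts.append(Alert(ev.ts, kind, ev.source_ip,
                                    f"{len(q)} RDP failures across {len(accounts)} account(s)"))
                already.add(ev.source_ip)
        elif ev.event_id == SUCCESS and len(q) >= threshold // 2:
            alerts.append(Alert(ev.ts, "success_after_failures", ev.source_ip,
                                f"{ev.user} logged in after {len(q)} recent failures"))
            q.clear()
    return alerts


def _constructed_log() -> list[str]:
    """Invented records: one brute-force burst that succeeds, one harmless typo,
    one console logon, and one password spray across ten accounts."""
    base = datetime(2024, 2, 18, 2, 0, tzinfo=timezone.utc)

    def t(**kw):
        return (base + timedelta(**kw)).isoformat()

    lines = [f"{t(seconds=7 * i)}|4625|10|administrator|203.0.113.45" for i in range(12)]
    lines.append(f"{t(seconds=95)}|4624|10|administrator|203.0.113.45")       # guessed password works
    lines.append(f"{t(minutes=3)}|4625|10|jdoe|198.51.100.7")                 # one typo, then success
    lines.append(f"{t(minutes=3, seconds=20)}|4624|10|jdoe|198.51.100.7")
    lines.append(f"{t(minutes=4)}|4624|2|jdoe|127.0.0.1")                     # console logon: ignored
    lines += [f"{t(minutes=6, seconds=10 * i)}|4625|10|user{i:02d}|192.0.2.77" for i in range(10)]
    return lines


CONSTRUCTED_LOG = _constructed_log()

if __name__ == "__main__":
    for a in detect(CONSTRUCTED_LOG):
        print(f"{a.ts.isoformat()} {a.kind:<23} {a.source_ip:<14} {a.detail}")
```

The success-after-failures alert is the one that matters operationally: it means a guessed password worked and the affiliate now has an interactive session, which is the point at which the lateral movement and privilege escalation stage below begins. On a real estate the same logic should also consume VPN and OWA authentication logs, since affiliates brute-force whatever remote access is exposed.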

Lateral movement and privilege escalation

Once the attackers have gained initial access, they will attempt to expand their reach within the compromised network. Their goal is to locate sensitive data and systems to encrypt, elevate their access rights, and strengthen their control over the affected system, which allows them to move more freely within the network.

The deployment also tries to disable the controls the organization relies on to prevent or recover from an attack, such as endpoint protection, event logging, shadow copies and reachable backups, so that recovering without paying the ransom becomes harder.

Deployment of ransomware payload

After the threat actors have prepped the victim’s network for attack, they will deploy the ransomware to encrypt victims’ files and data and make the ransom demand.

LockBit ransomware stands out for its ability to spread on its own. Where other ransomware strains require the attackers to sit quietly in the network for an extended period to gain access to many systems by hand, LockBit only needs to be launched on a single host; from there it propagates to other reachable hosts on the network, runs on each of them, and encrypts their files.

8. LockBit variants

Since LockBit’s original malware, which used the .abcd extension, the group has released several new variants of its malware: LockBit, LockBit 2.0, LockBit 3.0, and LockBit Green. According to an interview LockBit gave to the YouTube channel “Russian OSINT” in August 2021, each variation of LockBit is an evolution in encryption speed to prevent a company’s cybersecurity measures from mitigating an attack.

Following the takedown of LockBit infrastructure by law enforcement in February 2024, it emerged that the group had been working on its next variant, dubbed "LockBit 4.0". Further analysis of a sample showed that it targets multiple operating systems, can randomize victims' file names to complicate restoration, and includes a self-delete routine that overwrites its own file contents with null bytes before removing the file, which frustrates later recovery of the binary for analysis.

LockBit

LockBit is the first variant that succeeded the original .abcd extension used by the ransomware group. It is not clear exactly when the shift from .abcd to LockBit occurred, but LockBit was highly similar to the original. It gained notoriety for its ability to deploy its encryption process in under five minutes.

LockBit’s automatic approach to encryption functions similarly to “LockerGoga” and “MegaCortex.” This variant utilizes tools such as Windows PowerShell and Server Message Block to assist with spreading the malware.

LockBit 2.0

On February 4, 2022, the FBI released a flash report on the emergence of the second variant, "LockBit 2.0." The report stated that the variant had first appeared in July 2021. LockBit 2.0 evolved from the original by encoding its strings and decoding them only at runtime to hinder static detection. Once the variant has obtained administrative privileges, the encryption process begins.

Additionally, the variant can automatically encrypt an entire Windows domain by abusing Active Directory Group Policy: from a domain controller it creates a policy that disables Microsoft Defender and pushes the ransomware to every domain-joined host. Alongside LockBit 2.0 the group also released "StealBit," a custom exfiltration tool that uploads selected file types from the victim to LockBit's infrastructure before encryption, supporting the double-extortion model.
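The Group Policy abuse described above works by dropping a GPO into SYSVOL whose Registry.pol file sets Defender's policy kill switches. The following is an added example, not code from the page or from LockBit: a Python parser for the documented Registry.pol layout (a "PReg" signature, a version DWORD of 1, then [key;value;type;size;data] records in UTF-16LE) plus a check that flags any Windows Defender policy value named Disable* set to 1. The sample blob is constructed in the script with a small encoder; the exact set of value names a rogue GPO would set is an assumption, so the check is deliberately generic.

```python
"""
Parse a Group Policy Registry.pol file and flag Microsoft Defender kill-switch
settings of the kind a rogue GPO would carry. Added example; the sample blob is
constructed here, not taken from a LockBit GPO.
"""
import struct
from dataclasses import dataclass

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
SIGNATURE = b"PReg"                      # Registry.pol magic, followed by version DWORD 1
SEP = ";".encode("utf-16-le")            # field separators are UTF-16LE characters
OPEN, CLOSE = "[".encode("utf-16-le"), "]".encode("utf-16-le")
DEFENDER_POLICY_ROOT = r"software\policies\microsoft\windows defender"


@dataclass(frozen=True)
class PolicyEntry:
    key: str
    value: str
    reg_type: int
    data: bytes

    def decoded(self):
        """Interpret the raw data for the common registry types."""
        if self.reg_type == REG_DWORD and len(self.data) == 4:
            return struct.unpack("<I", self.data)[0]
        if self.reg_type in (REG_SZ, REG_EXPAND_SZ):
            return self.data.decode("utf-16-le").rstrip("\x00")
        return self.data


def _read_utf16z(blob: bytes, pos: int):
    """Read a null-terminated UTF-16LE string; the terminator is a 16-bit unit at an even offset."""
    end = pos
    while True:
        pair = blob[end:end + 2]
        if len(pair) < 2:
            raise ValueError("unterminated string")
        if pair == b"\x00\x00":
            return blob[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _expect(blob: bytes, pos: int, token: bytes) -> int:
    if blob[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def parse_registry_pol(blob: bytes) -> list[PolicyEntry]:
    """Walk the [key;value;type;size;data] records that follow the 8-byte header."""
    if len(blob) < 8 or blob[:4] != SIGNATURE or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, OPEN)
        key, pos = _read_utf16z(blob, pos)
        pos = _expect(blob, pos, SEP)
        value, pos = _read_utf16z(blob, pos)
        pos = _expect(blob, pos, SEP)
        reg_type = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEP)
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, CLOSE)
        entries.append(PolicyEntry(key, value, reg_type, data))
    return entries


def find_defender_tampering(entries) -> list[PolicyEntry]:
    """Any Defender policy value named Disable* set to DWORD 1 turns a protection off.
    Assumption: the names follow Microsoft's documented Defender policy settings."""
    return [e for e in entries
            if e.key.lower().startswith(DEFENDER_POLICY_ROOT)
            and e.value.lower().startswith("disable")
            and e.reg_type == REG_DWORD and e.decoded() == 1]


def _record(key: str, value: str, reg_type: int, data: bytes) -> bytes:
    """Encode one record in the on-disk layout (used only to build the constructed sample)."""
    def z(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"
    return (OPEN + z(key) + SEP + z(value) + SEP + struct.pack("<I", reg_type)
            + SEP + struct.pack("<I", len(data)) + SEP + data + CLOSE)


def _dword(n: int) -> bytes:
    return struct.pack("<I", n)


# Constructed sample: one ordinary Windows Update setting plus three Defender kill switches.
SAMPLE_POL = (
    SIGNATURE + _dword(1)
    + _record(r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", REG_DWORD, _dword(0))
    + _record(r"Software\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", REG_DWORD, _dword(1))
    + _record(r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", REG_DWORD, _dword(1))
    + _record(r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableBehaviorMonitoring", REG_DWORD, _dword(1))
)

if __name__ == "__main__":
    for e in find_defender_tampering(parse_registry_pol(SAMPLE_POL)):
        print(f"{e.key}\\{e.value} = {e.decoded()}")
```

Run it against the Machine\Registry.pol of every GPO under the domain's SYSVOL Policies share and compare flagged GPOs with change-control records: a newly created GPO that disables Defender outside a change window is the point at which a LockBit 2.0 domain-wide deployment can still be interrupted. The parser does not interpret the "**del." and "**delvals." deletion markers Group Policy uses; for this check only the set values matter.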

In October 2021, LockBit announced a LockBit 2.0 sub-variant that specifically targets Linux hosts and VMware ESXi servers, called "Linux-ESXi Locker Version 1.0." This addition accepts command-line parameters, writes a log of its activity, and encrypts the virtual machine disk images hosted on ESXi servers, which lets one binary take down every VM on a hypervisor at once.

LockBit 3.0

LockBit 3.0 launched in late June 2022 and continued the trend of increasing encryption speed to outrun security detections. According to security researcher Arda Büyükkaya, who obtained an early sample of LockBit 3.0, the malware uses anti-analysis techniques, will only execute when the correct password is supplied on the command line (which also keeps the payload opaque to sandboxes that lack it), and takes command-line arguments that control its behaviour.

LockBit 3.0 also introduces the first recorded ransomware bug bounty program, calling for users and security researchers to report any bugs to the ransomware group in exchange for financial reward. The rewards, which range from $1,000 USD to $1 million USD, are meant to entice individuals not only to divulge vulnerabilities that LockBit can target, but also to offer LockBit ideas on how to evolve. The categories of bugs that are of interest to LockBit include the following:

  • Locker bugs
  • Tor network vulnerabilities
  • Tox messenger vulnerabilities
  • Website bugs

LockBit Green

“LockBit Green” is one of the newer ransomware variants released by the “LockBit” gang. VX-Underground revealed this variant on social media on January 27, 2023, displaying screenshots apparently received from LockBit. LockBit Green appears to be a standard ransomware variant targeting Windows environments.

Flashpoint acquired a sample of LockBit Green ransomware soon after its release. VirusTotal detections reported the sample as a “Conti” sample due to the large amount of code sharing between the two variants. For example, the command-line options are the same between Conti and LockBit Green.

LockBit for Mac

In May 2023, Flashpoint found that LockBit had begun developing a macOS version of its ransomware.

Flashpoint's investigation found that the macOS build does not run correctly on macOS devices.

The binary appears to be the Linux/ESXi version of LockBit simply compiled as a Mach-O binary instead of an ELF binary, as a number of commands that the malware executes are not available in macOS. According to the ransomware’s decrypted version number, it appears to be version 1.2 of LockBit’s “Linux/ESXi locker” malware.

While the variant does not present a significant threat in its current state, the existence of a macOS LockBit binary suggests that the group is experimenting with malware for other operating systems, macOS included.

9. Preventing a LockBit attack

During the "Russian OSINT" interview on August 21, 2021, LockBit itself stated that companies can reduce the risk of being targeted by the group by hiring a full-time red team service, training all employees to resist social engineering, and deploying top-quality anti-ransomware and antivirus software.

While ransomware continues to evolve, “basic” cyber defense measures can often be the most impactful. If they aren’t already, prioritize implementing fundamental prevention steps like:

  • Patch management
  • Network segmentation
  • Least privilege access
  • Strong password and MFA requirements
  • Employee education
  • Regular system backups

10. LockBit now

Law enforcement seized the LockBit website in two stages during 2024. Here is a breakdown of the events:

February 2024 - Operation Cronos

An international operation led by the UK's National Crime Agency (NCA), with the US Department of Justice, the FBI and Europol, took down a large part of LockBit's infrastructure under the name Operation Cronos. Law enforcement seized control of 34 servers, including those hosting the data leak site where stolen victim data was published, obtained decryption keys that were then offered to victims, froze cryptocurrency wallets, and collected information on LockBit affiliates. Notably, they stated that they had identified the main LockBit administrator, known as "LockBitSupp", but did not disclose the identity at the time.

May 2024 - Revived Website and New Information

In a surprising turn of events, law enforcement revived the seized LockBit website in May to name the ringleader behind the attacks: Dmitry Yuryevich Khoroshev, 31, a resident of Voronezh, Russia, who used the handles LockBitSupp, LockBit, and putinkrab. According to the charges, under his leadership LockBit victimized over 2,000 organizations, and he personally pocketed more than $100 million of the $1 billion the gang extorted from its victims. The US, the UK and Australia have sanctioned him, frozen his assets, and banned him from travel.

It is too soon to say whether LockBit will make a comeback, but Operation Cronos has been financially and operationally costly for the group and has significantly slowed its activity. It has also damaged recruitment, as affiliates are discouraged from joining what looks like a sinking ship.

Khoroshev is charged with:

  • One count of conspiracy to commit fraud, extortion, and related activity in connection with computers
  • One count of conspiracy to commit wire fraud
  • Eight counts of intentional damage to a protected computer
  • Eight counts of extortion concerning confidential information from a protected computer
  • Eight counts of extortion relating to damage to a protected computer
