April 10, 2023 By Jonathan Reed 4 min read

In every industry, visionaries drive progress and innovation, and some call these pioneers “crazy.” The same rule applies to the world of cyber gangs. Most threat groups try to maintain a low profile: they trust no one outside the core team and keep tight control over the flow of ransom money.

Then along came LockBit. Not only does the group maintain a high profile, but it has also turned ransom monetization upside down. Thanks to that approach, the group has been credited with roughly 44% of all ransomware attacks launched in 2022.

What’s the secret to LockBit’s success? How has security changed due to the gang’s appearance?

A brand new ransomware paradigm

In a matter of a few years, the LockBit ransomware gang has become one of the most notorious organized cyber crime groups in history. Previously referred to as “ABCD ransomware” (after the .abcd extension its early builds appended to encrypted files), LockBit made its debut in late 2019 and rose quickly in popularity. Operating as Ransomware-as-a-Service (RaaS), the group consists of a central team that develops the malware and runs the leak site and affiliate infrastructure, while granting access to the ransomware to affiliates who carry out the actual intrusions.

Affiliates specialize in different stages of an attack, such as finding exploitable vulnerabilities or gaining and expanding access inside a victim network. In the traditional RaaS model, the core operators collected the ransom and paid each affiliate a share afterwards, a bit like an invoicing system. This regularly resulted in affiliates being shortchanged, a common complaint on criminal forums.

To address this, LockBit flipped the script and placed its affiliates in charge of negotiations and payments, so the affiliate receives the ransom first and passes the operators their cut. This removed the fear of being swindled by the core team. The shift, coupled with an improved ransomware product, made LockBit the preferred choice among affiliates, and because of that demand the group is now responsible for almost half of all ransomware attacks worldwide.

A call for research papers

In June 2020, an unusual announcement appeared on Russian-language dark web forums. Among the many advertisements for illegal goods, a “Call for Papers” stood out. The gang’s public persona, LockBitSupp, invited submissions on topics such as obtaining shells, malware coding, viruses, bot development and monetization. The call also offered a $5,000 cash prize for the best paper.

Jon DiMaggio, chief security strategist at Analyst1, was struck by the appearance of an academic-style call for papers in a space used primarily by cyber criminals. He viewed it as a cunning appeal to the vanity of a community that typically operates in secrecy. Despite its unconventional nature, the contest generated a significant amount of interest.

The paper contest was only the beginning of LockBitSupp’s efforts to professionalize the group, according to DiMaggio. The contest was one of many initiatives that aimed to elevate the group’s operations and standards. These efforts set LockBit apart from other, more traditional, ransomware gangs.


LockBit goes pro

Over time, LockBitSupp transformed the group’s infrastructure, recruiting developers to build user-friendly ransomware dashboards for affiliates. DiMaggio was the first to report on LockBitSupp’s novel approach to the ransomware payment model.

LockBit’s branding journey also included a logo. This was unusual in the ransomware world; only a few groups, such as Vice Society, did the same. The logo became the visual representation of the LockBit brand, appearing on the leak website, in ransom notes and on anything else the group sponsored.

They even began offering people $500 to $1,000 to tattoo the LockBit logo on their bodies. “I heard that, I’m like, there is no way anyone is going to tattoo the name of a ransomware brand and their logo on their bodies,” said DiMaggio. “And then people did. That’s just crazy to me.”

From there, LockBitSupp made the ransomware business more efficient and user-friendly with LockBit Red, also known as LockBit 2.0. He added a dashboard to track attacks, along with features such as push notifications and faster file encryption. The central management console made every element of a ransomware attack easier to run, even for affiliates with limited technical skills.

LockBit bug bounty

Next, LockBit 3.0 (also branded LockBit Black) introduced the first bug bounty program ever run by a ransomware group. The program invites security researchers to find vulnerabilities in the group’s malware, website and infrastructure and report them for rewards ranging from $1,000 to a staggering $1 million.

“We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million,” reads the LockBit 3.0 bug bounty page.

Source: Bleeping Computer

Moreover, LockBit has expanded the program beyond paying for discovered vulnerabilities and now offers bounties for creative ideas that improve its ransomware operation. The group even put up a $1 million prize for anyone who could identify LockBitSupp by name.

Source: Bleeping Computer

It’s big business

According to industrial security company Dragos, LockBit was responsible for a major share of ransomware attacks on industrial organizations and infrastructure in 2022: a staggering 33% in Q2 and 35% in Q3.

In November 2022, the U.S. Department of Justice revealed that LockBit had hit at least 1,000 victims globally. The Justice Department stated that LockBit’s extortionists had made at least $100 million in ransom demands and collected tens of millions of dollars from their victims. The FBI began investigating the group in early 2020, and in February 2022 it issued a flash alert noting that LockBit affiliates use a wide array of tactics, techniques and procedures (TTPs), which makes the group difficult to detect and defend against with any single indicator.

How will LockBit fail?

In his highly detailed report, DiMaggio predicts what might eventually happen to LockBit.

“The previous gangs that once held first place, such as Maze, REvil and Conti, all eventually fell,” DiMaggio said. “The common theme across each is that their egos grew out of control, and their greed drove them to push things too far. Eventually, they overstep and gain attention from entire governments with greater resources than traditional law enforcement.”

Only time will tell if LockBit gets taken down. But for now, shields up.
