April 10, 2023 By Jonathan Reed 4 min read

In every industry, visionaries drive progress and innovation. Some call these pioneers “crazy.” The same rule applies to the world of cyber gangs. Most threat groups try to maintain a low profile. They don’t seem to trust anyone and want tight control over money flow.

Then along came LockBit. Not only does the group maintain a high profile, but they’ve also turned ransom monetization upside down. Thanks to their innovative approach, the group has claimed 44% of total ransomware attacks launched in 2022.

What’s the secret to LockBit’s success? How has security changed due to the gang’s appearance?

A brand new ransomware paradigm

In a matter of a few years, the LockBit ransomware gang has become one of the most notorious organized cyber groups in history. Previously referred to as “ABCD ransomware,” LockBit made its debut in late 2019 and saw a swift rise in popularity. Operating as a Ransomware-as-a-Service, the group consists of a central team that crafts the malware and manages its website. Meanwhile, the group also grants access to its code to affiliates who help execute the cyberattacks.

Affiliates are experts in various areas, such as vulnerability search or network cracking. Prior to LockBit, the payment process involved each affiliate receiving a share of the ransom at the end, sort of like an invoicing system. However, this resulted in many affiliates not being paid their fair share —  a common complaint in criminal forums.

To address this, LockBit flipped the script and placed its affiliates in charge of negotiations and payments. By doing so, trust was established and the fear of being swindled was removed. This shift, coupled with an improved ransomware product, made LockBit the preferred choice among affiliates. Due to high demand, the group is now responsible for almost half of all ransomware attacks worldwide.

A call for research papers

In June 2020, an unusual announcement appeared on Russian Dark Web forums. Among the many advertisements for illegal goods, a “Call for Papers” stood out. The gang’s leader LockBitSupp invited submissions on topics such as obtaining shells, malware coding, viruses, bot development and monetization. The call also offered a $5,000 cash prize for the best paper.

Chief security analyst at Analyst1, Jon DiMaggio, was amazed by the appearance of an academic-style call for papers in a space primarily used by cyber criminals. He viewed it as a cunning appeal to the vanity of a group that typically operates in secrecy. Despite its unconventional nature, the contest generated a significant amount of interest.

The paper contest was only the beginning of LockBitSupp’s efforts to professionalize the group, according to DiMaggio. The contest was one of many initiatives that aimed to elevate the group’s operations and standards. These efforts set LockBit apart from other, more traditional, ransomware gangs.

Read the Complete Guide to Ransomware  

LockBit goes pro

Over time LockBitSupp transformed the group’s infrastructure, recruiting developers to create user-friendly ransomware dashboards. DiMaggio was the first to report on LockBitSupp’s revolutionary approach to the ransomware payment model.

LockBit’s branding journey also included a logo. This was unusual in the ransomware world, as only a few groups like Vice Society were doing the same. The logo became the visual representation of the LockBit brand — from their leak website to ransom notes to anything else they sponsored.

They even began offering people $500 to $1,000 to tattoo the LockBit logo on their bodies. “I heard that, I’m like, there is no way anyone is going to tattoo the name of a ransomware brand and their logo on their bodies,” said DiMaggio. “And then people did. That’s just crazy to me.”

From there, LockBitSupp made his ransomware business more efficient and user-friendly with LockBit Red, also known as LockBit 2.0. He created a dashboard to keep track of attacks and added features such as push notifications and a faster data encryption process. The central management console made all elements of a ransomware attack easier to use, even for those with limited coding skills.

LockBit bug bounty

Next, LockBit 3.0 made history by launching the industry’s first bug bounty program initiated by a ransomware group. The operation invites security experts to uncover vulnerabilities and report them for rewards ranging from $1,000 to a staggering $1 million.

“We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million,” reads the LockBit 3.0 bug bounty page.

Source: Bleeping Computer

Moreover, LockBit has expanded its bug bounty program beyond just paying for discovered vulnerabilities and is now offering bounties for creative ways to enhance its ransomware operation. They even put up a $1 million cash prize for anyone who could identify LockBitSupp.

Source: Bleeping Computer

It’s big business

According to security company Dragos, the LockBit malware was responsible for a major portion of ransomware attacks on industrial organizations and infrastructure in 2022, with a staggering 33% and 35%, respectively, during Q2 and Q3.

The U.S. Department of Justice revealed in November that LockBit wreaked havoc on at least 1,000 victims globally. The Justice Department stated that LockBit’s extortionists have made at least $100 million in ransom demands and obtained tens of millions of dollars from their victims. The FBI commenced its probe into the group in early 2020, and in February 2022, it issued a cautionary alert, highlighting that LockBit utilizes a vast array of tactics, techniques and procedures (TTPs), presenting formidable hurdles for defense.

How will LockBit fail?

In Dimaggio’s highly detailed report, he predicts what might eventually happen to LockBit.

“The previous gangs that once held first place, such as Maze, REvil and Conti, all eventually fell,” Dimaggio said. “The common theme across each is that their egos grew out of control, and their greed drove them to push things too far. Eventually, they overstep and gain attention from entire governments with greater resources than traditional law enforcement.”

Only time will tell if LockBit gets taken down. But for now, shields up.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Risk Management

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Addressing growing concerns about cybersecurity in manufacturing

4 min read - Manufacturing has become increasingly reliant on modern technology, including industrial control systems (ICS), Internet of Things (IoT) devices and operational technology (OT). While these innovations boost productivity and streamline operations, they’ve vastly expanded the cyberattack surface.According to the 2024 IBM Cost of a Data Breach report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.Apparently, the data being stored in industrial control systems is…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today