April 10, 2023 By Jonathan Reed 4 min read

In every industry, visionaries drive progress and innovation. Some call these pioneers “crazy.” The same rule applies to the world of cyber gangs. Most threat groups try to maintain a low profile. They don’t seem to trust anyone and want tight control over money flow.

Then along came LockBit. Not only does the group maintain a high profile, but it has also turned ransom monetization upside down. Thanks to that approach, the group has been credited with 44% of all ransomware attacks launched in 2022.

What’s the secret to LockBit’s success? How has security changed due to the gang’s appearance?

A brand new ransomware paradigm

In a matter of a few years, the LockBit ransomware gang has become one of the most notorious organized cyber groups in history. Previously referred to as “ABCD ransomware,” LockBit made its debut in late 2019 and rose quickly in popularity. Operating as Ransomware-as-a-Service (RaaS), the group consists of a central team that develops the malware and runs its website, while granting access to the ransomware to affiliates who carry out the actual intrusions.

Affiliates specialize in different areas, such as finding exploitable vulnerabilities or breaking into networks. Before LockBit, the typical payment process had the core group collect the ransom and pay each affiliate a share at the end, much like an invoicing system. This often left affiliates feeling they had not been paid their fair share, a common complaint on criminal forums.

To address this, LockBit flipped the script and placed its affiliates in charge of negotiations and payments. By doing so, trust was established and the fear of being swindled was removed. This shift, coupled with an improved ransomware product, made LockBit the preferred choice among affiliates. Due to high demand, the group is now responsible for almost half of all ransomware attacks worldwide.

A call for research papers

In June 2020, an unusual announcement appeared on Russian Dark Web forums. Among the many advertisements for illegal goods, a “Call for Papers” stood out. The gang’s leader LockBitSupp invited submissions on topics such as obtaining shells, malware coding, viruses, bot development and monetization. The call also offered a $5,000 cash prize for the best paper.

Chief security analyst at Analyst1, Jon DiMaggio, was amazed by the appearance of an academic-style call for papers in a space primarily used by cyber criminals. He viewed it as a cunning appeal to the vanity of a group that typically operates in secrecy. Despite its unconventional nature, the contest generated a significant amount of interest.

The paper contest was only the beginning of LockBitSupp’s efforts to professionalize the group, according to DiMaggio. The contest was one of many initiatives that aimed to elevate the group’s operations and standards. These efforts set LockBit apart from other, more traditional, ransomware gangs.


LockBit goes pro

Over time LockBitSupp transformed the group’s infrastructure, recruiting developers to create user-friendly ransomware dashboards. DiMaggio was the first to report on LockBitSupp’s revolutionary approach to the ransomware payment model.

LockBit’s branding journey also included a logo. This was unusual in the ransomware world, as only a few groups like Vice Society were doing the same. The logo became the visual representation of the LockBit brand — from their leak website to ransom notes to anything else they sponsored.

They even began offering people $500 to $1,000 to tattoo the LockBit logo on their bodies. “I heard that, I’m like, there is no way anyone is going to tattoo the name of a ransomware brand and their logo on their bodies,” said DiMaggio. “And then people did. That’s just crazy to me.”

From there, LockBitSupp made his ransomware business more efficient and user-friendly with LockBit Red, also known as LockBit 2.0. He created a dashboard to keep track of attacks and added features such as push notifications and a faster data encryption process. The central management console made all elements of a ransomware attack easier to use, even for those with limited coding skills.

LockBit bug bounty

Next, LockBit 3.0 launched the first bug bounty program ever run by a ransomware group. The program invites security researchers to find vulnerabilities in LockBit’s own infrastructure and malware and report them for rewards ranging from $1,000 to a staggering $1 million.

“We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million,” reads the LockBit 3.0 bug bounty page (source: Bleeping Computer).

Moreover, LockBit has expanded its bug bounty program beyond paying for discovered vulnerabilities and now offers bounties for creative ideas that improve its ransomware operation. It even put up a $1 million cash prize for anyone who could identify LockBitSupp (source: Bleeping Computer).

It’s big business

According to security company Dragos, LockBit malware was responsible for a major share of ransomware attacks on industrial organizations and infrastructure in 2022: 33% in Q2 and 35% in Q3.

The U.S. Department of Justice revealed in November 2022 that LockBit had hit at least 1,000 victims globally. The Justice Department stated that LockBit’s extortionists had made at least $100 million in ransom demands and collected tens of millions of dollars from their victims. The FBI began investigating the group in early 2020, and in February 2022 it issued an alert warning that LockBit affiliates use a wide array of tactics, techniques and procedures (TTPs), which makes defending against the group especially difficult.

How will LockBit fail?

In DiMaggio’s highly detailed report, he predicts what might eventually happen to LockBit.

“The previous gangs that once held first place, such as Maze, REvil and Conti, all eventually fell,” DiMaggio said. “The common theme across each is that their egos grew out of control, and their greed drove them to push things too far. Eventually, they overstep and gain attention from entire governments with greater resources than traditional law enforcement.”

Only time will tell if LockBit gets taken down. But for now, shields up.
