April 10, 2023 By Jonathan Reed 4 min read

In every industry, visionaries drive progress and innovation. Some call these pioneers “crazy.” The same rule applies to the world of cyber gangs. Most threat groups try to maintain a low profile. They don’t seem to trust anyone and want tight control over money flow.

Then along came LockBit. Not only does the group maintain a high profile, but they’ve also turned ransom monetization upside down. Thanks to their innovative approach, the group has claimed 44% of total ransomware attacks launched in 2022.

What’s the secret to LockBit’s success? How has security changed due to the gang’s appearance?

A brand new ransomware paradigm

In a matter of a few years, the LockBit ransomware gang has become one of the most notorious organized cyber groups in history. Previously referred to as “ABCD ransomware,” LockBit made its debut in late 2019 and saw a swift rise in popularity. Operating as a Ransomware-as-a-Service, the group consists of a central team that crafts the malware and manages its website. Meanwhile, the group also grants access to its code to affiliates who help execute the cyberattacks.

Affiliates are experts in various areas, such as vulnerability search or network cracking. Prior to LockBit, the payment process involved each affiliate receiving a share of the ransom at the end, sort of like an invoicing system. However, this resulted in many affiliates not being paid their fair share — a common complaint in criminal forums.

To address this, LockBit flipped the script and placed its affiliates in charge of negotiations and payments. By doing so, trust was established and the fear of being swindled was removed. This shift, coupled with an improved ransomware product, made LockBit the preferred choice among affiliates. Due to high demand, the group is now responsible for almost half of all ransomware attacks worldwide.

A call for research papers

In June 2020, an unusual announcement appeared on Russian Dark Web forums. Among the many advertisements for illegal goods, a “Call for Papers” stood out. The gang’s leader LockBitSupp invited submissions on topics such as obtaining shells, malware coding, viruses, bot development and monetization. The call also offered a $5,000 cash prize for the best paper.

Chief security analyst at Analyst1, Jon DiMaggio, was amazed by the appearance of an academic-style call for papers in a space primarily used by cyber criminals. He viewed it as a cunning appeal to the vanity of a group that typically operates in secrecy. Despite its unconventional nature, the contest generated a significant amount of interest.

The paper contest was only the beginning of LockBitSupp’s efforts to professionalize the group, according to DiMaggio. The contest was one of many initiatives that aimed to elevate the group’s operations and standards. These efforts set LockBit apart from other, more traditional, ransomware gangs.


LockBit goes pro

Over time LockBitSupp transformed the group’s infrastructure, recruiting developers to create user-friendly ransomware dashboards. DiMaggio was the first to report on LockBitSupp’s revolutionary approach to the ransomware payment model.

LockBit’s branding journey also included a logo. This was unusual in the ransomware world, as only a few groups like Vice Society were doing the same. The logo became the visual representation of the LockBit brand — from their leak website to ransom notes to anything else they sponsored.

They even began offering people $500 to $1,000 to tattoo the LockBit logo on their bodies. “I heard that, I’m like, there is no way anyone is going to tattoo the name of a ransomware brand and their logo on their bodies,” said DiMaggio. “And then people did. That’s just crazy to me.”

From there, LockBitSupp made his ransomware business more efficient and user-friendly with LockBit Red, also known as LockBit 2.0. He created a dashboard to keep track of attacks and added features such as push notifications and a faster data encryption process. The central management console made all elements of a ransomware attack easier to use, even for those with limited coding skills.

LockBit bug bounty

Next, LockBit 3.0 made history by launching the industry’s first bug bounty program initiated by a ransomware group. The operation invites security experts to uncover vulnerabilities and report them for rewards ranging from $1,000 to a staggering $1 million.

“We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million,” reads the LockBit 3.0 bug bounty page.

[Image: screenshot of the LockBit 3.0 bug bounty page. Source: Bleeping Computer]

Moreover, LockBit has expanded its bug bounty program beyond just paying for discovered vulnerabilities and is now offering bounties for creative ways to enhance its ransomware operation. They even put up a $1 million cash prize for anyone who could identify LockBitSupp.

[Image: screenshot of the expanded LockBit 3.0 bounty categories. Source: Bleeping Computer]

It’s big business

According to security company Dragos, the LockBit malware was responsible for a major portion of ransomware attacks on industrial organizations and infrastructure in 2022, accounting for a staggering 33% of such attacks in Q2 and 35% in Q3.

The U.S. Department of Justice revealed in November that LockBit wreaked havoc on at least 1,000 victims globally. The Justice Department stated that LockBit’s extortionists have made at least $100 million in ransom demands and obtained tens of millions of dollars from their victims. The FBI commenced its probe into the group in early 2020, and in February 2022, it issued a cautionary alert, highlighting that LockBit utilizes a vast array of tactics, techniques and procedures (TTPs), presenting formidable hurdles for defense.

How will LockBit fail?

In his highly detailed report, DiMaggio predicts what might eventually happen to LockBit.

“The previous gangs that once held first place, such as Maze, REvil and Conti, all eventually fell,” DiMaggio said. “The common theme across each is that their egos grew out of control, and their greed drove them to push things too far. Eventually, they overstep and gain attention from entire governments with greater resources than traditional law enforcement.”

Only time will tell if LockBit gets taken down. But for now, shields up.
