The Unrelenting Menace of the LockBit Ransomware Gang

LockBit emerged at the end of 2019, first calling itself “ABCD ransomware.” Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning that a core team creates its malware and runs its website while licensing out its code to “affiliates” who launch attacks.

Typically, when ransomware-as-a-service groups successfully attack a business and get paid, they’ll share a cut of the profits with the affiliates. In the case of LockBit, Jérôme Segura, senior director of threat intelligence at Malwarebytes, says the affiliate model is flipped on its head. Affiliates collect payment from their victims directly and then pay a fee to the core LockBit team. The structure seemingly works well and is reliable for LockBit. “The affiliate model was really well ironed out,” Segura says.

Though researchers have repeatedly seen cybercriminals of all sorts professionalizing and streamlining their operations over the past decade, many prominent and prolific ransomware groups adopt flamboyant and unpredictable public personas to garner notoriety and intimidate victims. In contrast, LockBit is known for being relatively consistent, focused, and organized. 

“Of all the groups, I think they have probably been the most businesslike, and that is part of the reason for their longevity,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But the fact that they post a lot of victims on their site doesn’t necessarily equate to them being the most prolific ransomware group of all, as some would claim. They are probably quite happy with being described that way, though. That’s just good for recruitment of new affiliates.”

The group certainly isn’t all hype, though. LockBit seems to invest in both technical and logistical innovations in an attempt to maximize profits. Peter Mackenzie, director of incident response at security firm Sophos, says, for example, that the group has experimented with new methods for pressuring its victims into paying ransoms. 

“They’ve got different ways of paying,” Mackenzie says. “You could pay to have your data deleted, pay to have it released early, pay to extend your deadline,” Mackenzie says, adding that LockBit opened its payment options to anyone. This could, theoretically at least, result in a rival company buying a ransomware victim’s data. “From the victim’s perspective, it’s extra pressure on them, which is what helps make people pay,” Mackenzie says.

Since LockBit debuted, its creators have spent significant time and effort developing its malware. The group has issued two big updates to the code—LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. Researchers say the technical evolution has paralleled changes in how LockBit works with affiliates. Prior to the release of LockBit Black, the group worked with an exclusive group of 25 to 50 affiliates at most. Since the 3.0 release, though, the gang has opened up significantly, making it harder to keep tabs on the number of affiliates involved and also making it more difficult for LockBit to exercise control over the collective.