The cyber threat landscape has undergone many shifts in the past year, from the involvement of ransomware cyber gangs in hacktivist activity during the war between Russia and Ukraine, to the disappearance from the scene of the most prolific ransomware groups. These include DarkSide, the hacker group behind the Colonial Pipeline attack, which decided to cease its operation in May 2021, and REvil, once of the most active ransomware groups which was responsible for the attack on the software company Kaseya. In July 2021, REvil suddenly disappeared from the internet, after receiving significant attention from law enforcement. One of the groups that has been active since 2019, and continues to grow regardless of the shifts in the cyber threat landscape is the LockBit gang.

Who is LockBit?

The LockBit gang, previously known as ABCD, is the operator of the ransomware LockBit, LockBit 2.0, and LockBit 3.0, which was released in June 2022 as part of the group’s new campaign. Their ransomware operation, first launched in 2019, has grown to be one of the most active and impactful operations. LockBit, which works as a Ransomware-as-a-Service (RaaS) model, recruits affiliates in underground forums in order to launch prolific attacks. It appears that the group only accepts to work with experienced and technically proficient affiliates. According to researchers, by May 2022, LockBit 2.0 accounted for 46% of all the ransomware attacks occurred in 2022.

In their attacks, LockBit operators leverage double extortion techniques, threatening victims of leaking the compromised data, to pressure them into paying the ransom. The gang has also been observed performing triple extortion, by launching DDoS attack targeting the victims’ infrastructure to render it unavailable and ensure the victims will pay. LockBit is a financially motivated actor, and it has launched attacks on victims across different sectors, including professional services, construction, retail, manufacturing, and the public sector. While the cybercrime group is responsible for attacks around the world, the majority of its victims are located in the US, Italy and Germany. Similarly, to other ransomware groups, it appears that the LockBit ransomwares avoid targeting systems that are set in Eastern European languages.

LockBit 3.0

Following the release of LockBit 2.0 in March 2022, the LockBit gang unveiled a new variant of the ransomware in June 2022, naming it LockBit 3.0. This coincided with the launch of group’s new data leak site on Tor, and the beginning of the first bug bounty program offered by a cybercrime group. According to cybersecurity experts, the new LockBit 3.0 ransomware displays new capabilities, in particular obfuscation features. These features allow the malware to slow down and even prevent reverse engineering, hence making it more difficult for researchers to be able to analyse the malware. Researchers have noticed that the ransomware’s code share similarities with the BlackMatter ransomware, hence where LockBit 3.0’s nickname, LockBit Black, takes its name from.

As part of its bug bounty program, the LockBit group invites security researchers, in addition to ethical and unethical hackers, to discover bugs and vulnerabilities in their ransomware, and report them to the group. For this, the LockBit gang offers rewards ranging from $1000 to $1 million. The program also encourages hackers and researchers to submit “brilliant ideas” that will improve the ransomware operation, in exchange for a reward. The LockBit gang is also offering a $1 million reward to anyone who will be able to dox the groups’ affiliate program manager.

Recent attacks

In one of its latest attacks, LockBit claims to have compromised Italy’s tax agency, L’Agenzia delle Entrate (AdE). The gang, which had given the AdE until the 1^st August to pay the ransom, published 47GB of compromised data on the 3^rd August as the ransom was not paid. From a first analysis of the leaked data it does not appear that it belongs to the Italian tax agency, but rather to a third entity. This would be in line with the statement provided by Sogei SPA, the state-funded organisation that manages the IT infrastructure of the AdE, which claims that there is no evidence of unauthorised access to the systems of the Italian tax agency. Similarly, Roberto Baldoni, the director of Italy’s national cybersecurity agency, stated that the attack did not hit the AdE.

The LockBit gang has proven once again its resilience, and its ability to evolve and improve its criminal operation, in a moment when other prolific ransomware groups have disappeared from the underground scene. Cybersecurity researchers warn that the group will continue to launch damaging attacks to companies across the world.

Reference list:

https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/

https://www.cybersecurity360.it/nuove-minacce/ransomware/presunto-attacco-allagenzia-delle-entrate-pubblicati-i-dati-si-fa-strada-lipotesi-di-uno-scambio-di-societa/

https://www.cybersecurity360.it/nuove-minacce/presunto-attacco-allagenzia-delle-entrate-confermato-tentativo-di-intrusione-a-un-ente-terzo-e-non-allamministrazione-fiscale/

https://cybernews.com/news/lockbit-2-0-listed-a-whopping-203-victims-on-its-data-leak-site/

https://www.darkreading.com/attacks-breaches/lockbit-3.0-improved-malware-gang-top

https://edition.cnn.com/2021/07/13/tech/revil-ransomware-disappears/index.html

https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=3948cc3c7864

https://techmonitor.ai/technology/cybersecurity/italy-ransomware-lockbit-tax-office

https://www.trendmicro.com/en_au/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html

https://unit42.paloaltonetworks.com/lockbit-2-ransomware/

https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbit-ransomware-group/