Who Are LockBit 3.0?

2023-12-15
LockBit 3.0: the most prolific ransomware group in the world | White Blue Ocean

At the time of writing, the ransomware group known as LockBit 3.0 is the most prolific in the world. As of 21 November 2023 it had claimed approximately 857 ransomware attacks during the year, 319 of them against organisations in the United States. That far exceeds any other ransomware group currently operating and puts LockBit at the forefront of the ransomware ecosystem.

The group was first observed by security researchers in 2019, when it was known as ABCD ransomware. It adopted the LockBit name in January 2020; the LockBit 2.0 variant, also called LockBit Red, followed in mid-2021. Much of LockBit’s success can be attributed to how it is managed by what is known as the ‘core group’. This consists of the head of LockBit, known in cybercrime circles as ‘LockBitSupp’, plus what is believed to be one or two other people, keeping it a tight group. The operation is believed to be Russia-based, despite claiming to be based in the Netherlands, and is run much like a successful business. Rather than carrying out attacks themselves, the core group recruits affiliates who are given access to the latest variant of the ransomware, which is built so that someone with limited technical ability can use it easily. LockBit 2.0 is believed to have had between 25 and 50 affiliates working for it.

In March 2022 LockBit 2.0 became LockBit 3.0, also called LockBit Black, and the group expanded to the point that it is no longer known exactly how many affiliates it has recruited. The new variant was notably similar to the ransomware used by the BlackMatter and BlackCat groups, which raises the question: was the code stolen, or are members of other ransomware groups joining LockBit 3.0 and bringing their tooling with them? In January 2023 a further variant, LockBit Green, appeared and was found to contain source code from the Conti group, which ceased operations in 2022; this strengthens the theory that members of other groups have joined LockBit 3.0.

LockBit 3.0 operates a ransomware-as-a-service (RaaS) model: the core group recruits affiliates and provides them with easy-to-use ransomware and infrastructure so they can carry out attacks independently. Although each affiliate works differently, initial access is generally gained through stolen or compromised credentials, brute-force attacks, phishing, or exploitation of known vulnerabilities in exposed systems. Once inside a victim’s network the affiliate steals data before deploying the ransomware to encrypt files. The victim then finds a ransom note on the affected devices explaining how to download and use the Tor browser, linking to the LockBit 3.0 chat service for negotiations, and giving a unique ID that identifies the victim on that service. If negotiations fail, all of the stolen data is published on LockBit 3.0’s leak site; if the ransom is paid, the victim is given a decryption key and the group undertakes to delete the stolen data.

Notable Attacks

  • December 2022 – SickKids Hospital (Toronto) – It should be noted that once the ‘core group’ became aware of the attack on the hospital, the affiliate was blocked and a decryptor was provided to the hospital free of charge.
  • October 2023 – E.M.I.T. Aviation Consulting Ltd.
  • November 2023 – Boeing
  • November 2023 – Industrial and Commercial Bank of China (ICBC)

As well as their own ransomware, affiliates use a number of freely available tools to facilitate attacks, such as 7-Zip to compress data before exfiltration and AnyDesk to remotely control victims’ computers. Beyond encrypting the primary target’s systems, affiliates have also carried out a secondary ransomware deployment that locks down services the primary target’s customers rely on, and then threaten to release those customers’ sensitive data as well. This gives them a strong hand and puts them even further in the driving seat in negotiations.
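The attack chain above (data staged and stolen first, then remote control and encryption) and the two freely available tools named in this paragraph suggest a simple host-level detection: an archive being created by 7-Zip followed shortly by an AnyDesk launch on the same machine. The script below is an added example written for this article, not code from LockBit, the article’s author, or any of the cited advisories. The JSON-lines log format, the tool watchlists, the two-hour window and every event in the sample log are constructed for the illustration; only the tool names come from the article.

```python
"""Added detection example: flag hosts where an archiver used for staging
and a remote-access tool appear together in process-creation telemetry.
Tool names (7-Zip, AnyDesk) come from the article; the log format, the
watchlists, the time window and every event below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical watchlists. A real deployment would tune these to its estate
# (e.g. drop a sanctioned remote-support tool) rather than copy them.
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
REMOTE_ACCESS = {"anydesk.exe"}
WINDOW = timedelta(hours=2)

# Constructed Sysmon-style process-creation events as JSON lines, not real
# telemetry. FS01 shows the staging-then-remote-control pattern; WS22 shows
# benign use of both tools more than a day apart.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2023-11-20T01:02:03", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a -p -mhe=on D:\\staging\\finance.7z \\\\FS01\\finance"},
    {"ts": "2023-11-20T01:40:10", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\Users\\Public\\AnyDesk --start-with-win --silent"},
    {"ts": "2023-11-20T09:15:00", "host": "WS22", "user": "CORP\\alice",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe x photos.7z"},
    {"ts": "2023-11-21T14:00:00", "host": "WS22", "user": "CORP\\alice",
     "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe"},
])


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tool_role(event):
    """Classify one process event as 'staging', 'remote_access' or None.

    Only archive creation (7-Zip verb 'a') counts as staging; extracting an
    archive is everyday user behaviour and is ignored.
    """
    name = _basename(event["image"])
    argv = event["cmdline"].split()
    if name in ARCHIVERS and len(argv) > 1 and argv[1] == "a":
        return "staging"
    if name in REMOTE_ACCESS:
        return "remote_access"
    return None


def find_suspicious_hosts(events, window=WINDOW):
    """Return {host: [hit, ...]} where a staging event and a remote-access
    launch on the same host fall within `window` of each other."""
    by_host = defaultdict(lambda: {"staging": [], "remote_access": []})
    for e in events:
        role = tool_role(e)
        if role:
            by_host[e["host"]][role].append((datetime.fromisoformat(e["ts"]), e))
    hits = defaultdict(list)
    for host, roles in by_host.items():
        for s_ts, s in roles["staging"]:
            for r_ts, r in roles["remote_access"]:
                gap = abs(r_ts - s_ts)
                if gap <= window:
                    hits[host].append({
                        "user": s["user"],
                        "staging_cmd": s["cmdline"],
                        "remote_cmd": r["cmdline"],
                        "gap_seconds": int(gap.total_seconds()),
                    })
    return dict(hits)


if __name__ == "__main__":
    for host, found in find_suspicious_hosts(load_events(SAMPLE_LOG)).items():
        for hit in found:
            print(f"{host}: {hit['user']} created an archive with "
                  f"'{hit['staging_cmd']}' and launched '{hit['remote_cmd']}' "
                  f"{hit['gap_seconds']}s apart")
```

Run as-is, the script reports only FS01: the archive creation with a password-protected, header-encrypted 7z file followed 38 minutes later by a silent AnyDesk install from a world-writable directory. WS22 is not flagged because its 7-Zip use is an extraction and its AnyDesk launch is more than a day away. The rule is deliberately narrow; in practice it would be one signal among several (for example, large outbound transfers after the archive is written), since either tool on its own is common in legitimate administration.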

LockBit 3.0 does not operate in the same manner as most other groups. As part of its marketing and recruitment drives it held an essay-writing competition with cash prizes, and in September 2022 it offered, on a cybercrime forum, to pay $1,000 to anyone who got a LockBit tattoo. More recently, in September 2023, it surveyed its affiliates to address the inconsistent negotiating tactics of the less experienced among them, who would sometimes offer victims a 90% discount on the ransom simply to secure a payday; this of course undercut the amounts that more experienced affiliates could demand. The survey offered six options for how ransom amounts and negotiations should be handled going forward, and its results led the core group to set two new rules:

  • The first new rule determined how the initial ransom amount should be calculated as a percentage of the victim’s revenues.
  • The second rule forbids any discount of over 50% of the original ransom amount.

The full set of affiliate rules is published on the group’s leak site, alongside documentation of the ransomware’s functionality and rules on which targets are off limits, such as industries and countries that must not be attacked.

The group also takes a distinctive approach to ransom payments. Unlike other groups, LockBit’s leak site offers payment options that are not restricted to the victim: anyone who visits the site can pay to have all of the stolen data deleted, to have the payment deadline extended, or to have the data leaked before negotiations have concluded. These options put considerably more pressure on the victim to pay, since, for example, a rival company could in theory pay to have the data released and so gain access to the victim’s sensitive information. The payment flow is also unusual: the affiliate receives the ransom from the victim directly and then passes 20% on to the core group, keeping the rest. It is in the affiliate’s interest to pay that share, as doing so ensures continued access to the ransomware and infrastructure. This arrangement is another process unique to LockBit 3.0.

LockBit 3.0 is as close to a well-oiled machine as a ransomware group gets. Its professionalism, ransomware and infrastructure have kept it at the top of the game, and at the moment it shows no sign of slowing down. The FBI reports that since January 2020 there have been over 1,700 LockBit attacks on organisations in the USA, extracting approximately $91 million in ransom payments. The group continues to be closely monitored by US law enforcement, and an alleged affiliate, Mikhail Vasiliev, was arrested in Canada in November 2022. However, as with most ransomware groups, this is likely to have little effect given the popularity of the group among seasoned and would-be affiliates. Any future downfall might stem from a failure to manage its vast number of affiliates, but at this time that is pure speculation. LockBit has proven to be one of the most successfully run ransomware groups ever, if not the most successful, and it does not look like it is going anywhere any time soon.

 

Sources

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a

https://www.cyber.gov.au/about-us/advisories/2023-03-acsc-ransomware-profile-lockbit-3.0

https://www.wired.co.uk/article/lockbit-ransomware-attacks

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-exploits-citrix-bleed-in-attacks-10k-servers-exposed/

https://cybernews.com/editorial/arrests-wont-shut-down-lockbit/

 

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.
