LockBit appeared at the end of 2019, when it called itself “ABCD ransomware”. Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning that the main group creates the malware and runs its website while licensing the malware to the “agents” who carry out the attacks.
In most cases, when ransomware-as-a-service groups successfully attack a business and get paid, they share the profits with their partners. In the case of LockBit, Jérôme Segura, director of threat intelligence at Malwarebytes, says that model is turned on its head. Affiliates collect money from victims directly and then pay fees to the main LockBit group. The design seems to work well and is reliable for LockBit. “The collaborative model was well-organized,” says Segura.
While researchers have repeatedly seen criminals of all kinds professionalize and improve their operations over the past decade, many of the most popular and fastest-growing ransomware groups have adopted crude, anonymous personas to build a public profile and intimidate victims. In contrast, LockBit is known for being consistent, straightforward, and organized.
“Of all the groups, I think they’ve probably been doing the most business, and that’s one of the reasons for their longevity,” said Brett Callow, an analyst at antivirus firm Emsisoft. “But just because they put a lot of victims on their website doesn’t mean they’re the biggest redemptive group out there, as some might say. They probably enjoy being described that way. That’s good for recruiting new friends.”
The group isn’t all hype, though. LockBit seems to be investing in technology and operations in order to increase profitability. Peter Mackenzie, director of operations at security firm Sophos, says, for example, that the group has tried new ways to force victims to pay ransoms.
“They have different payment methods,” says Mackenzie. “You can pay to have your data removed, pay to have it released early, pay to extend your time,” he says, adding that LockBit has opened up its payment options to everyone. This could, possibly, lead to a rival company buying the ransomware victim’s information. “The victim’s point of view, it’s very difficult for them, which helps people pay,” says Mackenzie.
Since LockBit’s inception, its creators have spent a lot of time and effort developing the malware. The team has released two major updates to the code: LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. The researchers say the evolution of the technology has paralleled changes in the way LockBit works with its partners. Before releasing LockBit Black, the group worked with a select set of 25 to 50 close collaborators. Since the release of 3.0, the group has become more open, which makes it difficult to maintain the number of partners and difficult for LockBit to control the group.