A deep dive into the operations of the LockBit ransomware group

Most victims are from the enterprise and are expected to pay an average ransom of $85,000.
Written by Charlie Osborne, Contributing Writer

Researchers have provided an in-depth look at how LockBit, one of the newer ransomware groups on the scene, operates.

Ransomware has become one of the most disruptive forms of cyberattack this year. It was back in 2017 with the global WannaCry outbreak that we first saw the severe disruption the malware could cause, and in 2021, nothing seems to have changed for the better. 

This year alone, so far we've seen the Colonial Pipeline ransomware disaster that caused fuel supply shortages across parts of the US; ongoing issues at Ireland's national health service, and systematic disruption for meat processor giant JBS due to the malware.

Ransomware operators will deploy malware able to encrypt and lock systems, and they may also steal confidential data during an attack. Payment is then demanded in return for a decryption key. 

Losing money by the second while their systems fail to respond, victim enterprise players may then be subject to a second salvo designed to pile on the pressure -- the threat of corporate data being either leaked or sold online through so-called leak sites in the dark web. 

Ransomware attacks are projected to cost $265 billion worldwide by 2031, according to Cybersecurity Ventures, and payouts now commonly reach millions of dollars -- such as in the case of JBS. However, there is no guarantee that decryption keys are fit for purpose or that paying once means that an organization will not be hit again. 

A Cybereason survey released this week suggested that up to 80% of businesses who fell prey to ransomware and paid up have experienced a second attack -- potentially by the same threat actors. 

The threat of ransomware to businesses and critical utilities has become serious enough that the issue was raised during a meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit.  

Each group has a different modus operandi and ransomware operators are constantly 'retiring' or joining the fold, often through a Ransomware-as-a-Service (RaaS) affiliate model. 

On Friday, the Prodaft Threat Intelligence (PTI) team published a report (.PDF) exploring LockBit and its affiliates. 

According to the research, LockBit, believed to have previously operated under the name ABCD, operates a RaaS structure that provides affiliate groups a central control panel to create new LockBit samples, manage their victims, publish blog posts, and also pull up statistics concerning the success -- or failure -- of their attack attempts. 

The investigation revealed that LockBit affiliates most often will buy Remote Desktop Protocol (RDP) access to servers as an initial attack vector, although they may also use typical phishing and credential stuffing techniques. 

"Those kinds of tailored access services can be purchased as low as $5, thus mak[ing] this approach very lucrative for affiliates," Prodaft notes. 

Exploits, too, are used to compromise vulnerable systems, including Fortinet VPN vulnerabilities that have not been patched on target machines. 

Forensic investigations of machines attacked by LockBit affiliates show that threat groups will often first try to identify "mission-critical" systems including NAS devices, backup servers, and domain controllers. Data exfiltration then begins and packages are usually uploaded to services including MEGA's cloud storage platform. 

A LockBit sample is then deployed manually and files are encrypted with a generated AES key. Backups are deleted and the system wallpaper is changed to a ransom note containing a link to a .onion website address to purchase decryption software. 

The website also offers a decryption 'trial,' in which one file -- with a size smaller than 256KB -- can be decrypted for free. 

However, this isn't just to show that decryption is possible. An encrypted file needs to be submitted for affiliates to generate a decryptor for that particular victim. 

If victims reach out, attackers can open a chat window in the LockBit panel to talk to them. Conversations will often start with the ransom demand, payment deadline, method -- usually in Bitcoin (BTC) -- and instructions on how to purchase cryptocurrency. 

Prodaft was able to obtain access to the LockBit panel, revealing affiliate usernames, the number of victims, registration dates, and contact details. 


The research team says that clues within the affiliate names and addresses suggest that some may also be signed up with Babuk and REvil, two other RaaS groups -- however, the investigation is ongoing. 

On average, LockBit affiliates request roughly $85,000 from each victim, 10 - 30% of which goes to the RaaS operators, and the ransomware has infected thousands of devices worldwide. Over 20% of victims on the dashboard were in the software and services sector. 

"Commercial and professional services as well as the transportation sector also highly targeted by the LockBit group," Prodaft says. "However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim."

At the time of writing, LockBit's leak site was unavailable. After infiltrating LockBit's systems, the researchers decrypted all of the accessible victims on the platform.

Earlier this month, Bleeping Computer reported that LockBit was a new entrant to a ransomware cartel overseen by Maze. Prodaft told ZDNet that as they "detected several LockBit affiliates are also working for other ransomware groups, collaboration is very likely."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards