
LockBit emerged in late 2019, initially calling itself “ABCD ransomware.” Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning a core team creates its malware and runs its website while licensing its code to “affiliates” who launch the attacks.
Typically, when ransomware-as-a-service groups successfully attack a business and get paid, they share a portion of the profits with affiliates. In LockBit’s case, Jérôme Segura, senior director of threat intelligence at Malwarebytes, said the federation model was turned on its head. Affiliates collect fees directly from victims and then pay the core LockBit team. The structure seems to work well and is reliable for LockBit. “The affiliate marketing model is really well addressed,” Segura said.
While researchers have seen various cybercriminals professionalize and streamline their operations multiple times over the past decade, many well-known and prolific ransomware groups have adopted flamboyant and unpredictable public personas to gain notoriety and intimidate victims. In contrast, LockBit has a reputation for being relatively consistent, focused, and organized.
“Out of all the organizations, I think they’re probably the most organized, and that’s part of the reason for their longevity,” said Brett Callow, a threat analyst at antivirus firm Emsisoft. “Having a lot of victims doesn’t necessarily equate to them being the most prolific ransomware group, as some have claimed. Still, they might be happy to be described as such. It’s good for recruiting new affiliates.”
The group is certainly not all hype, though. LockBit appears to be investing in both technological and logistical innovations in order to maximize profits. For example, Peter Mackenzie, director of incident response at security firm Sophos, said the group has experimented with new ways to force victims to pay ransoms.
“They have different payment methods,” Mackenzie said. “You can pay to delete your data, pay to release data earlier, pay to extend your deadline.” He added that LockBit opens up its payment options to anyone. In theory at least, this could lead to rival companies buying ransomware victims’ data. “From the victim’s point of view, it puts extra pressure on them, which helps make people pay,” Mackenzie said.
Since LockBit’s debut, its creators have spent a lot of time and effort developing their malware. The group made two major updates to the code — LockBit 2.0 in mid-2021 and LockBit 3.0 in June 2022. These two versions are also known as LockBit Red and LockBit Black respectively. Technological developments have coincided with changes in the way LockBit works with affiliates, the researchers said. The group worked with exclusive groups of up to 25 to 50 affiliates before releasing LockBit Black. However, since the 3.0 release, the group has become significantly more open, making it harder to keep tabs on the number of affiliates involved, and making it harder for LockBit to exert control over the collective.