Keys to LockBit’s success: self-promotion, technical acumen

Dominant ransomware group remains highly active and enjoys unusual longevity

Mathew J. Schwartz (euroinfosec) •
July 28, 2022

LockBit recently listed the Italian revenue agency as a victim and claimed to have stolen 100 GB of data. But the Italian IT services company GESIS claims to be the real victim.

When the Conti ransomware brand imploded earlier this year, the big question was who would take its place and become the world’s worst – or best, depending on perspective – ransomware gang.


A clear winner emerged: LockBit. It claims more victims on its data leak site than any other group. Its malware is technically sophisticated. Its focus on self-promotion and affiliate satisfaction has pushed it to the bottom – or top – of the list.

LockBit even took what could be called a victory lap earlier this month with the release of LockBit 3.0.

The group has announced that it will pay a bug bounty of up to $1 million to any researchers who sell it zero-day vulnerabilities to exploit. It practically issued a challenge, saying the biggest payout is for anyone who reveals the true identity of the boss of the group’s affiliate program. And it trumpeted its mission to “Make ransomware even better!”

Everything the group does seems to be working. “It’s definitely one of the most active groups right now,” says Lisa Sotto, partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP. “They have become more sophisticated and they announce to the world that they have reached a new and higher level of sophistication in their exploits.”

Threat intelligence firm Trellix says LockBit is the most common ransomware strain, accounting for 26% of total attacks in the first three months of this year, followed by Conti at 13%, BlackCat at 11% and Ryuk at 10%.

Another view of its success comes from the count of victims listed on ransomware groups’ data leak sites. In the first quarter of this year, LockBit listed 220 victims, nearly double that of Conti, which was in second place with 117 victims, cybersecurity firm Trend Micro reports.

Victims listed on ransomware group data leak sites in June (Source: Malwarebytes)

But counting the victims on a data leak site doesn’t tell the whole picture. For starters, such a site lists only alleged victims who didn’t pay a ransom, not those who did. Also, not all ransomware or ransomware-as-a-service groups operate data leak sites. “Leak site posts should not be assumed to indicate a group’s activity levels. Some operations post only a minority of their non-paying victims, while others incorrectly list companies that weren’t affected,” says Brett Callow, a threat analyst at cybersecurity firm Emsisoft.

For example, LockBit falsely listed Mandiant as a victim, and on Monday it listed the Italian Revenue Agency. But Italian media reported that this latest victim appeared to be Italian IT services company GESIS instead.

“That said, LockBit is definitely one of the most active operations,” Callow says. “The reason for this is probably that it is one of the most stable RaaS operations, which has helped it attract affiliates from now-defunct operations.”

Technical refinement

Successful ransomware groups are usually unbridled self-promoters. The hype is intended to scare new victims into paying a ransom discreetly, as quickly as possible. Brand awareness helps groups recruit highly qualified affiliates, who take the group’s ransomware and use it to infect more victims.

One of the ways LockBit tries to differentiate itself from its competitors continues to be the sophistication of its ransomware code. Namely, the gang promises that its code will encrypt faster and be harder to detect and block than the code of its rivals.

LockBit 3 technical specifications listed on its Tor-based site

LockBit offers affiliates two different versions of its Windows crypto-locking malware, “written by different programmers, allowing you to encrypt the network twice, time permitting,” it says. “It will be useful for paranoid people who doubt the reliability and implementation of the cryptographic algorithm,” or, if both get used on a network, to offer free decryption of one of the strains – but not the other – perhaps as a token of goodwill.

Version 3 of LockBit seems to have been reworked partly by adapting the source code of other ransomware. Security researchers have found many similarities between LockBit ransomware and BlackMatter – a variant of DarkSide, since relaunched as BlackCat or Alphv.

On Wednesday, a known representative of LockBit, an alleged ex-Conti member who goes by the name of LockBitSupp, “admitted to purchasing the source code of BlackMatter ransomware and upgrading it for LockBit 3.0,” reports threat intelligence firm Kela. Tellingly, LockBit also refers to version 3 of its ransomware as LockBit Black.

LockBit Lock Screen (Source: Interactive Malware Hunting Service)

Among the similarities, Kela says, “The LockBit 3.0 code is based on the BlackMatter ransomware source code; LockBit 3.0 and BlackMatter share the same API harvesting tactic; they both implement the same anti-debugging technique; share similar routines for privilege escalation; and use a Base64-encoded hash string as an encrypted filename extension, ransom note name, wallpaper, and icon name.”

Unusual longevity

LockBit enjoys an unusual longevity, and the group is quick to emphasize this stability in its pitch to potential affiliates.

“We’ve been working for 3 years…and so far we haven’t been arrested by the FBI,” LockBit’s site says. “If they couldn’t catch up with us in 3 years, they probably never will and we’ll keep working.”

Experts agree. “Absent a law enforcement response, we expect to see LockBit for the foreseeable future and further iterations of what is undoubtedly a very successful RaaS operation,” says cybersecurity firm Sentinel Labs.

Ransomware-as-a-service operations are only as good as the collective power of the affiliates they recruit. The better the affiliate, the more reliably they take down targets, including big game. As a result, there is fierce competition among ransomware operations to recruit the most qualified affiliates – or in LockBit parlance, “pentesters.”

So far, LockBit has not voiced support for Russia’s invasion of Ukraine, unlike Conti, which paid a price when many victims subsequently refused to pay.

LockBit claims to be apolitical. “We are located in the Netherlands, completely apolitical and only interested in money,” it says on its website.

In reality, according to experts, most if not all of the dominant ransomware strains are run by Russian-speaking attackers, many of whom are likely located in Russia or former Soviet satellites. Experts say they have to follow certain rules, as LockBit appears to do, such as never crypto-locking systems in Russia. In some cases, groups may also be called upon to render service to the government.

Customer focus

LockBit strives to attract affiliates via a dedicated page on its site. “The page is peppered with pleasant language designed to signal the gang’s trustworthiness and willingness to listen,” says cybersecurity firm Malwarebytes.

As LockBit tells potential affiliates: “If you can’t find one of your favorite features, please let us know, we may add it especially for you.”

The group is clearly banking on its reputation. “We have shown everyone that it is safe to cooperate with us,” it says. “We have never cheated on anyone and always honor our agreements.”

Such claims stand in stark contrast to other former ransomware bigwigs, such as the now-defunct REvil operation – aka Sodinokibi. Reverse engineers working for the cybercrime forum Exploit last year discovered that the developers of REvil had added a backdoor to the crypto-locking malware, allowing them to cut out affiliates and negotiate directly with victims. Presumably, the affiliates were never notified that these victims had paid a ransom, since each ransom went to the operators first.

LockBit affiliates keep 80%

From a business perspective, LockBit seems to have organized its operations to avoid any question of whether it might try, or be able, to run such scams. For starters, while the operators of many groups manage communication with victims, LockBit instead has affiliates do so.

“You personally communicate with the companies under attack and decide for yourself how much money to take for your valuable pentest work, which should surely be generously paid,” LockBit tells affiliates, noting that regardless of the price they set, LockBit takes a 20% cut of each paid ransom.

Affiliates are instructed to transfer LockBit’s share after any ransom payment, except for any ransom payment over $500,000. In that case, to prevent LockBit’s operators from being scammed, “you give the attacked company two payment wallets – one is yours, to which the company will transfer 80%, and the second is ours, for 20%,” says LockBit.

If potential affiliates think LockBit keeping 20% is too much, operators offer this self-serving advice: “You shouldn’t deprive yourself of the pleasure of working with us. Just increase the ransom amount by 20% and be happy.”
