(Cyber)Crime Kingpin – Lockbit Ransomware Group’s Evolution And Rise To The Top

Published on 24 May 2023


In the world of cybercrime, staying ahead of the game is essential. Cybercriminals are constantly evolving their tactics and looking for new vulnerabilities and victims to exploit, and ransomware groups are no exception. One group that has risen to the top is LockBit, establishing themselves as the cybercrime kingpin that other ransomware groups have to keep pace with. This has seen them constantly innovating and updating their encryption malware. Since its inception in 2019, LockBit has become one of the most prominent ransomware groups in recent years, in part due to its success as a popular Ransomware-as-a-Service (RaaS) option for affiliates. RaaS kits allow affiliates with minimal skill or time to launch their own ransomware attacks quickly and inexpensively. 

This has contributed to LockBit's meteoric rise, with the number of attacks employing LockBit ransomware increasing dramatically year after year. In 2022, LockBit led the way with 913 ransomware attacks worldwide. This is consistent with CSA’s findings that LockBit was the most active ransomware group globally and locally in 2022.

Figure 1: Top 10 ransomware groups observed globally in 2022. Source: CSA’s diagram based on the groups’ respective data leak sites.

LockBit’s readiness to innovate and continuously improve their techniques and tools demonstrates their determination to become the top dog of the ransomware world - and to maintain this position for as long as they can. This issue of Cybersense examines why LockBit is a significant threat and how they have risen to the top of the ransomware underworld.

A Brand New Ransomware Paradigm

In a span of just a few years, the once obscure "ABCD ransomware" evolved into the notorious LockBit ransomware group, gaining a prominent position in the ransomware underworld. LockBit’s rise to the top was not by chance but carefully engineered - even if they deviated from the norms of traditional ransomware operations.

“Uplifting” the Position of Affiliates

As an RaaS operation, the group's core team develops the malware and oversees the website, while affiliates, who specialise in various domains such as vulnerability scanning or network cracking, are granted access to the code to carry out attacks. A prevailing problem with such cybercriminal affiliate models is that affiliates would receive their portion of the ransom only at the end of the attack, similar to an invoicing system. A significant number of affiliates have expressed dissatisfaction and complained about the lack of fair distribution of proceeds, prompting them to seek alternative ransomware groups with more appealing affiliate models, or even to sabotage the group’s operations.

To circumvent this issue, LockBit flipped the affiliate model on its head by giving affiliates full control over negotiations and payments, such as setting their own ransom amounts and even offering deadline extensions. Affiliates collect payment from their victims directly and then pay a 20% commission to the core LockBit team. The structure seemingly works well and is reliable for LockBit. This change, combined with an improved ransomware product, made LockBit the preferred choice among affiliates.

Unleashing the Unconventional for Publicity

In an effort to garner attention and attract affiliates, the criminal group hosted an essay competition and rewarded winners with cash prizes. In September 2022, the group made headlines by offering a reward of US$1,000 to anyone who got a tattoo of the LockBit logo. Approximately 20 people obliged and shared photos and videos of their newly inked limbs.

Trouble on the Horizon?

Despite LockBit's growing notoriety and increasing efforts to evade detection, recent developments indicate that trouble may be on the horizon for the group. LockBit’s large-scale ransomware operations have attracted the attention of global law enforcement agencies, with the FBI releasing a report detailing how LockBit compromised over 1,000 organisations worldwide. Additionally, Japanese police successfully decrypted a number of files encrypted by LockBit in December 2022. Although it remains to be seen if their decryptor would work on all such files, the episode indicated that a potential breakthrough against the LockBit group’s operations may be on the horizon. In November 2022, a LockBit affiliate was arrested in Canada and will be extradited to the United States for prosecution. Internal discord within LockBit may also be brewing, as a disgruntled developer allegedly leaked the group's source code for version 3.0 online. This incident could potentially indicate growing dissatisfaction among the group's members, casting uncertainty on the future of LockBit.

Protecting against the Persistent Threat of LockBit Ransomware

The LockBit ransomware group continues to showcase increasingly audacious behaviour with each new iteration and update to their malware. This is not surprising, given the highly illegal yet exceedingly profitable nature of the ransomware industry. Cybersecurity research company Cybersecurity Ventures predicted that ransomware attacks could cause annual financial damages exceeding US$265 billion by 2031. LockBit's pursuit of innovation and business model enhancement underscores the need for continued vigilance against ransomware attacks and other cyber threats. As one ransomware group is eradicated, another swiftly emerges to take its place. This highlights the imperative for sustained efforts to combat and stay ahead of the ever-evolving landscape of ransomware and cybercriminal activities.

Despite the technical sophistication of LockBit 3.0, existing best practices for combating ransomware remain effective. Employing multi-factor authentication provides the ultimate barrier against common hacking attempts such as credential theft, while endpoint detection and response offer crucial tools for stopping cybercriminals in their tracks. In addition, it is essential to limit user permissions, remove unused accounts, and maintain up-to-date security procedures to fortify defences against LockBit and other ransomware. Regular system backups and clean machine images are also critical measures to implement in preparation for a potential attack. For further details on what you can do to protect your organisation from LockBit 3.0, please refer to the Joint Technical Advisory by the Cyber Security Agency of Singapore, the Personal Data Protection Commission and the Singapore Police Force.

[1] BlackMatter is another RaaS that was responsible for the attack on Japanese technology company Olympus and French beverage company La Martiniquaise, which announced that it was shutting down in 2021 due to law enforcement pressure.


Sources include:

AVM Consulting, Bleeping Computer, CBC Canada, Cybereason, Cybersecurity Ventures, Cyware, Dark Reading, Flashpoint, Kaspersky, Palo Alto Networks (Unit 42), Sangfor, Security Intelligence, SOCRadar, Recorded Future, Trend Micro, Wired.