LockBit

LockBit is a cybercriminal group proposing ransomware as a service (RaaS). Software developed by the group (also called ransomware) enables malicious actors who are willing to pay for using it to carry out attacks in two tactics where they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.

According to a joint statement by various government agencies, LockBit was the world's most prolific ransomware in 2022. It was estimated in early 2023 to be responsible for 44% of all ransomware incidents globally.

In the United States between January 2020 and May 2023, LockBit was used in approximately 1,700 ransomware attacks, with US$91 million paid in ransom to hackers.

Government agencies did not formally attribute the group to any nation-state. Software with the name "LockBit" appeared on a Russian-language based cybercrime forum in January 2020. The group is financially motivated.

In February 2024 law enforcement agencies seized control of LockBit dark web sites used for attacks. However, further attacks with LockBit ransomware were later reported, with the group attempting to perform a comeback.

Description
LockBit software, written in the C and C++ programming languages until .NET was used for the LockBit-NG-Dev under development at takedown in 2024, gains initial access to computer systems using purchased access, unpatched vulnerabilities, insider access, and zero-day exploits, in the same way as other malware. LockBit then takes control of the infected system, collects network information, and steals and encrypts data. Demands are then made for the victim to pay a ransom for their data to be decrypted so that it is again available, and for the perpetrators to delete their copy, with the threat of otherwise making the data public. (While the data are not published if the ransom is paid, it was found when LockBit was taken down by law enforcement that it had not been deleted. )

LockBit gained attention for its creation and use of the malware called "StealBit", which automates transferring data to the intruder. This tool was introduced with the release of LockBit 2.0, which has fast and efficient encryption capabilities. To expand their reach, LockBit also released Linux-ESXI Locker version 1.0, targeting Linux hosts, particularly VMware ESXi servers.

LockBit recruits affiliates and develops partnerships with other criminal groups. They hire network access brokers, cooperate with organizations like Maze, and recruit insiders from targeted companies. To attract talented hackers, they have sponsored underground technical writing contests.

LockBit has targeted various industries globally, however, healthcare and education sectors are the biggest victims. According to Trend Micro, in terms of attack attempts, United States, India and Brazil are the top targeted countries.

LockBit is efficient and adaptable: they emphasize their malware's speed and capabilities to attract victims. They take external factors like data privacy laws into consideration when targeting potential victims. LockBit's success also relies heavily on their affiliate program, which helps them innovate and compete in the ransomware landscape.

On its site on the dark web, LockBit stated that it was "located in the Netherlands, completely apolitical and only interested in money".

Techniques and tactics
LockBit operators frequently gain initial access by exploiting vulnerable Remote Desktop Protocol (RDP) servers or compromised credentials purchased from affiliates. Initial access vectors also include phishing emails with malicious attachments or links, brute-forcing weak RDP or VPN passwords, and exploiting vulnerabilities such as CVE-2018-13379 in Fortinet VPNs.

Once installed, LockBit ransomware is often executed in Microsoft Windows via command-line arguments, scheduled tasks, or PowerShell scripts such as PowerShell Empire. LockBit uses tools such as Mimikatz, GMER, Process Hacker, and registry edits to gather credentials, disable security products, and evade defenses. It enumerates network connections to identify high-value targets such as domain controllers using scanners such as Advanced Port Scanner.

For lateral movement, LockBit spreads through SMB file-sharing connections inside networks, using credentials gathered earlier. Other lateral movement techniques include distributing itself via compromised Group Policy objects, or using tools such as PsExec or Cobalt Strike.

LockBit's ransomware payload encrypts files and network shares using AES and RSA encryption. It encrypts only the first few kilobytes of each file for faster processing, and adds a ".lockbit" extension. LockBit then replaces the desktop wallpaper with a ransom note; it can also print ransom notes to attached printers. The goal is to extort payment of a ransom to reverse system disruption and restore file access.

History
LockBit malware was previously known as ".abcd", after the file extension that was added to encrypted files as they were made inaccessible.

LockBit was first observed in September 2019.

LockBit 2.0
LockBit 2.0 appeared in 2021 and came into the spotlight with their attack on Accenture the same year, where an insider probably helped the group entering the network. LockBit published some of the data stolen in this attack.

In January 2022, the electronics company Thales was one of the victims of Lockbit 2.0.

In July 2022, the administrative and management services of La Poste Mobile were attacked.

In September 2022, the group's hackers claimed cyberattacks against 28 organizations, 12 of which involved French organizations. Among them, the Corbeil Essonnes hospital was targeted with a ransom demand of US$10 million.

In October 2022, the LockBit group claimed responsibility for an attack on Pendragon PLC, a group of automotive retailers in the UK, demanding a ransom of US$60 million to decrypt the files and not leak them; the company stated that they refused the demand.

On October 31, 2022, the LockBit hacker group claimed to have attacked Thales Group for the second time and did not demand a ransom, but said that the data would be released. The hacker group offered assistance to Thales customers affected by the theft, in order to lodge a complaint against Thales, a group "that has greatly disregarded confidentiality rules". On November 10, 2022, the LockBit 3.0 group published on the darknet a 9.5 GB archive with stolen information on Thales contracts in Italy and Malaysia.

In November 2022, OEHC - Office d'Équipement Hydraulique de Corse - was the victim of a cyberattack that encrypted the company's computer data. A ransom demand was made by the hacker group, to which OEHC did not respond.

In December 2022, the LockBit hacker group claimed responsibility for the attack on the California Finance Administration. The governor's office acknowledged being the victim of an attack, without specifying its scale. Lockbit claims to have stolen 246,000 files with a total size of 75.3 GB.

In December 2022, the hacker group claimed to have attacked the port of Lisbon. The ransom was set at US$1.5 million, to be paid by January 18, 2023.

On December 18, 2022, a group of hackers attacked Toronto's Hospital for Sick Children. After realizing their blunder, the hacker group stopped the attack, apologized and offered a free solution to recover the encrypted files.

LockBit 3.0
In late June 2022, the group launched "LockBit 3.0", the latest variant of their ransomware, after two months of beta testing. Notably, the group introduced a bug bounty program, the first of its kind in the realm of ransomware operations. They invited security researchers to test their software to improve their security, offering substantial monetary rewards ranging from US$1,000 to $1 million.

In August 2022, German equipment manufacturer Continental suffered a LockBit ransomware attack. In November 2022, with no response to its ransom demand, the hacker group published part of the stolen data and offered access to all of it for 50 million euros. Among the stolen data are the private lives of the Group's employees, as well as exchanges with German car manufacturers. Beyond the theft of data, the danger lies in opening the way to industrial espionage. Indeed, among the exchanges with Volkswagen are IT aspects, from automated driving to entertainment, in which Volkswagen wanted Continental to invest.

In November 2022, the United States Department of Justice announced the arrest of Mikhail Vasiliev, a dual Russian and Canadian national, in connection with the LockBit ransomware campaign. According to the charges, Vasiliev allegedly conspired with others involved in LockBit, a ransomware variant that had been used in over 1,000 attacks globally as of November 2022. According to reports, the operators of LockBit had made at least $100 million in ransom demands, of which tens of millions had been paid by victims. The arrest followed a 2.5 year investigation into the LockBit ransomware group by the Department of Justice.

In January 2023, the hacker group claimed to have attacked the French luxury goods company Nuxe and ELSAN, a French group of private clinics. The hacker group filched 821 GB of data from the company's headquarters. The same month, Royal Mail's international export services were severely disrupted by a Lockbit ransomware attack.

In February 2023, the group claimed responsibility for an attack on Indigo Books and Music, a chain of Canadian bookstores.

In March 2023, the group claimed responsibility for attacking BRL Group, a water specialist in France.

On May 16, 2023, the hacker group claimed responsibility for attacking the Hong Kong branch of the Chinese newspaper China Daily. This is the first time the hacker group has attacked a Chinese company. LockBit does not attack Russian entities and avoids attacking Russian allies.

In May 2023, the hacker group claimed responsibility for the attack on Voyageurs du Monde. The hacker group stole some 10,000 identity documents from the company's customer files.

In June 2023, the United States Department of Justice announced criminal charges against Ruslan Magomedovich Astamirov, a Russian national, for his alleged participation in the LockBit ransomware campaign as an affiliate. The charges allege that Astamirov directly executed at least five ransomware attacks against victims and received a portion of ransom payments in bitcoin.

At the end of June 2023, the TSMC group fell victim to a ransomware attack via one of its suppliers. LockBit demanded a $70 million ransom.

In July 2023, LockBit attacked the Port of Nagoya in Japan, which handles 10% of the country's trade. The attack forced a shutdown of container operations.

In October 2023, LockBit claimed to have stolen sensitive data from Boeing. Boeing acknowledged they were aware of a cyber incident affecting some of their parts and distribution business a few days later, though it did not affect flight safety; they did not name the suspected attackers.

In November 2023, LockBit attacked the U.S. subsidiary of the Chinese state-owned Industrial and Commercial Bank of China. Bloomberg reported that the US unit of ICBC at the time was considered the world's largest lender by assets.

In November 2023, LockBit released internal data that the group had stolen a month earlier from Boeing onto the Internet.

In November 2023, the LockBit gang attacked the Chicago Trading Company and Alphadyne Asset Management. Bloomberg reported that the CTC had been hacked in October, and that over the prior year Lockbit had "become the world’s most prolific ransomware group." Since 2020, it had reportedly carried out 1,700 attacks and extorted $91 million, according to the US Cybersecurity and Infrastructure Security Agency. The Register reported in late November 2023 that LockBit was facing growing internal frustrations, and that its leaders were overhauling some of its negotiation methods with victims in response to the low pay rate achieved.

In January 2024, the LockBit gang attacked Fulton County computers. The county released a statement on the attack the following month, saying they had not paid the ransom, that it was not associated with the election process, they were not aware of any extraction of sensitive information about citizens or employees.

In June 2024, the LockBit gang attacked the University Hospital Center in Zagreb, the largest medical facility in Croatia. The cyberattack caused significant disruption, taking the hospital "back 50 years—to paper and pencil". LockBit claimed to have exfiltrated a large number of files, including medical records and employee information, and demanded an undisclosed sum in exchange for not publishing the data. The Croatian government refused the demands.

LockBit-NG-Dev (LockBit 4?)
When the LockBit server was closed down by law enforcement in February 2024, it was found that a new version, LockBit-NG-Dev, probably to be released as LockBit 4.0, had been under advanced development; Trend Micro published a detailed report on it.

Seizure by law enforcement in 2024
On February 19, 2024, the National Crime Agency in collaboration with Europol and other international law enforcement agencies seized control of darknet websites belonging to the LockBit ransomware gang as a part of Operation Cronos. An unverified report said that Lockbit had said that its servers running on the programming language PHP had been hit, but that it had backup servers without PHP that were "not touched". One person was arrested in Ukraine, one in Poland, and two in the United States. Two Russians were also named, but have not been arrested. According to Graeme Biggar, Director General of the National Crime Agency, law enforcement has "taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems." A decryptor for LockBit 3.0 was made using the seized keys and released for free use on No More Ransom.

After the takedown, law enforcement posted information about the group on its dark web site, including that it had at least 188 affiliates. Law enforcement also obtained 30,000 Bitcoin addresses used for managing the group's profits from ransom payments, which contained 2,200 BTC ($112 million USD).

As of 22 February 2024 LockBit ransomware was still spreading.

On 24 February 2024 a new website claiming to be run by LockBit appeared. The new site listed more than a dozen alleged victims including the FBI, hospitals and Fulton County, Georgia. The new site threatened to release information relating to Fulton County unless a ransom was paid by 2 March 2024. The new site claimed to have the identities of members of a jury in a murder trial. There was also a threat to release Fulton County documents relating to court cases involving Donald Trump if the ransom wasn't paid.

On 7 May 2024 charges and sanctions were announced against Dmitry Khoroshev, the alleged administrator and developer of LockBit.

On 21 May 2024, LockBit claimed responsibility for an attack on the corporate offices of Canadian retail chain London Drugs, demanding a payment of $25 million. All London Drugs stores were closed nationwide from 28 April–7 May 2024 due to the attack. London Drugs is refusing to pay the ransom, and stated that customer and "primary employee" data was not compromised.

In June 2024, LockBit claimed responsibility for a major breach of Evolve Bank & Trust, a partner bank of many financial technology companies including Stripe, Mercury, Affirm, and Airwallex. The group had threatened to leak data from the US Federal Reserve, but the leaked data appeared to come directly from Evolve, not the Federal Reserve.