LockBit emerged at the end of 2019, initially calling itself “ABCD ransomware.” Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning a core group creates the malware and runs its website while licensing its code to “affiliates” that carry out the attacks.
Usually, when ransomware-as-a-service groups successfully attack a business and get paid, they share a portion of the profits with their affiliates. In the case of LockBit, Jérôme Segura, senior director of threat intelligence at Malwarebytes, said the affiliate model has been turned upside down: affiliates collect payments directly from their victims and then pay a fee to the core LockBit team. The structure seems to work well and reliably for LockBit. “The association model has been perfected very well,” says Segura.
Although researchers have repeatedly watched cybercriminals of all kinds professionalize and streamline their operations over the past decade, many prominent and thriving ransomware groups have adopted flashy and unpredictable public personas to attract notoriety and intimidate victims. In contrast, LockBit is known for being relatively consistent, centralized, and organized.
“Of all the groups, I think they’re probably the most business-like, and that’s part of the reason they’ve survived,” said Brett Callow, a threat analyst at anti-virus firm Emsisoft. “But the fact that they post so many victims on their site does not necessarily mean that they are the largest ransomware group, as some have suggested. However, they are probably quite satisfied with being described that way. That is only good for recruiting new affiliates.”
However, the group is certainly not all hype. LockBit appears to invest in both technical and logistical innovation in an attempt to maximize profits. For example, Peter Mackenzie, director of incident response at security firm Sophos, said the group has been testing new methods of pressuring victims to pay ransoms.
“They have different payment methods,” says Mackenzie. “You can pay to erase your data, pay to release it early, pay to extend your term,” Mackenzie said, adding that LockBit has opened up these payment options to anyone. At least in theory, this could lead to a rival company buying a ransomware victim’s data. “From the victim’s perspective, it’s the added pressure on them, that’s what costs everyone,” Mackenzie said.
Since LockBit launched, its creators have spent a lot of time and effort developing its malware. The group has released two major updates to the code: LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. These two versions are also known as LockBit Red and LockBit Black, respectively. The technical developments have paralleled changes in the way LockBit works with its affiliates, the researchers say. Prior to the release of LockBit Black, the group worked with an exclusive set of roughly 25 to 50 affiliates. Since the release of version 3.0, however, the gang has expanded significantly, making it more difficult to track the number of participating affiliates and also harder for LockBit to control them collectively.