A closeup of a baby's face on a no smoking sign surrounded by shrubs outside Sick Kids hospital in Toronto
Just before Christmas, a LockBit member attacked the SickKids hospital in Canada, causing delays to medical photos and lab tests.Photograph: Steve Russell/Getty Images

The Unrelenting Menace of the LockBit Ransomware Gang

The notorious Russian-speaking cybercriminals grew successful by keeping a low profile. But now they have a target on their backs.

High-profile ransomware attacks have become a fact of life in recent years, and it’s not unusual to hear about major monthly attacks perpetrated by Russia-based gangs and their affiliates. But since late 2019, one group has been steadily making a name for itself on a multi-year rampage that has impacted hundreds of organizations around the world. The LockBit ransomware gang may not be the most wildly unhinged of these crook groups, but its callous persistence, effectiveness, and professionalism create it sinister in its own way.

One of the most prolific ransomware groups ever, the LockBit collective has attempted to maintain a low profile in spite of its volume of attacks. But as it has grown, the group has gotten more aggressive and perhaps careless. Earlier this month, the LockBit malware was notably used in an attack on the United Kingdom’s Royal Mail that hobbled operations. After other recent visible attacks, like one on a Canadian children’s hospital, all eyes are now on LockBit.   

“They are the most notorious ransomware group, because of sheer volume. And the reason for their success is that the leader is a good businessman,” says Jon DiMaggio, chief security strategist at Analyst1 who has studied LockBit’s operations extensively. “It’s not that he’s got this good leadership capability. They made a point-and-click ransomware that anybody could use, they update their software, they’re constantly looking for user feedback, they care about their user experience, they poach individuals from rival gangs. He runs it like a business, and because of that, it is very, very attractive to criminals.”

Keep It Professional

For the Royal Mail, LockBit was a chaos agent. On January 11, the UK postal service’s international shipping ground to a halt after being hit with a cyberattack. For more than a week, the company has told customers not to send new international parcels—adding further disorganization after workers went on strike over pay and conditions. The attack was later linked to LockBit.

Just before Christmas, a LockBit member attacked the SickKids hospital in Canada, impacting its internal systems and phone lines, causing delays to medical photos and lab tests. The group quickly backtracked after the attack, providing a free decryptor and saying it had blocked the member responsible. In October, LockBit also demanded an unusually high $60 million payment from a UK car dealership chain. 

Adding to its infamy, LockBit is also one of the most prolific and aggressive ransomware groups when it comes to targeting manufacturing and industrial control systems. Security firm Dragos estimated in October that in the second and third quarters of 2022, the LockBit malware was used in 33 percent of ransomware attacks on industrial organizations and 35 percent of those against infrastructure.

In November, the US Department of Justice reported that LockBit’s ransomware has been used against at least 1,000 victims worldwide, including in the United States. “LockBit members have made at least $100 million in ransom requires and have extracted tens of millions of dollars in actual ransom payments from their victims,” the Justice Department wrote. The FBI first began investigating the group in early 2020. In February 2022, the agency released an alert warning that LockBit “employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense.”

LockBit emerged at the end of 2019, first calling itself “ABCD ransomware.” Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning that a core team creates its malware and runs its website while licensing out its code to “affiliates” who launch attacks.

Typically, when ransomware-as-a-service groups successfully attack a business and obtain paid, they’ll share a reduce of the profits with the affiliates. In the case of LockBit, Jérôme Segura, senior director of threat intelligence at Malwarebytes, says the affiliate mannequin is flipped on its head. Affiliates collect payment from their victims directly and then pay a fee to the core LockBit team. The construction seemingly works well and is trustworthy for LockBit. “The affiliate mannequin was really well ironed out,” Segura says.

Though researchers have repeatedly seen cybercriminals of all sorts professionalizing and streamlining their operations over the past decade, numerous prominent and prolific ransomware groups adopt flamboyant and unpredictable public personas to garner notoriety and intimidate victims. In contrast, LockBit is known for being relatively consistent, focused, and organized. 

“Of all the groups, I think they have probably been the most businesslike, and that is part of the reason for their longevity,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But the fact that they post a lot of victims on their site doesn’t necessarily equate to them being the most prolific ransomware group of all, as some would claim. They are probably quite happy with being described that way, though. That’s just good for recruitment of new affiliates.”

The group certainly isn’t all hype, though. LockBit seems to invest in both technical and logistical innovations in an attempt to maximize profits. Peter Mackenzie, director of incident response at security firm Sophos, says, for example, that the group has experimented with new methods for pressuring its victims into paying ransoms. 

“They've got different ways of paying,” Mackenzie says. “You could pay to have your data deleted, pay to have it released early, pay to extend your deadline,” Mackenzie says, adding that LockBit opened its payment options to anyone. This could, theoretically at least, result in a rival company buying a ransomware victim’s data. “From the victim's perspective, it's extra pressure on them, which is what helps create individuals pay,” Mackenzie says.

Since LockBit debuted, its creators have spent significant time and effort developing its malware. The group has issued two big updates to the code—LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. Researchers say the technical evolution has paralleled changes in how LockBit works with affiliates. Prior to the release of LockBit Black, the group worked with an exclusive group of 25 to 50 affiliates at most. Since the 3.0 release, though, the gang has opened up significantly, making it harder to keep tabs on the number of affiliates involved and also making it more difficult for LockBit to exercise control over the collective.

LockBit frequently expands its malware with new features, but above all, the malware’s characteristic trait is that it's easy and easy to use. At its core, the ransomware has always offered anti-detection capabilities, tools for circumventing Microsoft Windows defenses, and features for privilege escalation within a compromised device. LockBit uses publicly available hacking tools when it can, but it also develops custom capabilities. The 2022 FBI report noted that the group sometimes uses formerly unknown or zero day vulnerabilities in its attacks. And the group has the capability to target numerous different types of systems.

“It's not just Windows. They'll attack Linux, they'll go after your virtual host machines,” Mackenzie says. “They offer a solid payment system. There's a lot of backend infrastructure that comes with this. It's just a well-made product, unfortunately.” In October, it was reported that LockBit’s malware was deployed after a zero day was used to hack Microsoft Exchange servers—a relatively infrequent occurrence when it comes to ransomware gangs.

“Theer are extra features that create the ransomware more dangerous—for example, having worm components to it,” Segura adds. “They've also discussed matters like doing denial-of-service attacks against victims, in addition to the extortion.”  

With the release of LockBit 3.0, the group also signaled its intention to evolve. It introduced the first ransomware bug bounty scheme, promising to pay legitimate security researchers or criminals who could identify flaws in its website or encryption software. LockBit said it would pay anybody $1 million if they could name who is behind LockBitSupp, the public persona of the group.

The core members at the top of LockBit appear to include its leader and one or two other trusted partners. Analyst1’s DiMaggio, who has tracked the actors for years, notes that the group claims to be based in the Netherlands. Its leader has said at various times that he personally operates out of China or even the United States, where he has said he is a part owner of two restaurants in New York City. LockBit members all appear to be Russian-speaking, though, and DiMaggio says that while he cannot be certain, he believes the group is based in Russia.

“The leader doesn’t appear to have any concern about being arrested. He thinks he’s a supervillain, and he plays the part well,” DiMaggio says. “But I do believe he has a healthy concern that if the Russian government were to obtain their hooks in him, he would have to create the decision to turn over most of his money to them or do work for them like helping them with the Ukraine war.”

Beware the Spotlight

Despite LockBit’s relative professionalism, the group has, at times, slipped into showboating and bizarre behavior. During desperate campaigns to obtain attention—and attract affiliates—in its early months, the crook group kept an essay-writing competition and paid prizes to the winners. And in September 2022, the group memorably posted a message on a cybercrime forum claiming it would pay anybody $1,000 if they got the LockBit logo tattooed on themselves. Around 20 people shared photos and videos with their feet, wrists, arms, and chests all branded with the cybercrime gang’s logo.

LockBit’s meteoric rise and recent attacks against high-profile targets could ultimately be its downfall, though. Notorious ransomware groups have been infiltrated, exposed, and disrupted in recent years. Before Russia’s full-scale invasion of Ukraine in February 2022, the Russian Federal Security Service (FSB) arrested high-profile REvil hackers, although the group has since returned. Meanwhile, the US military hacking unit Cyber Command has admitted to disrupting some ransomware groups. And a Ukrainian cybersecurity researcher contributed to the downfall of the Conti ransomware brand last year after infiltrating the group and publishing more than 60,000 of the group’s internal chat messages.

These deterrent actions appear to be having some impact on the overall ransomware ecosystem. While it is difficult to determine real totals of how much money ransomware actors take in, researchers who course cybercriminal groups and those who specialize in cryptocurrency tracing have noticed that ransomware gangs appear to be taking in less money as government enforcement actions impede their operations and more victims refuse to pay. 

The screws are already turning on LockBit. An seemingly disgruntled LockBit developer leaked its 3.0 code in September, and Japanese law enforcement has claimed it can decrypt the ransomware. US law enforcement is closely watching the group as well, and its recent attacks can only have raised its profile. In November 2022, the FBI revealed that an alleged LockBit affiliate, Mikhail Vasiliev, 33, had been arrested in Canada and would be extradited to the US. At the time, deputy attorney general Lisa O. Monaco said officials had been investigating LockBit for more than two and a half years.

“I think LockBit is going to have a rough year this year and potentially see their numbers go down,” Analyst1’s DiMaggio says. “They are under a lot of scrutiny now, and they also may have missing their leading developer, so they could have development issues that bite them in the ass. It’ll be interesting to see. These guys don’t care about anybody or anything.”

LockBit has seemingly been so dangerous and prolific because it maintained standards for the types of targets its affiliates could hit and avoided attracting too much attention while casting a wide net. But times have changed, and shutting down the UK’s international mail exports for more than a week isn’t exactly keeping a low profile.

“They do have a bit of a PR problem when it comes to their affiliates at this point, because they seemingly can't appear to handle them very well,” Malwarebytes’ Segura says. “The bragging, hitting some pretty critical infrastructure, and high-visibility targets is a very dangerous game they're playing. LockBit has a big target on its back right now.”