LockBit in Focus: Ransomware, Cyber Attacks, and Takedowns
The LockBit ransomware group has made headlines with its cyber attacks since 2019—and more recently, its takedown thanks to a united effort from 10 countries. But LockBit’s legacy of providing Ransomware-as-a-Service (RaaS) lives on.
Because their model lets anyone, even non-tech-savvy criminals, steal and encrypt data, organizations are increasingly exposed to LockBit malware.
Here’s everything we know about the LockBit gang, and how businesses can step up their cybersecurity measures to fight back.
1. What is LockBit?
LockBit is a cybercrime gang that Europol described as ‘the world’s biggest ransomware operation.’
Since 2019, LockBit has specialized in Ransomware-as-a-Service (RaaS), offering malware to affiliates in exchange for a cut of the profits. This business model has made LockBit highly accessible to cybercriminals.
Spotlight: Understanding RaaS
Ransomware is a type of malware that encrypts victims’ data, blocking all access until a ransom is paid. Often, cybercriminals escalate the situation by threatening to leak sensitive data or sell it on the dark web if payment isn’t received.
Thanks to the RaaS model, even non-technical cybercriminals can launch ransomware attacks. LockBit’s ransomware is known for being highly efficient and difficult to detect, targeting multiple industries and organization sizes.
LockBit affiliates get ready-made ransomware, a management dashboard, and negotiation support. They then pay a percentage of their resulting ransom payment to LockBit.
2. LockBit in numbers
So, what do we know about LockBit in 2024? Is ransomware associated with LockBit still spreading? Here are 5 trends that every CISO should know.
They’ve cost the US $91 million
Digital extortion has been a profitable business for LockBit. Since January 2020, LockBit has accounted for $91 million worth of ransomware payments in America, and one fifth of all ransomware attacks in Australia, Canada, New Zealand, and the US.
They have the most detected attacks worldwide
In 2023, LockBit accounted for the largest share of detected ransomware attacks worldwide, at 22.22%.
This makes it the ‘top global ransomware threat’, as described by Infosecurity Magazine, and ‘a major threat to businesses worldwide,’ according to the National Cyber Security Centre.
Graph showing most-detected ransomware attacks worldwide in 2023.
They’re a major threat to critical infrastructure
In 2023, LockBit was the main ransomware variant targeting US critical infrastructure, followed by ALPHV/BlackCat and Akira. This makes it a dominant player in the RaaS market, and an appealing option for threat actors everywhere.
Graph showing the main types of ransomware attacking critical infrastructure.
They frequently target the manufacturing industry
In 2023, manufacturing was the industry most affected by ransomware attacks (closely followed by technology), with a 50% increase in attacks over the previous year.
The manufacturing industry is often targeted because it doesn’t always have the strongest cybersecurity, and any disruption can have major implications for other businesses and supply chains.
Their malware is still active
Even after the United Kingdom’s National Crime Agency (NCA), the FBI, and Europol orchestrated a LockBit takedown, the gang launched ransomware attacks from different servers with updated encryptors. A new variant derived from LockBit 3.0, with self-spreading features, also emerged in April 2024.
News headlines showing LockBit 3.0 features dominated early 2024.
3. The LockBit timeline: How it all began
Here’s a short rundown of everything that’s happened with LockBit since 2019.
- 2019: LockBit’s malware was first observed and known as “.abcd”, after the file extension it appended to encrypted documents.
- 2020: The name ‘LockBit’ emerged, and the group created its own website, with posts in Russian and English (although it claimed to be based in the Netherlands).
- 2021: LockBit 2.0 was launched, including a feature called StealBit, an infostealer that could disguise itself to gather sensitive data.
- 2022: LockBit operators claimed responsibility for cyberattacks on many organizations, such as Pendragon PLC with a ransom demand of $60 million, and launched LockBit 3.0.
- 2023: French brand Nuxe, the UK’s Royal Mail, and a branch of the newspaper China Daily were among the many organizations targeted by LockBit attacks.
- 2024: International partners took control of the LockBit website. The group was already working on the potential future LockBit 4.0 when the takedown happened.
As for the technology itself, the Cybersecurity & Infrastructure Security Agency (CISA) has an overview of how LockBit’s malware has evolved.
Timeline of LockBit functionality changes. Source: CISA.
4. How LockBit works: Attack stages
What does a LockBit attack actually look like? Here’s a summary of the different stages.
- Initial access: Using social engineering tactics such as phishing, or brute-forcing Remote Desktop Protocol (RDP) credentials, threat actors exploit an organization’s weaknesses to gain unauthorized access.
- Lateral movement and privilege escalation: Once inside, the attackers identify which sensitive data to encrypt, escalate their privileges, and establish themselves across the network.
- Ransomware payload is deployed: After preparing the network, they deploy the malware and drop the ransom note, sometimes threatening to publish the data on a leak site or forum if the ransom is not paid.
LockBit affiliates rely on tools including PowerShell Empire and Cobalt Strike, and also abuse the legitimate Windows Defender tool. These let them move through victims’ networks, and delete log files and backups before encryption begins.
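The three stages above leave traces a defender can look for: a burst of failed RDP logons from one source followed by a success, backup and shadow-copy deletion from the command line, and the Security log being cleared before encryption. The following script is an added example written for this article, not code from LockBit, CISA, or any vendor. It runs simple detection rules over constructed, simplified log records (real Windows Security logs are EVTX/XML, not this pipe-delimited layout); the Windows event IDs used are the standard ones (4625 failed logon, 4624 successful logon, 4688 process creation, 1102 audit log cleared), and the thresholds are assumptions to tune for your environment.

```python
"""Detect ransomware precursor activity in simplified Windows Security-log records.

Added example for this article; the log lines below are constructed, not real telemetry.
Record layout (invented for the example): timestamp|event_id|source_ip|user|detail
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one RDP brute-force that succeeds, followed by backup
# tampering and a cleared Security log, plus a benign single-failure logon.
SAMPLE_LOG = """\
2024-03-01T02:00:01|4625|203.0.113.7|administrator|logon_type=10
2024-03-01T02:00:03|4625|203.0.113.7|administrator|logon_type=10
2024-03-01T02:00:05|4625|203.0.113.7|admin|logon_type=10
2024-03-01T02:00:07|4625|203.0.113.7|backup|logon_type=10
2024-03-01T02:00:09|4625|203.0.113.7|svc_sql|logon_type=10
2024-03-01T02:00:11|4625|203.0.113.7|jsmith|logon_type=10
2024-03-01T02:00:40|4624|203.0.113.7|jsmith|logon_type=10
2024-03-01T02:15:00|4688|-|jsmith|cmd=vssadmin.exe delete shadows /all /quiet
2024-03-01T02:15:02|4688|-|jsmith|cmd=wbadmin.exe delete catalog -quiet
2024-03-01T02:16:00|1102|-|jsmith|log=Security cleared
2024-03-01T09:00:00|4625|198.51.100.4|alice|logon_type=10
2024-03-01T09:00:30|4624|198.51.100.4|alice|logon_type=10
"""

# Assumed thresholds: tune per environment.
BRUTE_FORCE_THRESHOLD = 5            # failed RDP logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this window, before a success
RDP_LOGON_TYPE = "logon_type=10"     # logon type 10 = RemoteInteractive (RDP)

# Command lines that remove the local recovery options ransomware wants gone.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def parse_log(text):
    """Parse the constructed pipe-delimited records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, user, detail = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "src": src,
            "user": user,
            "detail": detail,
        })
    return events


def detect(events):
    """Return (rule, subject, context) tuples, in log order."""
    alerts = []
    rdp_failures = defaultdict(list)  # source_ip -> timestamps of failed RDP logons
    for ev in events:
        if ev["id"] == 4625 and RDP_LOGON_TYPE in ev["detail"]:
            rdp_failures[ev["src"]].append(ev["ts"])
        elif ev["id"] == 4624 and RDP_LOGON_TYPE in ev["detail"]:
            # A success is only suspicious after a burst of failures from the same source.
            recent = [t for t in rdp_failures[ev["src"]] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("rdp_bruteforce_success", ev["src"], ev["user"]))
        elif ev["id"] == 4688:
            cmd = ev["detail"].partition("cmd=")[2]
            if any(p.search(cmd) for p in BACKUP_TAMPER_PATTERNS):
                alerts.append(("backup_tampering", ev["user"], cmd))
        elif ev["id"] == 1102:
            # Clearing the Security log is rare in normal operations and a classic pre-encryption step.
            alerts.append(("audit_log_cleared", ev["user"], ev["detail"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, context in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:24s} {subject:16s} {context}")
```

The benign host at 198.51.100.4 (one failure, then success) produces no alert, while the 203.0.113.7 sequence trips all three rules. In production the same logic would consume events from a SIEM rather than a string, and the backup-tampering rule would normally also cover the equivalent PowerShell and WMI commands; the point is that the log-and-backup deletion described above is visible before encryption starts, which is when isolating the host still matters.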
5. Case studies: The LockBit victims you should know
Let’s look at some real-life stories of what happens when the LockBit malware infiltrates a network (with some interesting twists)!
When the hackers apologized…
Healthcare data is highly valuable: leaks of personally identifiable information (PII) can include credit card details and social security numbers.
But sometimes, even ransomware gangs go a step too far.
In 2022, cybercriminals targeted Toronto’s Hospital for Sick Children. When it realized what had happened, LockBit released a statement to apologize, said it had blocked the partner responsible, and offered a free decryption key so that the hospital could get its data back.
When 57,000 people had their personal data stolen…
With the majority of cybercrime being motivated by profit, the financial services sector is a prime target for many hackers (second only to healthcare).
For instance, in 2023, Bank of America had the data of 57,000 customers exposed by LockBit, and the bank did not disclose it until 2024.
When the UK postal service ground to a halt…
Ransomware can be hugely disruptive to businesses and supply chains—particularly when it targets the postal service itself.
In January 2023, the UK’s Royal Mail was hit by a Russia-linked ransomware attack via LockBit. It affected the computer systems that were used to send international parcels. It took a month for the usual overseas postage services to resume.
When LockBit told a lie…
Sometimes, ransomware gangs aren’t entirely honest about the data they’ve stolen. They might lie or exaggerate for prestige or to spread disinformation campaigns and spark unrest.
After the international takedown, LockBit claimed it had attacked the central bank of the US, the Federal Reserve, and stolen 33 terabytes of sensitive data. But in reality, it had just stolen data from a single bank—Evolve Bank & Trust.
When things got personal with Elon Musk…
“Elon Musk, we will help you sell your drawing to other manufacturers — build the ship faster and fly away,” LockBit announced in March 2023, claiming to have broken into a SpaceX supplier and stolen 3,000 rocket schematics.
However, neither SpaceX nor the supplier commented, so it remains a mystery whether LockBit had stolen the proprietary schematics at all.
When the biggest sandwich chain came under fire…
In a similar situation in January 2024, LockBit claimed to have breached Subway’s internal database, exposing ‘hundreds of gigabytes’ of data, including financial information such as royalty payments and employee salaries.
Subway investigated the claim, but there isn’t any public information on whether the ransomware attack was authentic or not.
Screenshot of the ransom note addressed to Subway from LockBit.
6. Operation Cronos: A retaliation from law enforcement
In February 2024, LockBit suffered a critical blow after an international effort to dismantle its operations.
In a mission known as ‘Operation Cronos’, 10 core countries, including the UK and the US, plus 4 participating countries, including Ukraine, collaborated to seize LockBit’s primary servers.
Europol graphic showing the countries involved in Operation Cronos.
International law enforcement partners, including the Department of Justice, gathered in London to announce that they had taken over several of LockBit’s public websites, and used the seized leak site to display a message of their own.
The operation closed 14,000 rogue accounts, made 2 arrests, and took down 34 servers. It also identified 194 affiliates who were using the ransomware, of whom 119 had already deployed attacks.
Europol graphic showing the outcomes of Operation Cronos.
However, many LockBit affiliates are still at large, scattered across different regions, so eradicating the malware completely is difficult.
But law enforcement continues to pursue threat actors responsible. Just this month, Mikhail Matveev was arrested by Russian authorities for his involvement in LockBit.
The FBI has also offered a $10 million reward for information about Russian national Dmitry Khoroshev, or “LockBitSupp”, a key administrator of the LockBit operation.
The UK’s National Crime Agency announced that these sanctions show that, “there is no hiding place for cyber criminals.”
An FBI reward listing for information about “LockBitSupp”.
7. Moving forward: Protecting against ransomware gangs
In the aftermath of the takedown, LockBit made a new announcement in May 2024. It claimed that it had increased its attack volume, becoming the most active ransomware gang globally.
Whether they’re being truthful or simply inflating the numbers, ransomware remains a huge threat to any organization.
Here are some cybersecurity measures that every CISO should follow:
- Know cybercriminal tactics, techniques, and procedures (TTPs): By understanding how attackers operate, information security teams can take steps to counteract them.
- Invest in an external attack surface management (EASM) tool: Software such as CybelAngel can help brands to secure public-facing digital assets. For example, you can use dark web monitoring to track cybercriminal conversations, and invest in account takeover prevention.
- Make regular data backups: Maintain secure, offline backups of your critical data. This ensures you can recover information without paying a ransom if attacked.
- Train your team: Educate staff about phishing scams and other social engineering tactics used by ransomware gangs to gain unauthorized access.
- Have an incident response plan: Develop and routinely test a ransomware response plan. Know how to isolate infected systems, communicate with stakeholders, and recover efficiently.
Wrapping up
LockBit’s rise and impact reveal just how dangerous ransomware has become. These groups exploit weaknesses, disrupt people’s lives, and demand huge sums of money.
But smarter defenses are helping to push back against ransomware gangs, and make the online world a safer place.