The new ruler of the underground: LockBit ransomware chips away at the global economy

By Dain Oh, The Readable
July 12, 2022 6:00PM KST Updated July 12, 2022 8:54PM KST

This article was published in collaboration with Maeil Business Newspaper. Maeil Business Newspaper published its version of the article on the front page of its newspaper on July 13, 2022.

“Busy.” It was the answer that we received from the LockBit ransomware group recently. The Readable contacted LockBit on June 21 for the first time for an interview. Although LockBit said “yes” to our interview request and received questions on the same day, we were not able to hear from them further because the group said it was occupied with work.

LockBit is indeed busy. Its presence in the cyber sphere is dominant. Until last year, LockBit remained second to Conti in terms of ransomware success rate, based on the amount of infected business entities. However, it has overtaken Conti’s place this year with over twice the number of victims. LockBit recruited a coder and released a new version of its product. Its confidence is skyrocketing.

The Readable investigated LockBit’s operation and tried to measure its impact to the global economy. S2W, a data intelligence company, provided some of its data related to LockBit for the investigation. Maeil Business Newspaper, the most circulated business newspaper in South Korea, collaborated with The Readable, especially in planning the news article.

◇ LockBit stands out

According to analysis by S2W, LockBit made its way up to become the most powerful cybercriminal group in just three years. LockBit started its operation on September 3, 2019. LockBit originally used the name “ABCD ransomware” and belonged to Maze ransomware cartel before the Maze ransomware group announced its retirement.

In 2020, LockBit was ranked in nineteenth place, affecting at least nine companies in the world. Maze ransomware group, on the other hand, had an impact on at least 257 companies, taking its place as the number one threat actor in the same year. In 2021, Conti went from third place up to first, affecting at least 484 companies. LockBit was slightly behind Conti, affecting at least 479 companies in that year.

This year, LockBit is far ahead of the other ransomware groups. While Conti, the second biggest ransomware group, has affected 176 companies so far, LockBit has affected 383 companies. The ratio of LockBit’s attacks to the entire ransomware sector is reaching 34.3%. This means that every third organization which is hit by ransomware is affected by LockBit.

The number of victimized companies sorted by ransomware groups (2020-June 2022).

The real number of victimized companies is assumed to be much higher than exposed. “If a victim pays a ransom to LockBit, LockBit does not upload the victim’s leaked data to its webpages,” said Jungyeon Lim, senior researcher at S2W. “As LockBit runs its websites for additional extortion and negotiation, victimized companies which paid a ransom in the first place do not appear anywhere. This is why small businesses who cannot afford to pay the ransom come to the surface, while big businesses are hardly exposed."

It is impossible to accurately count how many companies were hit by ransomware attacks, since some of the victims are never disclosed to a third party. Unless an attack is directly reported by the victims, cybersecurity companies count the number of ransomware victims based mostly on the number of channels between victims and threat actors in the deep, dark web, which are usually used for negotiation.

When the Israeli cybersecurity company Cybereason conducted a survey of victims of ransomware, 41% of the respondents said they paid a ransom to expedite recovery, even though the recovery was not guaranteed. If a victim agrees to pay a ransom at the first stage of the attack, there will be no channel because the deal is already made. Due to this reason, the cybersecurity industry points out that there must be many more companies that have been victimized by ransomware.

Likewise, it is almost impossible to know exactly how much money has been paid to ransomware groups. The numbers which are announced by cybersecurity firms regarding the total amount of damages and losses related to ransomware attacks are only the tip of the iceberg. Blockchain data platform company Chainalysis reported that ransomware damage costs were aggregated up to $602 million last year and mentioned that the real costs were expected to be higher.

◇ Hotels and government bodies were hit by LockBit

According to analysis by S2W, a total of 870 organizations were hit by LockBit during the last three years. Among the list of victims, a multinational hotel chain, financial institutions, and several government institutions were included. S2W researched the victims’ revenue along with their employment size and found that the average revenue of the victims was $46 million.

The partial list of victimized companies by LockBit. The companies listed above are some of the largest business entities among the victims.

As for the United Sates, a bank, an educational institution, and a manufacturing company were infected by LockBit 2.0 this year, and their revenue appeared to be $400 million, $21 billion, and $1 billion respectively. France, Switzerland, United Kingdom, Turkey, India, Indonesia, and Japan were attacked by LockBit 2.0, as well. The affected industries are varied, including retail and energy.

South Korea is no exception. From 2020 to this point in the current year, a total of 19 South Korean companies were attacked by ransomware groups, and five out of the 19 companies were hit by LockBit. Sunhyung Shim, senior researcher at S2W, pointed out, “LockBit has become a deep-pocketed player in the ransomware scene, damaging numerous organizations in the world, and it is obvious that LockBit is the most active threat actor in South Korea, like in many other countries.”

The number of victimized companies in South Korea, sorted by ransomware groups. (2020-June 2022)

◇ LockBit steps up its game: 3.0 is active

A large portion of LockBit’s influence on business entities is coming from its ransomware-as-a-service (RaaS) operations. RaaS divides ransomware operations into two different actors: creators and operators, who are known as affiliates. The two parties share profits, which are paid by the victims as ransom. RaaS gives cybercriminals flexibility, scalability, and most importantly profitability. For this reason, LockBit pays special attention to updates and branding. Since its first emergence in September 2019, LockBit has updated its ransomware three times.

In June 2021, the group released LockBit 2.0, the updated version of LockBit 1.0. According to S2W, it is unusual for a ransomware group to update its product, rather than to rebrand it. Moreover, while other ransomware groups are using cloud services, such as MEGA and pCloud, to communicate on the data that they stole from victims’ systems, LockBit has developed its own malicious code called StealBit, which is specifically designed to extract information.

Before the 3.0 version release, the group even went through beta testing. It recruited beta testers whose job it was to find vulnerabilities in the new product, LockBit 3.0 ransomware. Once LockBit 3.0 was released, the group advertised it with the slogan “Make Ransomware Great Again! LockBit 3.0 release!” Prior to this, LockBit hired a coder in May 2021 who was able to write a bootkit, which is a malicious program that modifies the boot sectors of a hard drive.

The group also specified its affiliate rules on June 27, 2022, while announcing the LockBit 3.0 release. Introducing themselves as a group that is “completely apolitical and only interested in money,” LockBit urged “all professionals” to join their team. After the brief introduction, LockBit listed detailed descriptions of the job. Regarding targets, LockBit drew a line between what to encrypt and what not to but encouraged users to steal data from all targets. According to a notification posted by LockBit, LockBit and its affiliates share ransoms in a ratio of eight to two. Affiliate applicants must deposit one Bitcoin (approximately $20,000) and are preferred if they are recommended by insiders of the LockBit team. Cybersecurity experts believe that there is a high likelihood that Conti affiliates will move to LockBit, since Conti stopped its operations in June.

Sunhyung Shim, senior researcher at S2W, pointed out, “LockBit has become a deep-pocketed player in the ransomware scene, damaging numerous organizations in the world, and it is obvious that LockBit is the most active threat actor in South Korea, like in many other countries.” Photo by Sukwoon Ko

LockBit is now holding a bug bounty program for its 3.0 version. The ongoing program is focused on six categories: website bugs, doxing, locker bugs, tox messenger, brilliant ideas, and Tor network. Rewards are from $1,000 to $1,000,000. “LockBit reconstructed its admin page for 3.0, and for that page, cybersecurity is really important,” said Huiseong Yang, researcher at S2W, indicating that LockBit must have spent a good amount of time on its web security.

It was a lesson learned from the past. LockBit’s admin panel, which LockBit used to negotiate with victims and schedule management, was hacked by cyber threat intelligence company Prodaft. In a report, published in June, 2021, Prodaft exposed LockBit's management panels in detail. After it went through its own cybersecurity breach, LockBit reestablished its system.

◇ Excessive confidence. And the copycats

LockBit shows excessive confidence. Believe it or not, LockBit declared that it is located in the Netherlands when it posted its affiliate rules. On top of that, LockBit displays its mirror sites openly. A mirror site is a copy of a website hosted at a different location, which is built as a back-up to preserve availability. LockBit 3.0 runs a total of nine mirror sites, and all of them are shown on its loading page.

“Normally, cybercriminals run one or two servers to upload victims’ data. LockBit, however, runs several servers and goes out of its way to disclose the Tor onion addresses to the public. It is a pure gesture of confidence that they will never get caught,” said Jungyeon Lim, senior researcher at S2W. When law enforcement and cybersecurity companies start a crackdown on cybercriminals, the locations of servers and the IP addresses of illegal websites are the starting point. Hence, it is almost a mockery towards law enforcement.

While LockBit was going through updates, copycats emerged: SolidBit and CryptOn. According to analysis by S2W, SolidBit and CryptOn duplicated LockBit’s logo and websites. Given the fact that there was no connection found between the two and LockBit, researchers concluded that the two groups were taking advantage of LockBit’s name.

Contributions to this article
Huiseong Yang, Jungyeon Lim, and Sunhyung Shim contributed to this article.
S2W cyber threat intelligence (CTI) group TALON provided data for this article.
S2W data insight analyst (DIA) team analyzed data for this article.
Hyunjun Na at Maeil Business Newspaper participated in planning this article.
The photo of this article was taken by Sukwoon Ko.
The graphics of this article were designed by Areum Hwang.

Dain Oh is an award-winning cybersecurity journalist based in South Korea and the founding editor-in-chief of The Readable by S2W. Before joining S2W, she worked as a reporter for The Electronic Times, the top IT newspaper in Korea, covering the cybersecurity industry on an in-depth level. She reported numerous exclusive stories, and her work related to the National Intelligence Service led to her being honored with the Journalist of the Year Award in 2021 by the Korea Institute of Information Security and Cryptology in a unanimous decision. She was also the first journalist to report on the hacking of vulnerable wallpads in South Korean apartments, which later became a nation-wide issue.