Does LockBit have a website?

What is LockBit ransomware?

LockBit is a type of ransomware that encrypts files on infected systems and demands a ransom payment in cryptocurrency to decrypt them. It operates as a RaaS (Ransomware-as-a-Service) where developers create the malware and lease it out to affiliates who then carry out attacks (CISA, 2022).

LockBit first appeared in September 2019 but saw rapid growth and adoption starting in 2021, becoming one of the most prolific ransomware strains currently in operation. In 2022, LockBit conducted the most ransomware attacks of any variant, largely targeting organizations in manufacturing, retail, and professional services (Kaspersky, 2022).

Unlike some ransomware that is sprayed out in mass campaigns, LockBit is often deployed via targeted intrusions and multi-stage cyber attacks. After infiltrating a victim’s network, it will move laterally across systems, disabling security tools, before deploying ransomware payloads across large numbers of devices (BlackBerry, 2022).

LockBit operates on a RaaS model in which the developers continually update the malware with new capabilities while the affiliates who lease it conduct tailored attacks against victims. This division of labor has allowed LockBit operations to expand rapidly while evolving to evade detection.

Does LockBit have a website?

Yes, LockBit operates a website on the dark web that serves as the public face of its ransomware operation. The site can only be reached through the Tor Browser at lockbitapt.onion. This allows LockBit to remain anonymous while communicating with victims and facilitating ransom payments.

The LockBit site contains information about their ransomware strain, instructions for victims, and even a “press center” where they issue statements. There is also a page where LockBit publishes data leaks from victims who refuse to pay the ransom (LockBit 2.0 pioneered the “double extortion” tactic of threatening to publish stolen data).

According to cybersecurity researchers, the LockBit site enables new levels of “professionalization” for ransomware gangs. It allows LockBit to openly communicate with victims and conduct ransom negotiations out in the open, treated almost like a legitimate business transaction [1].

However, in November 2022, monitoring groups observed that the main LockBit Tor site briefly went offline, leading to speculation that law enforcement may have disrupted their infrastructure. LockBit later came back online claiming it was just maintenance [2].

[1] https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/lockbit

[2] https://cybernews.com/news/lockbit-ransomware-gang-infrastructure-reported-down/

How does the LockBit website work?

The LockBit ransomware group operates a website on the dark web that serves as the public face of their criminal operation (CISA, 2023). The site has a homepage that describes LockBit’s ransomware-as-a-service offering, where they recruit affiliates to conduct attacks using their malware. There are sections outlining their ransomware capabilities, pricing structure, and victim targeting. The site also contains a “Wall of Shame” page that lists the names and some stolen data from victims who refuse to pay the ransom (Kaspersky, 2022).

The LockBit website allows new affiliates to register and create an account. Registered affiliates can then log in to access LockBit’s builder tool for configuring ransomware executables. The builder provides options for setting ransom amounts, creating ransom notes, specifying file types to encrypt, and more. Affiliates pay LockBit a percentage of any ransom payments received from victims in exchange for using the ransomware service and infrastructure (Flashpoint, 2023).

Overall, the LockBit site operates as a criminal platform for recruiting and supporting affiliates to conduct ransomware attacks. The public-facing pages promote LockBit’s ransomware capabilities, while the login section contains tools for deploying the malware against victims. The site facilitates the full cycle of compromise from affiliate recruitment to ransom payment collection.

What information is on the LockBit site?

The LockBit ransomware site operates like an underground marketplace, providing data and services to cybercriminals. According to Kaspersky, the site contains several key features:

– A data leak site where stolen data from victims is published if ransom demands are not met. This acts as leverage to pressure victims into paying. As per a Flashpoint analysis, over 538GB of data from 120 victims had been published on the leak site as of July 2022 (Flashpoint).

– Ransomware builder tools that enable affiliates to customize the ransomware. For example, they can configure the ransom amount, encryption method, ransom note, etc.

– Access to the ransomware executable files, allowing affiliates to download and distribute the malware.

– An affiliate program where new partners can register and access resources for conducting attacks. LockBit offers up to 80% of ransom payments as commissions.

– Support resources like guides, videos, and FAQs to assist affiliates in deploying the ransomware and extracting payments.

Overall, the LockBit site provides cybercriminals with the infrastructure to efficiently perpetrate ransomware campaigns at scale.

Can anyone access the LockBit website?

Access to the LockBit ransomware website is restricted and not open to the general public. According to sources, the LockBit site is hosted as a Tor hidden service and can only be accessed through the Tor Browser (Flashpoint). Tor provides a high degree of anonymity by routing traffic through multiple relays, making it difficult to trace site visitors. To access the site, an individual would need to download Tor, find the right .onion URL, and enter the correct password phrase, which reportedly changes periodically (SOCRadar). Simply searching for “LockBit” will not bring up the website.

LockBit operates as a Ransomware-as-a-Service (RaaS) model, so affiliates sign up and pay to use the ransomware. The LockBit site itself serves as the infrastructure enabling this criminal service. Affiliates can reportedly log in to manage infections, make ransom demands, and even chat with the LockBit administrators (Flashpoint). So while regular internet users cannot access the site, cybercriminals participating in their affiliate program can gain access.

Gaining unauthorized access to the LockBit site would be difficult, dangerous from a legal standpoint, and does little to combat their operations. Rather, implementing strong endpoint security and patching known vulnerabilities are the best ways organizations can protect themselves from ransomware threats like LockBit (BlackBerry).

Is visiting the LockBit site illegal?

There are some inherent legal risks in visiting cybercrime sites like the LockBit leak site, even just out of curiosity. According to CISA, the FBI discourages visiting these sites, as doing so may be “dangerous and illegal.” While merely accessing such sites is not explicitly illegal, there are potential legal issues to consider:

– Viewing or downloading data that was illegally obtained – This could potentially make you an accessory to criminal activity or put you in possession of stolen information.

– Accidentally clicking on malware – These sites often contain malicious links and files that could infect your device if clicked on or downloaded.

– Violating company internet policies – Many organizations prohibit accessing websites associated with criminal activity.

– Triggering law enforcement scrutiny – Merely accessing a cybercrime site could put you on the radar of law enforcement monitoring these activities.

The legal questions are complex, but in general it is best to avoid accessing ransomware leak sites directly. If you must access one for security research or reporting purposes, take precautions such as using a VPN and an isolated virtual machine. As always, check your local laws and regulations.

How does LockBit operate?

LockBit operates using a ransomware-as-a-service (RaaS) business model, allowing affiliates to conduct ransomware attacks and then share profits with the creators of LockBit. Under this model, the LockBit developers create the ransomware code and infrastructure, then recruit affiliates to distribute the malware and conduct attacks (VentureBeat).

During a LockBit ransomware attack, the malware encrypts files on a victim’s system and leaves a ransom note demanding payment, usually in cryptocurrency. If the ransom is paid, the affiliate provides a decryptor to recover the files. The ransom payment is then split between the affiliate and the LockBit developers, often 70% to the affiliate and 30% to LockBit (CISA).

This RaaS model allows LockBit to scale attacks rapidly by leveraging a network of affiliates. It also provides an infrastructure like the LockBit leak site, which affiliates use to publish stolen victim data if ransom demands are not met (CyberNews).

By facilitating mass distribution of ransomware through its affiliate program, LockBit has been able to extort significant sums from victims. This infrastructure and profit-sharing approach underpins its operations.

Who does LockBit target?

LockBit ransomware primarily targets large organizations with valuable data and the resources to pay substantial ransoms. According to CISA, LockBit operators carefully select targets that will yield high ransom payments, often conducting weeks of reconnaissance on victims first (CISA, 2023).

Common targets include large corporations, government agencies, hospitals, and critical infrastructure organizations. In particular, LockBit seems to favor targeting manufacturing, retail, IT, insurance, healthcare, and energy companies (Flashpoint, 2023).

LockBit does not discriminate based on geography and has impacted thousands of organizations globally. However, research suggests certain countries see more LockBit activity than others, including the United States, Italy, Brazil, Vietnam, India, and countries in Eastern Europe.

The sensitive data exfiltrated and encrypted by LockBit includes personally identifiable information (PII), intellectual property, medical records, financial information, and more. By targeting essential organizations like hospitals, LockBit puts lives at risk by disrupting critical systems and care.

How can you protect against LockBit?

There are several cybersecurity measures organizations and individuals can take to protect themselves against LockBit ransomware attacks:

– Use strong passwords and enable multi-factor authentication wherever possible. This makes it much harder for attackers to gain access to accounts through brute force attacks or credential stuffing [1].

– Keep all software up-to-date with the latest patches. LockBit exploits known vulnerabilities, so patching helps remove these attack vectors [2].

– Back up critical data regularly and keep backups offline and immutable. This ensures data can be restored if encrypted by ransomware.

– Limit access and privileges for accounts. Only provide the access each user needs to do their job.

– Use endpoint detection and response tools to monitor for suspicious activity that could indicate compromise.

– Educate employees on cybersecurity best practices around phishing, strong passwords, and reporting suspicious activity.

– Keep software firewalls enabled to help block unauthorized network traffic.

– Use ad blocking and anti-malware software to help prevent infections from web-based attacks.

– Segment and monitor network traffic to limit lateral movement after an intrusion.

The future of LockBit

LockBit kept its lead as the most prolific ransomware group in the world in early 2023, according to cybersecurity firm Flashpoint [1]. As long as ransomware remains a lucrative criminal enterprise, LockBit is expected to keep refining its tactics, techniques and procedures. Some predictions for how LockBit may evolve in the future include:

– Expanding their target list to attack a wider range of organizations across more sectors. In the past LockBit has focused on targets in manufacturing, retail and healthcare, but they could broaden their scope.

– Continuing to enhance their ransomware-as-a-service offering and recruit more affiliates. This distributed model makes LockBit more resilient.

– Trying new methods of initial access like zero-day exploits or supply chain compromises rather than relying on phishing.

– Leveraging new technologies like cryptocurrency or IoT botnets to further their operations.

– Potentially engaging in double extortion schemes where they not only encrypt files but also steal and threaten to leak data.

– Focusing more on targeting backup systems to make recovery more difficult for victims.

While the future evolution of LockBit is unknown, their adaptability makes them likely to continue posing a serious ransomware threat for the foreseeable future. Proactive precautions like offline backups, patching and employee education are key to mitigating the risk.

[1] https://flashpoint.io/blog/lockbit/