What is LockBit ransomware?

LockBit is a ransomware family: malicious software that encrypts files on a victim's systems and demands a ransom payment for the key needed to restore access. First observed in September 2019, when early samples appended the extension .abcd and were known as ABCD ransomware, LockBit went on to become one of the most prolific and damaging ransomware operations targeting organizations worldwide.

What does LockBit ransomware do?

Like other human-operated ransomware, LockBit reaches a network through phishing emails, exposed or compromised Remote Desktop Protocol (RDP) services, stolen VPN credentials, and unpatched vulnerabilities in internet-facing software. The affiliate typically harvests credentials and moves laterally first; LockBit 2.0 added the ability to push itself to every machine in a domain through Group Policy. Once executed, the encryptor renders documents, images, databases, and other files inaccessible and drops a ransom note demanding payment, usually in cryptocurrency, for the decryption key.

LockBit uses a hybrid encryption scheme (a symmetric cipher for file contents, an asymmetric key pair to protect the per-victim keys), so encrypted files cannot be recovered without the operators' private key. Since 2020 the group has also practised double extortion: affiliates exfiltrate sensitive data before encrypting, using the group's own StealBit tool among others, and threaten to publish it on LockBit's leak site if the ransom is not paid.

How does the LockBit ransomware work?

The LockBit operation follows the Ransomware-as-a-Service (RaaS) model: the core group develops the malware, the affiliate panel and the leak site, and recruits vetted "affiliates" who carry out the actual intrusions. Affiliates keep the larger share of any ransom (commonly reported as around 80 percent), and the developers take the remainder.

Like many RaaS groups, LockBit runs its affiliate panel and leak site as Tor hidden services. Affiliates use the panel to generate customised builds of the encryptor, track infections, negotiate with victims over a built-in chat, and publish stolen data. LockBit 3.0 even advertised a bug bounty program for flaws in its own malware and infrastructure.

When the encryptor runs, it first checks the system language and exits on Russian and other CIS locales, then deletes Volume Shadow Copies so Windows cannot roll files back. Files are encrypted with a symmetric cipher (AES in early versions) under per-file keys, and those keys are wrapped with a per-victim asymmetric key (RSA-2048 in early versions) whose private half never leaves the operators; a unique victim ID ties the infection to its key pair. To finish quickly, the encryptor only encrypts the first few kilobytes of each file, enough to make it unusable. Encrypted files receive a new extension: .abcd in the earliest builds, then .lockbit, while LockBit 3.0 appends a random nine-character extension.

A ransom note is dropped in each folder (Restore-My-Files.txt for LockBit 2.0, <extension>.README.txt for LockBit 3.0) carrying the victim ID and the address of the negotiation portal, a Tor hidden service. Victims are told to buy cryptocurrency and send it to a wallet address supplied in the chat to receive a decryptor for their key pair.

What is the impact of LockBit ransomware attacks?

LockBit has hit commercial enterprises, manufacturers, healthcare providers, and government agencies. Incidents publicly claimed by the group include:

  • Accenture – August 2021, the consulting firm was listed on the LockBit 2.0 leak site with a demand reported at $50 million; Accenture said it restored affected systems from backups.
  • Continental – November 2022, the automotive supplier's data was put up for sale on the leak site after an intrusion it had disclosed in August 2022.
  • Thales – November 2022, the French defence and aerospace group's data was published after it refused to negotiate.

These and many other attacks show how damaging LockBit can be. Beyond encrypting critical systems, it causes business outages, data breaches, delayed patient care, interrupted operations, and financial harm. Recovering without paying is difficult unless isolated, tested backups exist.

Estimated global impact

  • Organizations affected: over 1,000 (2022)
  • Cost per victim: average $1.27 million
  • Total ransom paid: over $100 million (2022)

These figures are estimates. For comparison, the joint FBI/CISA advisory on LockBit published in June 2023 (AA23-165A) counted roughly 1,700 attacks on US organizations alone since January 2020, with about $91 million in ransoms paid by US victims.

Where did LockBit ransomware originate?

LockBit first appeared in September 2019, when early samples surfaced on the malware analysis service Hybrid Analysis. It was then called ABCD ransomware after the .abcd extension it appended, and was renamed LockBit in early 2020. Its developers are Russian-speaking and almost certainly based in Russia or a neighbouring state: the malware refuses to run on systems whose language is set to Russian or another CIS language, a convention among crews that want to avoid attention from local law enforcement.

The earliest version was distributed by its creators in their own campaigns. By January 2020 the operators were advertising an affiliate program on Russian-language cybercrime forums, turning LockBit into a RaaS in which multiple affiliates handle deployment.

LockBit did not gain wide notoriety until mid-2021, when LockBit 2.0 was released with faster encryption and an aggressive recruitment drive (the major forums had just banned ransomware advertising, so LockBit recruited through its own leak site instead). In June 2022 it released LockBit 3.0, also called LockBit Black, and through 2022 it became the most deployed ransomware strain in the world.

Who is behind the LockBit ransomware attacks?

LockBit is shrouded in secrecy, so attribution is difficult. The developers hide behind pseudonyms and communicate only over Tor and encrypted channels. A few details are nonetheless public:

  • LockBitSupp – the group's public persona, which recruits affiliates, handles PR and argues with researchers on cybercrime forums.
  • Affiliates – a revolving cast of intrusion crews; initial access, tradecraft and negotiation style vary from attack to attack because different affiliates carry them out.
  • Arrests – Mikhail Vasiliev, a dual Russian-Canadian national, was arrested in Ontario and charged in the United States with deploying LockBit (announced November 2022); further affiliate indictments followed in 2023.

The identities of the core developers remain unconfirmed.

Why is LockBit ransomware dangerous?

LockBit rose to prominence for several reasons that make it effective at extorting victims:

  • Speed – The encryptor is multithreaded and encrypts only the first part of each file, so an entire domain can be locked within hours of the first execution, often before defenders react. LockBit 2.0 also spreads itself through Group Policy.
  • Stealth – It deletes Volume Shadow Copies, clears Windows event logs, and terminates services and processes that hold files open or could detect it; LockBit 3.0 ships as a packed payload that, in many builds, only unpacks itself when run with a per-build password argument.
  • Data theft – Affiliates exfiltrate data (the group supplies the StealBit tool) to enable double extortion.
  • RaaS model – A decentralized structure with many independent affiliates makes the operation resilient to arrests.
  • Innovation – The group keeps adding features and techniques, and LockBit 3.0 even ran a bug bounty program for its own code.

The developers actively maintain LockBit, releasing updates to improve its success rate against defenses, and market its encryption as unbreakable. No practical weakness in the cryptography has been published; the recoveries that have occurred came from operator decisions and law-enforcement action, not from breaking the cipher.
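The sabotage steps listed under Stealth are also the most reliable place to catch LockBit before encryption finishes, because they run as ordinary command lines that endpoint telemetry records. The following Python is an added example, not code from the LockBit operation or from any security product: it applies a handful of rules to constructed process-creation records in an assumed "host | image | command line" layout and flags hosts on which several distinct sabotage techniques appear.

```python
"""Detection logic for the recovery-sabotage commands that precede encryption.

Added example, not LockBit code and not from any EDR vendor. It scans
process-creation records for the commands LockBit and similar families run
before encrypting: shadow copy deletion, disabling Windows recovery, backup
catalog deletion and event log clearing. A host that shows two or more of
these is a strong ransomware signal. The record layout ("host | image |
command line") and the log lines are constructed for the example; adapt
parse_record() to your own telemetry (Sysmon Event ID 1, EDR exports).
"""
import re
from collections import defaultdict

# technique name -> pattern over the command line (case-insensitive)
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow_copy_delete", re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
]


def classify(command_line):
    """Return the sorted list of technique names matched by one command line."""
    return sorted({name for name, rx in RULES if rx.search(command_line)})


def parse_record(line):
    """Split a constructed 'host | image | command line' record into its fields."""
    host, image, cmd = (field.strip() for field in line.split("|", 2))
    return host, image, cmd


def scan(lines):
    """Return (host, technique, command) for every record that matches a rule."""
    hits = []
    for line in lines:
        host, _image, cmd = parse_record(line)
        for technique in classify(cmd):
            hits.append((host, technique, cmd))
    return hits


def suspicious_hosts(lines, min_techniques=2):
    """Hosts on which at least `min_techniques` distinct techniques were seen."""
    seen = defaultdict(set)
    for host, technique, _cmd in scan(lines):
        seen[host].add(technique)
    return sorted(h for h, t in seen.items() if len(t) >= min_techniques)


# Constructed sample records: one host running a LockBit-style pre-encryption
# sequence, one server where an administrator does legitimate backup work.
SAMPLE_LOG = [
    r"WS-114 | C:\Windows\System32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet",
    r"WS-114 | C:\Windows\System32\wbem\WMIC.exe | wmic shadowcopy delete",
    r"WS-114 | C:\Windows\System32\bcdedit.exe | bcdedit /set {default} recoveryenabled No",
    r"WS-114 | C:\Windows\System32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    r"WS-114 | C:\Windows\System32\wbadmin.exe | wbadmin delete catalog -quiet",
    r"WS-114 | C:\Windows\System32\wevtutil.exe | wevtutil cl Security",
    r"SRV-DB01 | C:\Windows\System32\vssadmin.exe | vssadmin list shadows",
    r"SRV-DB01 | C:\Windows\System32\wbadmin.exe | wbadmin start backup -backupTarget:E: -include:C:",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%-9s %-22s %s" % hit)
    print("suspicious hosts:", suspicious_hosts(SAMPLE_LOG))
```

A single shadow-copy deletion is occasionally legitimate (disk cleanup, backup software), which is why the host-level rule requires several distinct techniques rather than alerting on the first match; the individual hits still belong in a hunt queue, because by the time the whole sequence appears, encryption is usually seconds away.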

Notable LockBit ransomware attacks

Some major incidents tied to LockBit affiliates include:

  • Bridgestone Americas – February 2022, the tyre maker disconnected and shut down plants in North and Latin America for several days; LockBit claimed the attack.
  • Entrust – June 2022 intrusion at the identity and certificate vendor; LockBit published stolen data in August after the extortion attempt failed.
  • Mandiant – June 2022, LockBit claimed to hold Mandiant's data; Mandiant found no evidence of a breach, and the listing was a publicity stunt after Mandiant linked a LockBit affiliate to Evil Corp.
  • Pendragon – October 2022, the UK car dealership group refused a demand reported at $60 million.

Recent LockBit ransomware campaigns

Continuing waves of LockBit activity show how wide its reach has become:

  • Hospital for Sick Children (SickKids), Toronto – December 2022, an affiliate's attack delayed lab results and imaging; LockBit later apologised, said the affiliate had broken its rules against hitting hospitals, and released a free decryptor.
  • Royal Mail – January 2023, an attack on the UK postal service halted international parcel shipments for weeks; the negotiation chat, later published, showed a demand of about $80 million, which Royal Mail refused.
  • Copycat builds – after a disgruntled developer leaked the LockBit 3.0 builder in September 2022, other crews began producing their own encryptors from it, so not every payload bearing LockBit's name is run by the group's affiliates.

Is LockBit ransomware decryptable?

Recovering files without the operators' key is difficult: LockBit uses a hybrid scheme in which each file is encrypted with a symmetric cipher (AES in early versions) and the file keys are protected with a per-victim asymmetric key (RSA-2048 in early versions). The private half of each victim's key pair exists only on the operators' infrastructure, so a decryptor issued to one victim is useless to another.

No practical flaw in the cryptography has been published. The recoveries that have happened came from the operation around the cipher rather than the cipher itself:

  • Keys released by the operators, as with the free decryptor LockBit handed to SickKids hospital in December 2022.
  • Keys seized from the group's infrastructure: in Operation Cronos (February 2024) the UK National Crime Agency, the FBI and partners took over LockBit's servers, recovered victim keys, and released decryption tools through the No More Ransom project.
  • Partial encryption: because only the first part of each file is encrypted, fragments of large files survive, but without intact headers they are rarely usable, and forensic carving should not be relied on as a recovery plan.

For most victims the only realistic route to their data is restoring from backups the attackers could not reach. Paying should be an absolute last resort after exhausting all other options.

How much does LockBit ransomware cost victims?

Ransom demands from LockBit affiliates are tailored to the victim's perceived ability to pay, often informed by financial documents stolen before encryption. Small businesses may face demands of $50,000 or less, while large corporations are pressured for tens of millions.

The highest publicly known demand was about $80 million (£66 million) from Royal Mail in January 2023. Royal Mail refused to pay.

Typical 2022 ransom demands by victim size were approximately:

  • Small business: $5,000 – $50,000
  • Mid-size company: around $250,000
  • Enterprise: $1.5 – $5 million

Even when an organization pays, there is no guarantee it will receive a working decryptor or that stolen data will be deleted. The operators have lied to victims about both, and a copy of stolen data, once leaked, cannot be recalled.

What to do if infected with LockBit ransomware?

If LockBit ransomware is detected in a network, organizations should take these steps:

  1. Isolate infected systems at the network level immediately, but do not power them off: memory and logs on a running host are evidence.
  2. Identify the variant from the ransom note name and the file extension, and preserve a copy of the note, an encrypted file and, if one exists, its unencrypted original.
  3. Alert senior management and activate the incident response plan.
  4. Determine the scope of the compromise through forensic analysis, including whether data was exfiltrated, and reset every credential the attackers could have captured.
  5. Notify law enforcement and regulators as required; in the US, the FBI and CISA ask victims to report LockBit incidents.
  6. Engage an external incident response firm for support as needed.
  7. Restore from isolated backups, after confirming the attackers no longer have access, before considering any payment.

Paying the ransom should only be evaluated as an absolute last step after other recovery efforts fail, and even then it may not yield usable data if the attackers do not deliver.
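Identifying the variant and determining the scope of compromise can be partly automated from what the encryptor leaves on disk. The script below is an added example, not a LockBit or vendor tool: it walks a directory tree for the ransom note names and file extensions documented for LockBit 2.0 and 3.0, learns the random nine-character 3.0 extension from the note's file name instead of guessing it, and reports counts per extension, affected directories, and the earliest encrypted-file timestamp as a lower bound on when encryption started. The directory layout and file contents it scans are constructed for the example.

```python
"""Scope a suspected LockBit infection from the artefacts it leaves on disk.

Added example, not LockBit code and not from any vendor's tool. It walks a
file tree looking for the ransom notes and extensions documented for the
family: Restore-My-Files.txt and the .lockbit extension (LockBit 2.0; .abcd in
the earliest builds), and <ext>.README.txt notes where <ext> is the random
nine-character extension LockBit 3.0 appends to encrypted files. The function
learns that random extension from the note name rather than guessing it.
Directory layout and file contents below are constructed for the example.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

FIXED_EXTENSIONS = {".abcd", ".lockbit"}
NOTE_NAMES = {"Restore-My-Files.txt"}
README_NOTE = re.compile(r"^([A-Za-z0-9]{9})\.README\.txt$")


def triage(root):
    """Summarise notes, encrypted files and affected directories under `root`."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]

    # Pass 1: collect ransom notes and learn LockBit 3.0's random extension.
    notes, extensions = [], set(FIXED_EXTENSIONS)
    for p in files:
        if p.name in NOTE_NAMES:
            notes.append(p)
        else:
            m = README_NOTE.match(p.name)
            if m:
                notes.append(p)
                extensions.add("." + m.group(1))

    # Pass 2: count encrypted files per extension and per directory, and keep
    # the earliest modification time as a lower bound on when encryption began.
    per_ext, dirs, earliest = Counter(), set(), None
    for p in files:
        if p.suffix in extensions:
            per_ext[p.suffix] += 1
            dirs.add(p.parent.relative_to(root).as_posix())
            mtime = p.stat().st_mtime
            earliest = mtime if earliest is None else min(earliest, mtime)

    return {
        "notes": sorted(n.relative_to(root).as_posix() for n in notes),
        "encrypted_by_extension": dict(per_ext),
        "affected_directories": sorted(dirs),
        "earliest_encrypted_mtime": earliest,
    }


def build_sample_tree():
    """Constructed evidence: a 3.0-style infection plus one 2.0-style share."""
    root = Path(tempfile.mkdtemp(prefix="lockbit-triage-"))
    layout = {
        "finance/q3-forecast.xlsx.HLJkNskOq": b"\x00" * 64,
        "finance/HLJkNskOq.README.txt": b"constructed 3.0-style note",
        "hr/staff-list.docx.HLJkNskOq": b"\x00" * 64,
        "hr/HLJkNskOq.README.txt": b"constructed 3.0-style note",
        "legal/contract.pdf.lockbit": b"\x00" * 64,
        "legal/Restore-My-Files.txt": b"constructed 2.0-style note",
        "README.md": b"project notes, untouched",
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a mounted forensic image or a read-only share rather than the live host, and treat the earliest timestamp as a lower bound only: the affiliate's access, credential theft and exfiltration precede it, often by days.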

How to protect against LockBit ransomware

Defending against ransomware like LockBit requires layered controls. Recommended safeguards include:

  • Backups – Maintain regularly tested backups that are offline or otherwise unreachable with domain credentials, since affiliates look for and destroy reachable backups before encrypting.
  • Endpoint security – Deploy endpoint detection and response with tamper protection on all endpoints and servers, and alert on shadow copy deletion and event log clearing.
  • Network security – Take RDP and other administrative services off the internet or put them behind a VPN with multi-factor authentication; use intrusion prevention and egress monitoring to catch bulk exfiltration.
  • Vulnerability management – Continuously scan for and patch flaws, prioritising internet-facing VPN, firewall and remote access products.
  • User training – Educate staff to recognise phishing and suspicious links.
  • Segmentation – Limit lateral movement by segmenting networks and restricting administrative access; lock down who can edit Group Policy, which LockBit 2.0 abuses to deploy itself domain-wide.
  • MFA – Require multi-factor authentication for all remote access and privileged logins.

Preventing ransomware should be a top priority for IT and security teams. LockBit and other strains will continue evolving rapidly, necessitating constant vigilance.

Conclusion

LockBit exemplifies the serious dangers posed by ransomware today. Its speed, use of data extortion, and massive distribution via RaaS make it especially pernicious. Victims across industry verticals have suffered enormous financial and operational harm.

By following cybersecurity best practices, organizations can harden their environments against attack. But the threat landscape is constantly shifting as groups like LockBit innovate. Continued research, information sharing, and vigilance are key to combating this major cyber risk.