Why individual arrests will not shut down LockBit


Individual arrests of LockBit affiliates are unlikely to shake the foundation of the notorious ransomware cartel. Experts believe the group’s only vulnerability is its popularity.

Canadian authorities recently arrested Mikhail Vasiliev, a 33-year-old Russian national suspected of having ties with the notorious LockBit ransomware cartel. Vasiliev was no small catch, as Europol believes the Russian national’s ransom demands ranged between €5 and €70 million.

Arresting an important gang member often spells trouble for any criminal organization. The feeling of walls closing in on LockBit was also reinforced by Europol explicitly noting that the arrest was a follow-up to last year’s bust in Ukraine, when local police arrested two of Vasiliev’s accomplices.

Helpful dispersity

However, some security experts believe incarcerating LockBit’s affiliates will have little effect on a gang that victimized over a thousand organizations worldwide. According to Justin Fimlaid, the founder and CEO of NuHarbor Security, catching lone actors will have little effect because LockBit is well-staffed and decentralized.

“In our experience, this means there are typically lieutenants in the organization that shadow and are mentored by more senior members. While this arrest is notable, it’s only one arrest and likely means a lieutenant will step up to lead LockBit,” Fimlaid told Cybernews.

Meanwhile, past decapitations of ransomware cartels show that cybergangs don’t go away: their remaining members regroup, rebrand, and start new gangs operating with modified malware and a similar modus operandi.

“These operators have a skill set they can monetize, and their skills are in demand. For many, this is how they feed their families, so necessity will keep them working in the space,” Fimlaid said.

The Russian component

Another factor burdening efforts to eliminate ransomware gangs like LockBit is that key operators likely reside in countries hostile to Western governments, Eli Salem, the Lead Threat Hunter at Cybereason, believes.

“Vasiliev’s arrest will likely have no impact on the group’s activities because of his small role and the fact that the core LockBit members are based in Russia,” Salem explained to Cybernews.

While other Russia-based ransomware cartels, namely REvil and Conti, fell apart, the tectonic shifts in the geopolitical landscape following Russia’s invasion of Ukraine will likely benefit ransomware gangs operating in the lands controlled by the Kremlin.

Salem notes that in REvil’s case, Russia seemingly tried to show some willingness to collaborate with the US authorities, arresting several of the group’s members at the US request.

“However, the members arrested weren’t the leaders. The LockBit group seems more united, and at the moment, the Russian government isn’t going to hand over members to the West as they reside in Russia,” Salem said.

Interestingly, Russian government officials recently proposed a bill that would allow the state to confiscate any property that was obtained as a result of cybercrime. Whether that will incentivize Moscow to deal with its cybercrime problem remains to be seen.

Criminal software company

Even if LockBit ceased to exist now, the cartel would remain the most successful in 2022. A report by threat intelligence firm Digital Shadows shows that for two consecutive quarters, LockBit and its affiliates accounted for over a third of all ransomware attacks involving organizations being posted to ransomware leak sites.

Fimlaid believes LockBit’s success is due to the fall of other prominent ransomware groups. Internal conflicts disrupted Conti while authorities took care of REvil, leaving a significant market share for LockBit to take. While climbing to the top is difficult, staying there is problematic.

“As they take center stage, they will need to deal with increased attention and focus from law enforcement, and that will make it an interesting 2023,” Fimlaid said.

More signs point to the gang's high profile becoming problematic as breaches invite international cooperation between law enforcement agencies. Sources recently told Reuters that the FBI got involved in investigating LockBit's recent hack of German automotive supplier Continental.

However, if LockBit successfully avoids justice, the cartel could remain the top player. The driving force behind every successful ransomware cartel is its malware, and LockBit has few equals in this respect.

“Members of LockBit are developers at heart, and they’re not resting on a single ransomware codebase. Like a commercial software firm, they’re adding features, enhancements, general improvements,” Fimlaid explained.

Steady development puts the cartel in an advantageous position as organizations and cybersecurity experts are forced to react to new features that LockBit introduces. As long as the knowledge gap between the criminals and their pursuers remains, cybergangs like LockBit will find their way into organizations.