LockBit ransomware might not last, but its business model will
While the group behind LockBit will eventually disband, its professionalized criminal practices will remain a headache for cyber defenders long after.
LockBit ransomware continues to lead the digital extortion underworld. The latest ransomware report by threat intelligence firm Digital Shadows shows that in the second quarter of 2022, LockBit was the most active group by an overwhelming margin.
LockBit and its affiliates accounted for a third of all attacks that led to organizations being posted to ransomware data-leak sites. Researchers attributed 231 victims to LockBit, while the second-place holder, problem-ridden Conti, had 70.
According to Ivan Righi, Senior Cyber Threat Intelligence Analyst at Digital Shadows, LockBit’s success is likely a result of the group’s highly professionalized ransomware-as-a-service (RaaS) offering, trusted by the criminal underworld.
“LockBit has built a strong reputation as a reliable ransomware program, which attracts many skilled affiliates to join its forces,” Righi told Cybernews.
Roots of success
More recently, the Conti ransomware gang, once at the top of the ransomware game, seems to have closed up shop. Meanwhile, LockBit has been in the game since 2019, a lifetime in the ransomware business, releasing the second and, recently, the third generation of its malware.
LockBit’s success stems from the group’s ability to combine a surprisingly business-oriented approach with specialized tech, according to Jason McGinnis, president of cybersecurity company Silversky.
“We tend to think that the lawlessness of ransomware stems from chaos and disorder, but LockBit is an example of a criminal enterprise organized around the common goal to make money, albeit illegally and at others’ expense,” McGinnis told Cybernews.
None of the LockBit features are unique on their own, but combined, they create a successful ransomware business model, says Brad LaPorte, advisor at cybersecurity firm Ordr.
For one, LockBit has a generous affiliate program, allowing malware users to keep 75% of extortion profits. Double extortion-based coercion via the group’s leak site and wide use of access brokers attract criminals prowling for a reliable return on malware investment.
“LockBit 2.0 has the fastest encryption routine. It encrypts only the first 4KB of each file, which is enough to render them unreadable and unusable while also allowing the attack to complete before incident responders have time to react,” LaPorte told Cybernews.
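A defender-side check for the header-only encryption pattern described in the quote above, as an added example that is not part of the original article: it compares the Shannon entropy of a file's first 4 KB with the bytes that follow. The thresholds, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

HEADER_LEN = 4096     # the "first 4KB" figure quoted in the article
HIGH_ENTROPY = 7.5    # assumed threshold: near-random bytes (bits per byte)
LOW_ENTROPY = 6.5     # assumed threshold: body still looks like plain data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def looks_header_encrypted(blob: bytes) -> bool:
    """Flag content whose first 4 KB is near-random while the rest is not.

    Compressed or fully encrypted formats are high-entropy throughout, so
    they are not flagged; files too short to have a body cannot be judged.
    """
    header, body = blob[:HEADER_LEN], blob[HEADER_LEN:2 * HEADER_LEN]
    if len(header) < HEADER_LEN or len(body) < 256:
        return False
    return shannon_entropy(header) >= HIGH_ENTROPY and shannon_entropy(body) <= LOW_ENTROPY


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext, built from chained SHA-256."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a text document, the same document with its first
# 4 KB replaced by random-looking bytes, and fully random content.
plain = b"Quarterly invoice 2022-Q2, customer ledger entry.\n" * 400
tampered = pseudo_random(HEADER_LEN) + plain[HEADER_LEN:]
archive_like = pseudo_random(len(plain))

if __name__ == "__main__":
    for name, blob in [("plain", plain), ("tampered", tampered), ("archive", archive_like)]:
        print(f"{name:9s} header={shannon_entropy(blob[:HEADER_LEN]):.2f} "
              f"flagged={looks_header_encrypted(blob)}")
```

Whole-file entropy checks miss this pattern on large files because most of the content is unchanged, which is why the header and body are scored separately.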
Demise of Conti
The most notable event in the ransomware business last quarter was the spectacular fall of the Conti ransomware gang, researchers at Digital Shadows surmise. The group had been at the top since mid-2020, harassing everyone from the government of Costa Rica to the Volkswagen Group.
However, Conti could not recover from aligning with Russia after Moscow invaded Ukraine. In March, a pro-Ukrainian insider set up a Twitter account named Conti leaks, exposing the ransomware gang and its link with the Russian state.
According to Digital Shadows, Conti’s disbanding paved the way for LockBit to take the crown. Last month LockBit became the gang with the highest number of victims, over a thousand, compared to 900 over Conti’s lifetime.
However, experts we’ve talked to doubt that the people behind Conti suddenly decided to go straight. Following in the footsteps of so many before them, Conti’s members will likely regroup or join other affiliate programs.
“These groups were rebranded and not dispersed for good. The threat actors behind these activities are still at large. They were merely momentarily disrupted by law enforcement and will come back in smaller organizations to make it more difficult for law enforcement,” LaPorte explained.
Eventually, LockBit’s affiliates will suffer the same fate as Conti did. In the lawless cyber underground, little more than financial gain holds crooks together.
“LockBit’s continual success is likely not to be the case over the long-term. Many of these groups break up over time as pressures mount, both internally from their own vulnerabilities and externally from the pursuit of law enforcement agencies,” McGinnis said.
The number of ransomware attacks grew last quarter compared to the beginning of the year. Digital Shadows counted 705 victims, 21% more than over previous months. Righi thinks that we’ll only see more attacks as the year progresses.
“[…] activity is likely to continue increasing until the end of the year. The rise in activity was primarily attributed to smaller ransomware groups having a higher activity level than usual, which is another trend likely to continue due to the recent closure of some large ransomware groups,” Righi said.
The smaller groups that excelled in thievery most last quarter were Alphv, with a 118% increase in the number of victims, and Vice Society, whom researchers credit with 100% growth.
According to Digital Shadows, new groups that emerged last quarter include Black Basta, Mindware, Cheers, RansomHouse, Industrial Spy, Yanluowang, Onyx, NOKOYAWA, and DarkAngels. Black Basta is credited as the most successful newcomer.
Threat actors primarily focused on the industrial goods and services sector, followed by the technology as well as construction and materials sectors. Companies in the United States continue to be the primary focus of ransomware gangs, with around 39% of total victims in the US.