LockBit: Unmasking the Tactics of Ransomware Threat Actors


LockBit, a notorious ransomware gang, collected over USD 120 million in ransom payments by attacking over 2,000 victims in the US and worldwide. Law enforcement has taken it down, but the episode holds a lesson for security leaders.

What is LockBit?

LockBit is a cybercriminal group that developed a ransomware strain to infect and extort victims. The strain was run as a Ransomware-as-a-service (RaaS) offering with a subscription-based business model.

While the group maintained the functionality of a ransomware variant, they also offered access to this variant to individuals or groups, known as “affiliates.” The group supported the affiliates in deploying the ransomware in exchange for upfront payment, subscription fees, or a profit share.

The LockBit gang distributed many variants to encrypt files, such as .abcd, LockBit 2.0, and LockBit 3.0. LockBit 3.0 was the most prolific extortion operation. It was equipped with worm-like capabilities that facilitated self-propagation across a compromised network.

The strain is recognized for its speed and use of cryptography to render files rapidly inaccessible to users. It also controlled backup activities to prevent file recovery attempts.

How Did LockBit Target Companies?

LockBit used various intrusion vectors to compromise victims’ systems. The intrusion vectors included Remote Desktop Protocol (RDP) exploitation, phishing, and credential stuffing.

One of the most reported intrusion vectors was the use of VPN remote access to reach victims’ networks. The group also used double extortion tactics, threatening to release exfiltrated sensitive data if ransom demands were not met.

Moreover, LockBit ransomware attacks were highly unpredictable due to the presence of unconnected affiliates in the operation. As a result, the observed tactics, techniques, and procedures (TTPs) used in these attacks could vary significantly.

This variation in TTPs posed a significant challenge for firms to maintain their networks’ security and protect against ransomware threats.

Who has LockBit Targeted?


Between January 2022 and September 2023, the LockBit ransomware strain was the most frequently deployed ransomware and digital extortion (R&DE) strain. The strain compromised the highest number of known targets in almost all of the seven quarters analyzed. It has been the primary digital extortion threat to all regions and almost all industries since January 2022.


The report also states that:

  • North American firms account for approximately 25% of all R&DE attacks in the region.
  • LockBit accounts for over 30% of all R&DE attacks against European firms.
  • Nearly 15% of all LockBit attacks target APAC firms.
  • On average, roughly 6% of LockBit’s attacks target MEA-based firms.
  • While historically the primary R&DE threat to SA-based organizations, LockBit is no longer the pre-eminent threat to the region. On average, LockBit is responsible for approximately one-third of the R&DE attacks that occur in the area.

On February 20th, 2024, Britain’s National Crime Agency and the FBI successfully infiltrated and disrupted the LockBit ransomware gang.

This was a joint effort called “Operation Cronos,” involving law enforcement agencies from multiple countries and support from private sector partners. Operation Cronos involved:

  • seizing the group’s infrastructure (including their leak site),
  • seizing 34 servers,
  • closing 14,000 rogue accounts,
  • freezing 200 cryptocurrency accounts, and
  • indicting 5 group members.

The FBI and NCA in the UK also seized various public-facing platforms where cybercriminals could contact and join LockBit.

Additionally, investigators seized two servers in the U.S. that were used to transfer stolen victim data.

Lessons Learned from LockBit 

Here are some significant features of how the LockBit attacks were planned and executed, along with the lessons they offer.

  • They Did Not Delete Victim Data Even if Victims Paid

It has long been suspected that paying a ransom to hackers does not guarantee that they will delete the stolen data.

Some companies have admitted that they “cannot guarantee” the deletion of their data even after paying the ransom. The recent LockBit takedown has confirmed this suspicion.

The National Crime Agency (NCA) has revealed that some of the data found on the seized systems of LockBit belonged to the victims who had already paid a ransom to the attackers.

  • They Used Freeware and Open Tools

According to the Cybersecurity and Infrastructure Security Agency (CISA), LockBit affiliates have used multiple freeware and open-source tools intended for legal use during intrusions.

After repurposing by LockBit, these tools were used for various malicious activities like file exfiltration, network reconnaissance, remote access and tunneling, and credential dumping. They also used PowerShell, batch scripts, and penetration-testing tools like Metasploit and Cobalt Strike.

Moreover, the NCA states that LockBit had a bespoke data exfiltration tool, known as StealBit, which was used by affiliates to steal victim data.

Here are some examples of the tools LockBit used:

  • 7-zip: Its intended use was to compress files into an archive. LockBit used it to compress data to bypass detection before exfiltration.
  • Advanced Internet Protocol (IP) Scanner: Its intended use was to scan networks and devices. LockBit used it to map a victim’s network to identify potential access vectors.
  • Atera Remote Monitoring & Management (RMM): Its intended use was to enable remote connections to network devices. LockBit used it to control victims’ devices remotely.

  • They Employed Post Detonation TTPs

When LockBit affiliates targeted a firm responsible for managing other firms’ networks, they attempted secondary ransomware extortion after the intrusion of the LockBit variant on the primary target.

After the primary target is hit, the affiliates attempt to extort the firms that are customers of the primary target. They do this by using secondary ransomware to lock down the services that customers consume.

LockBit affiliates may threaten to release sensitive information about the primary target’s customers to extort them.

How Companies Can Protect Themselves from LockBit Type Ransomware Attacks

Security experts globally recommend implementing the measures listed below to strengthen the cybersecurity posture against LockBit’s activity.

These measures align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).

Some of the measures are listed below:

  • Enforce sandboxed browsers to secure systems from malware stemming from web browsing.
  • Require all accounts with password logins to comply with NIST standards for developing and managing passwords.
  • Implement filters at the email gateway and firewalls to filter out malicious emails and block suspicious IP addresses.
  • Segment networks to prevent the spread of ransomware and follow the least-privilege best practice by mandating the use of admin accounts for managing systems.
  • Regularly audit the user accounts with admin privileges and enforce time-based access for those accounts.
  • Keep all the systems, software, and firmware updated and enable real-time detection for antivirus software on all hosts.
  • Raise awareness for phishing threats within the company.
  • Examine internet-facing services, domain controllers, servers, workstations, and active directories.

Christian Have, CTO at Logpoint, says,

“There is a pressing need to look at detection in a different way and find opportunities to reduce the number of alerts. The key is to advance detection engineering to the next level by adding context to the alerts, which helps determine which events are genuine incidents.”

“This can be achieved by correlating multiple alerts to the MITRE ATT&CK framework and seeing if there is a progression. This approach decreases the number of false positives and increases the chances of detecting an attack.”
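
The correlation described in the quote above, applied to the dual-use tools listed earlier, as an added example that is not from the article, CISA, or Logpoint. The process image names, the tool-to-tactic mapping, the 24-hour window, and the three-tactic threshold are assumptions, and the alerts are constructed sample data.

```python
from datetime import datetime, timedelta

# Assumed mapping for this example (not from the article): process image name
# -> (ATT&CK tactic, technique ID) for the dual-use tools named above.
TOOL_TACTIC = {
    "advanced_ip_scanner.exe": ("discovery", "T1046"),
    "ateraagent.exe": ("command-and-control", "T1219"),
    "7z.exe": ("collection", "T1560.001"),
}

# Constructed sample alerts: (ISO timestamp, host, process image).
SAMPLE_ALERTS = [
    ("2024-02-01T09:00:00", "WS-014", "7z.exe"),               # lone archive job
    ("2024-02-01T10:15:00", "HELPDESK-02", "AteraAgent.exe"),  # lone RMM session
    ("2024-02-01T01:10:00", "FS-003", "advanced_ip_scanner.exe"),
    ("2024-02-01T01:40:00", "FS-003", "AteraAgent.exe"),
    ("2024-02-01T03:05:00", "FS-003", "7z.exe"),
    ("2024-02-01T08:00:00", "WS-020", "advanced_ip_scanner.exe"),
    ("2024-02-05T08:00:00", "WS-020", "7z.exe"),
    ("2024-02-09T08:00:00", "WS-020", "AteraAgent.exe"),       # too spread out
]


def correlate(alerts, window=timedelta(hours=24), min_tactics=3):
    """Return {host: [tactics in first-seen order]} for hosts whose alerts
    cover at least min_tactics distinct tactics inside one time window."""
    by_host = {}
    for ts, host, image in sorted(alerts):
        hit = TOOL_TACTIC.get(image.lower())
        if hit:  # ignore processes that are not on the watch list
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), hit[0]))
    incidents = {}
    for host, events in by_host.items():
        for i, (start, _) in enumerate(events):
            seen = []
            for ts, tactic in events[i:]:
                if ts - start > window:
                    break  # later alerts fall outside this window
                if tactic not in seen:
                    seen.append(tactic)
            if len(seen) >= min_tactics:
                incidents[host] = seen
                break
    return incidents


if __name__ == "__main__":
    for host, tactics in correlate(SAMPLE_ALERTS).items():
        print(f"{host}: escalate, progression {' -> '.join(tactics)}")
```

Only FS-003 is escalated: each tool on its own is routine administration, and WS-020 shows the same three tactics but spread over eight days, outside the window.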

Future of LockBit Ransomware: What to Expect?

LockBit attacks will go down in history as one of the prominent intrusions targeting firms globally.

Their impact on enterprises will likely bring significant changes to the R&DE threat landscape in the future.

Have adds, “The dismantling of BlackCat in December and the current takedown of LockBit remove the two most active ransomware groups in the ransomware economy, leaving space for new actors to enter.”

“With only two arrests from the LockBit group, there is likely a huge demand for the rest from either competitors or new entrants. Consequently, we anticipate many new groups to emerge that security practitioners will need to face.”

Current LockBit affiliates may have switched to newer ransomware services that offer more favorable terms of use, greater attack flexibility, or a higher payout rate following successful extortion. These affiliates may adopt extortion tactics post-intrusion to pressure victims to pay ransom.

“The focus has shifted towards tactics, techniques, and procedures (TTPs). However, this approach can lead to a huge number of false positives, making it challenging to detect genuine problems,” he signs off.
