CyberSec_Sai

Summary

The article provides an in-depth analysis of the LockBit ransomware gang, revealing insider information about their operations, human involvement, and rivalries within the cybercrime community.

Abstract

The article delves into the LockBit ransomware cartel, offering a detailed examination of the group's structure, tactics, and impact on global cybersecurity. It highlights the human aspects of the ransomware-as-a-service model, including the behaviors and motivations of the individuals behind LockBit. The author shares insights gained from months of research and interaction within criminal forums and chat groups, shedding light on LockBit's victimology, attack timelines, and the group's standing within the ransomware ecosystem. The piece also discusses the group's resilience despite federal agency warnings and the arrest of one of its agents, emphasizing the ongoing threat LockBit poses to organizations worldwide.

Opinions

  • The author suggests that LockBit's leader, known as "LockBitSupp," exhibits narcissistic traits and engages in smear campaigns against rival gangs.
  • There is an opinion that LockBit's capability to store sensitive data securely and access infrastructure via Starlink demonstrates a sophisticated level of operational security.
  • The article posits that LockBit's rivalry with other ransomware groups, such as DarkSide, BlackMatter, and Conti, is adversarial yet indicates a level of familiarity and communication among the groups.
  • The author implies that LockBit's early expansion strategies, including a "summer paper contest" and a bug bounty program, were innovative methods for recruitment and gaining recognition in the cybercriminal community.
  • The case of Entrust's counter-DDoS attack against LockBit is presented as a rare example of a victim successfully challenging the ransomware group, causing them financial loss and a blow to their reputation.
  • The author expresses that despite the arrest of a LockBit agent by U.S. and Canadian authorities, the group's operations continue to thrive, indicating a robust and resilient organizational structure.
  • The conclusion of the article underscores the importance of cybersecurity measures, such as software updates and data backups, to protect against LockBit and other cyber threats, emphasizing prevention as key in the fight against ransomware attacks.

Hidden Secrets of LockBit Ransomware Revealed!!!

This article reveals a lot of insider information related to the LockBit ransomware gang and the ransomware cartel it belongs to.

People with LockBit Logo Tattoo — Picture Blurred Intentionally

Where To Begin……

OK, so I will begin the story by explaining what LockBit is. Then I will briefly cover LockBit's victimology and attack timeline, and then proceed to the research details that are revealed. This is going to be interesting and exciting, so read till the end.

Disclaimer

Please be advised that some of the screenshots used in this blog may contain content that some audiences may consider offensive or harmful. Read this article at your own discretion. You are solely responsible for your actions.

This information is for informative, educational and research purposes only. It can be used for intelligence gathering in your incident investigations and for the purpose of securing your organization. The motive for providing this information is to share intelligence and secure organizations against cyber threats. Do not use this information for illegal, unauthorized or unlawful activities.

What is this article about?

This article focuses on the human involvement in the LockBit ransomware gang. It delves into the human aspect of ransomware-as-a-service operations, offering insight into the thoughts, motivations, and actions of the threat actors behind the screens. The research is the outcome of months of interaction by the researcher in the criminal forums and private chat groups used by ransomware criminals, undertaken to gain inside knowledge about the LockBit gang.

What is a Ransomware Cartel?

The best way of representing this is:

Source: Analyst1 — Actual Source: CrowdStrike

What is LockBit Ransomware?

LockBit is a highly notorious and well-organized cybercrime group known for its attacks on large corporations and high-profile industries across the globe. Its activities have been widely reported by news and media outlets and analyzed by security experts, who have provided detailed technical assessments of its methods. I will not go into detail about what the LockBit group is; there are plenty of articles on the internet you can refer to in order to learn more about this gang's TTPs.

LockBit 3.0 aka LockBit Black ransom note, Source: GridInSoft
The mechanism of the LockBit builder, Source: GridInSoft

Here are some references if you want to read more about LockBit Ransomware:

Ransomware Spotlight: LockBit

Conti vs. LockBit: A Comparative Analysis of Ransomware Groups

LockBit 3.0 Ransomware Unlocked

A Deep-dive Analysis of LOCKBIT 2.0

LockBit 2.0 Ransomware Explained

How to Detect LockBit 3.0 (a.k.a. LockBit Black) Ransomware Attack?

Threat Report: Lockbit Ransomware

BleepingComputer

LockBit’s Global Victimology and Timeline

I think pictures speak volumes:

LockBit data auction leak site — August 2022, Source: Analyst1
Source: TrendMicro
Source: TrendMicro

LockBit Stands as an Undisputed Topper in the Ransomware Cartel

Due to its reach, scale, impact, and capability, LockBit has consistently ranked as the top ransomware gang in most of the studies, statistics, and articles published by various cybersecurity firms.

LockBit's encryption speed is higher than its rivals', Source: GridInSoft
Source: Cybertronium
Source: Ransomware.live
Source: TrendMicro
Source: TrendMicro

Other References which say LockBit tops the list:

Federal Agency Warnings on LockBit

Being one of the most successful, dreaded and active ransomware gangs, LockBit has always been in the news and has also been on the radar of federal agencies.

Now, Let’s Talk

LockBit’s Insider Information — Facts and Revelations

Here are some of the key revelations regarding the humans operating the LockBit ransomware cartel:

LockBit Operators: Human Behavioral Insights

The individual currently leading and directing the LockBit ransomware operation, who often uses the online persona “LockBitSupp,” demonstrates narcissistic traits that feed his ever-growing ego.

Over the last six months, the LockBitSupp persona has conducted several propaganda-based “smear campaigns” against rival gangs.

The leader of LockBit claims he stores the PGP keys, crypto wallets, key files, and other sensitive data on two disk drives. The drives are stored separately from one another so that no one can obtain access to both.

LockBit leadership claims it accesses its back-end infrastructure via Starlink, a US satellite internet service owned by SpaceX.

LockBit leadership claims it primarily relies on Bitcoin exchanges in Hong Kong and China to launder its money.

Ransomware Rivalry

According to the leader of LockBit, the developer of DarkSide ransomware is the same individual who developed BlackMatter and LockBit Black ransomware and previously developed malware for Fin7, another cybercrime group.

The previous attribution made by a third party linking LockBit to Gogalocker and Megacortex ransomware is false.

LockBit engages and communicates with several other ransomware gangs: DarkSide/BlackMatter, BlackCat, REvil, Hive, and BlackBasta. The relationships are adversarial, but the individuals behind these gangs appear to know one another and have, or have had, direct lines of communication with each other.

LockBit believes that Conti, and now BlackBasta, secretly work for and support the Russian government. LockBit believes the gang directly provides support to the FSB.

High-level relationships between criminal gangs, Source: Analyst1

LockBit’s Initial Expansion Strategies

In 2020, LockBit sponsored a “summer paper contest” in which applicants submitted academic-style papers on hacking and exploit techniques. LockBit selected the best paper and awarded the author a monetary prize. This was one of its early attempts to gain recognition among cybercriminals and demonstrates its “outside-of-the-box” approach to identifying and recruiting smart, up-and-coming criminals.

LockBit also released a bug bounty program for its ransomware.

LockBit offered to pay anyone who tattooed the LockBit name and logo on their body. The tattooed individual simply needed to post proof of the tattoo to collect payment.

Image blurred intentionally — people who tattooed the LockBit logo, Source: Analyst1, GitHub: LockBit Tattoos
LockBit Ransomware Bug Bounty Program, Source: Analyst1

Curious Case of Entrust Data Breach:

LockBit allegedly stole over 300 GB of internal data from Entrust, but the company took a bold stance when the cybercriminals threatened to release the stolen information. Unlike many other victims, Entrust counterattacked by launching a denial-of-service attack on LockBit’s infrastructure, rendering its data auction site and victim chat portal inaccessible for several days. This move not only defended Entrust's own data but also made LockBit appear weak and caused it financial loss. The frustrated LockBit team posted this:

Entrust’s response clearly frustrated LockBit, August 23, 2022, Source: Analyst1

Entrust achieved something remarkable by taking a stand against LockBit. By launching a DDoS attack, it temporarily shut down the cybercriminals’ operations and delayed the release of the stolen data. This move not only cost LockBit time and resources, but also meant LockBit received no payment for its ransom demand. While there is never a clear victor in a ransomware attack, Entrust sent a powerful message to LockBit through its actions, as the DDoS attack data shows. You can see how aggressive Entrust was toward LockBit in the screenshot below; it shows the DDoS packet information.

Entrust/LockBit DDoS attack data, Source: Analyst1

US and Canadian Governments Arrested LockBit Agent

On November 9, 2022, a dual Russian-Canadian citizen named Mikhail Vasiliev was arrested in Canada for his alleged involvement in the LockBit global ransomware campaign. The following day, the United States Department of Justice (DOJ) issued a criminal complaint against him, charging him with various ransomware-related offenses. The arrest received widespread coverage in news outlets around the world. The DOJ released the following statement regarding the arrest.

Game is Not Over — And The Threat is On Hunt!!

However, it is evident from the recent sharp increase in LockBit's victim list and cyber attacks that the arrest has not significantly impacted the ransomware cartel at its core.

LockBit is on top, current ransomware trends, Source: Ransomware.live

Conclusion: Who’s Next?

I want to conclude this article in an unusual way. LockBit is a notorious and well-organized cybercrime group known for its attacks on large corporations and high-profile industries worldwide. The group uses various tactics to steal data and demand ransom from its victims. It is important to be vigilant and protect your company's and your personal information from such attacks. This can be done by implementing security measures, such as keeping software up to date and regularly backing up important data, and by being aware of potential threats and suspicious activity. Remember, prevention is key when it comes to ransomware attacks, and being cautious can help mitigate the risk of falling victim to LockBit or any other cybercriminals.

Now, The Conclusion:

If you remember the good old Diamond Model, note that the Adversary already has the Infrastructure and Capability to attack and intrude into your organization. In addition, it has the intent and motive to do so. It is just in search of a Victim or Opportunity to exploit. So,

Don’t give chance…

Diamond Model of Intrusion

Reference and Credits:

It would be wrong and unethical of me not to give credit for this research work to Jon DiMaggio from Analyst1. I have tried to summarize his work for my dear readers here and have contributed additional secrets and internal information about LockBit from my months of research on the LockBit ransomware gang.

Like My Work? Then Why Don’t You Support Me:

Buy Me A Coffee!

Don’t Get Left in the Dark and Stay Ahead of the Game: Click Here to Join My Community and Learn Real Cybersecurity!
