LockBit: A deep-dive into the rapidly evolving RaaS gang and its unique business model
LockBit: A deep-dive into the rapidly evolving RaaS gang and its unique business model

News -

LockBit: A deep-dive into the rapidly evolving RaaS gang and its unique business model

  • New Logpoint study unfolds the ransomware threat landscape in the wake of the LockBit 3.0 launch in June 2022
  • LockBit 3.0 introduces new unique services such as automatic data exfiltration and the world’s first ransomware bug-bounty program

COPENHAGEN, Denmark & BOSTON, October 18, 2022 – Logpoint’s Global Services has identified 800 reported LockBit cases from May to September, which is twice as many as the closest competitors, BlackBasta, Alphpv/BlackCat, Hiveleak, and Clop, combined. LockBit is the most active RaaS strain, and Logpoint Global Services has investigated the threat in its latest Emerging Threats report.

“Ransomware groups have come and gone, techniques and tactics have evolved significantly, and activity levels have risen and fallen,” says Doron Davidson, VP Logpoint Global Services. “The latest variation, LockBit 3.0, also known as LockBit Black, represents yet another shift in the ransomware threat landscape. Organizations now face shorter time to detect attacks in the early stages and prevent ransomware deployment, and reduced opportunity to negotiate the ransom terms.”

LockBit attackers spent roughly 70 days within a network before releasing the ransomware in Q4 2021, 35 days in Q1 2022, and fewer than 20 days in Q2 2022. In addition, the attackers’ willingness to reduce the ransom has decreased significantly from an average of 80% last year to only 30% this year.

The LockBit threat development

LockBit is self-spreading and targeted and uses the double extortion model, in which its associates exfiltrate data from victim organizations and threaten to disclose it online. In June 2022, LockBit 3.0 launched a new bug bounty program to let security researchers and hackers find flaws in the gang’s projects and infrastructure hosted on the dark web. The LockBit creators have also developed an automatic data exfiltration tool called StealBit to improve the process.

While the overall number of ransomware incidents has decreased in recent months, the percentage that LockBit accounts for is likely to rise. This is partly because the Conti operation has allegedly shut down or splintered into smaller groups and partly because LockBit is attempting to attract more affiliates by offering better terms than their competitors, which appears to be successful.

The creators behind promote LockBit 3.0 as the world’s fastest and most stable ransomware. LockBit encrypts rapidly due to partial encryption. It only encrypts 4 KB of each file, enough to render it unreadable and unusable, allowing the attack to finish quickly before incident responders have time to shut down systems and isolate them from the network.

LockBit ransomware business model

The LockBit creators offer ransomware to affiliates for a cut of up to 75% of the ransom paid by victims. LockBit primarily targets organizations in North America and Europe due to the widespread prevalence of cyber insurance and higher profits. The malware also includes code that stops it from being executed on PCs configured with Eastern European language settings.

“Our report illustrates how ransomware gangs like LockBit operate as businesses. How they strive for a competitive advantage, develop their offerings, and innovate new products to stay relevant to their users. In reality, ransomware groups mirror software companies and are included in an entire ecosystem,” says Doron Davidson.

According to research by Coveware, LockBit was responsible for 15% of ransomware assaults in the first quarter of 2022, only behind Conti with 16%. According to a more recent assessment, LockBit was responsible for 40% of the ransomware assaults seen by NCC Group in May, followed by Conti. The most impacted industry verticals count professional and legal services, construction, the federal government, real estate, retail, high tech, and manufacturing.

Read Logpoint’s blog post about the findings here, and access the full Emerging Threats report, Hunting LockBit Variations Using Logpoint. The report offers an in-depth vulnerability analysis, means to detect and respond to the threat, including a collection of rules applicable to the procedures carried out by LockBit, and insights about incident investigation and response.

Related links

Topics

Categories

Contacts

Maimouna Corr Fonsbøl

Maimouna Corr Fonsbøl

Press contact Head of PR PR & Communications +45 25 66 82 98

Related content

Logpoint launches suite of compliance and security monitoring solutions for Business-Critical Systems

Logpoint launches suite of compliance and security monitoring solutions for Business-Critical Systems

Suite of solutions to address the security limitations of SAP by integrating complex SAP data with SIEM, SOAR and UEBA. Logpoint BCS for SAP solutions ensures SAP users robust security, business continuity and compliance by integrating complex SAP data with SIEM.

Logpoint releases Logpoint 7.1 to simplify secure digital transformation

Logpoint releases Logpoint 7.1 to simplify secure digital transformation

Logpoint announces the release of Logpoint 7.1 with upgrades to its SIEM, SOAR, and UEBA technologies to enhance the Converged SIEM platform and bolster cyber protection. The new features enable users to simplify security operations with improved UIs, workflows and automation options for faster threat detection and response.

Peer reviewers on the independent software review platform G2 have awarded Logpoint top marks in their reviews of SIEM and SOAR platforms

Logpoint receives top scores on SIEM and SOAR in G2 peer-to-peer reviews

Logpoint ranking as a Leader in the G2 Grid® for Security Orchestration, Automation, and Response (SOAR) Logpoint ranked as #4 out of 20 vendors in Security Information Event Management (SIEM) with a G2 Satisfaction Score of 83%

Logpoint 2023 predictions: The year of the business-driven CISO

Logpoint 2023 predictions: The year of the business-driven CISO

2023 is the year CISOs will be empowered – and forced – to address cybersecurity from a business perspective

An old acquaintance resurfaces with new capabilities

QakBOT: An old acquaintance resurfaces with new capabilities

A new Logpoint study reveals that the latest QakBot malware version is heavily used in malspam campaigns by notorious ransomware gangs. The new QakBot emergence uses multiple, simple yet effective defense evasion techniques against static detection methods.

Logpoint Global Services has researched the banking trojan IcedID, which has developed into a gateway for more sophisticated attacks

Cyber attackers hiding behind legal threats: A deep-dive into the IcedID gateway to sophisticated cyberattacks

Logpoint Global Services has researched the banking trojan IcedID, which has developed into a gateway for more sophisticated attacks. IcedID leverage legitimate infrastructure like contact forms and email to deliver fake legal threats or spoofed invoices.

Hunting BlackCat: A ransomware family on the rise

Hunting BlackCat: A ransomware family on the rise

Logpoint research reveals that BlackCat has the fourth-highest number of victims in the last six months. BlackCat uses its public leak site to intimidate victims, where anyone can easily search and access the leaked victim information.

The resurgence of a crippling malware: How to threat hunt Emotet

The resurgence of a crippling malware: How to threat hunt Emotet

Logpoint research reveals that Emotet has developed into a Loader-as-a-Service - a dropper of other malware. Logpoint recommends looking out for its common TTPs, IoCs, and malicious macros to detect Emotet.