The Enigma of LockBit, The World’s Leading Ransomware Syndicate
Background
In September 2019, the LockBit ransomware made its official debut, initially gaining notoriety as the “ABCD” ransomware for using the .abcd extension to mark the files it encrypted. The early version, LockBit 1.0, was quite rudimentary. During its operations, the encryption software not only used a fixed mutex but also left behind debug functions that could be easily identified and intercepted by antivirus software and sandboxes.
As the organization expanded, LockBit 1.0 began operating under the Ransomware-as-a-Service (RaaS) model. This involved developing and distributing ransomware tools for use by other malicious actors and promoting its partnership program on a well-known Russian-language forum, XSS.
Eight months later, the operators of LockBit 1.0 upgraded their ransom strategy by creating a site for publishing victims’ data. This, combined with file encryption, aimed to further pressure victims into paying the ransom, achieving a “double extortion” tactic.
After several minor upgrades, LockBit 1.0 exhibited more sophisticated methods compared to other ransomware. It encrypted files targeting the Windows system using the RSA + AES algorithms and enhanced work efficiency with IOCP (I/O Completion Ports) and the AES-NI instruction set, achieving a high-performance encryption process. Once the encryption was successful, all victim files were appended with the .abcd extension, making them undecryptable.
During the LockBit 1.0 era, the group primarily used a tactic of changing the victim’s system desktop wallpaper to display ransom notes and left a ransom note named Restore-My-Files.txt. Victims were instructed to log onto the dark web and pay a ransom in Bitcoin or Monero.
This syndicate became famous for several high-profile attacks. For example, in June 2022, they launched LockBit 3.0, which included a bug bounty program that invited security researchers to test and improve their software. Offering rewards for uncovering system vulnerabilities was a unique approach in the realm of ransomware.
Since its inception, LockBit has had a significant impact on cybersecurity, with its attacks often leading to the theft of sensitive data and financial losses for the victims.
An “Infamous” History
Before May 2022, LockBit was unrivaled, breaching the defenses of over 850 businesses and institutions worldwide, accounting for 46% of all ransomware-related attacks during the same period.
RaaS Affiliate Model:
Mode of Attack:
According to data from the cybersecurity firm Dragos, about one-third of ransomware attacks on industrial systems in the second quarter of 2022 were initiated by LockBit, dealing a significant blow to many large enterprises in the industrial control sector. A report by Deep Instinct noted that in the first half of 2022, LockBit was responsible for approximately 44% of all ransomware attacks.
In just three years, the number of victims of the LockBit ransomware gang has surpassed a thousand, double that of the veteran ransomware organization Conti, and more than five times that of Revil.
Notably, the ransom recovery rate of the LockBit ransomware group also exceeds that of many veteran ransomware organizations. In 2022, for the $100 million in ransom demands it issued, the success rate of its extortion exceeded half, leaving countless businesses in fear.
Current Situation
Given these circumstances, the gang has attracted the attention of law enforcement agencies worldwide. In November 2022, the U.S. Department of Justice (DoJ) charged Mikhail Vasiliev, a man with dual Russian and Canadian nationality, for his alleged involvement in the LockBit ransomware operations. He is currently detained in Canada, awaiting extradition to the United States.
In May, 30-year-old Russian national Mikhail Pavlovich Matveev, also known by the aliases Wazawaka, m1x, Boriselcin, and Uhodiransomwar, was charged by the U.S. Department of Justice with participating in multiple ransomware attacks.
The U.S. Department of Justice released two indictments accusing him of using three different types of ransomware to attack numerous victims across the United States, including law enforcement agencies in Washington D.C. and New Jersey, as well as organizations in the healthcare sector and other sectors nationwide:
- Around June 25, 2020, Matveev and his LockBit accomplices attacked a law enforcement agency in Passaic County, New Jersey;
- On April 26, 2021, Matveev and his Babuk conspirators attacked the Metropolitan Police Department of Washington D.C.;
- Around May 27, 2022, Matveev and his Hive conspirators attacked a non-profit behavioral healthcare organization in New Jersey.
On February 19, 2024, the infamous ransomware gang LockBit’s website was seized in a joint law enforcement operation involving the UK’s National Crime Agency, the United States Federal Bureau of Investigation, Europol, and an international coalition of police forces.
The U.S. Treasury’s website, treasury.gov, has disclosed sanctions information, including personal information, as well as BTC and ETH addresses:
Let’s use MistTrack to examine the sanctioned ETH address (0xf3701f445b6bdafedbca97d1e477357839e4120d)
We discovered that the funds associated with this ETH address have been completely laundered.
Further analysis of the sanctioned BTC addresses reveals that the earliest transaction for these addresses dates back to October 2019, with the most recent transaction traceable to March 2023. The funds in each of these addresses have been transferred.
Among these, the address receiving the largest amount of funds is 18gaXypKj9M23S2zT9qZfL9iPbLFM372Q5. This address is associated with LockBit-affiliated company Artur Sungatov and has been marked by MistTrack as a Binance Deposit address, with the funds already transferred.
Additionally, the address 32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM received 52.7892 BTC and is associated with LockBit’s Ivan Kondratyev. MistTrack flagged it as a Kucoin Deposit address. This address also received 0.4323 BTC from another sanctioned address, bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng6.
The U.S. government, in collaboration with the UK and Europol, disclosed more information about the LockBit ransomware organization, revealing that LockBit has 193 branches:
The Mystery of the Arrests
A spokesperson for the UK’s National Crime Agency stated that LockBit’s operations had been disrupted, marking an ongoing and evolving operation. This operation is the latest in a years-long struggle between law enforcement and ransomware gangs, dealing a significant blow to LockBit’s recent transnational ransomware operations and serving as an effective deterrent against the increasingly rampant ransomware attacks.
Upon examining LockBit’s nodes, each known LockBit ransomware organization website was either offline or displayed a page indicating seizure by EUROPOL. Law enforcement agencies have seized or dismantled at least 22 Tor sites in what is referred to as “Operation Chronos.”
Following the seizure, the management of the LockBit ransomware group confirmed to the media that their websites had been shut down:
However, it appears that the seizure did not affect the core members of LockBit. The ransomware organization then posted a message to individuals on Tox stating: “The FBI messed up the server using PHP; the backup servers without PHP were not affected.”
Today, the narrative took a turn when the LockBit leadership stated that they had communicated with the management of the LockBit ransomware organization regarding the law enforcement’s announcement to reveal the identities of the LockBit leadership on Friday, February 23, 2024.
LockBit responded: “Let them reveal it; I’m sure they don’t know who I am.” Subsequently, the LockBit ransomware group changed its name to “FBI Supp” in a mocking gesture towards law enforcement agencies.
According to @vxunderground, it now seems that the mastermind behind the operation has not been captured. Even more, LockBit is openly offering a larger reward for the public to find them.
The story gets increasingly intriguing as law enforcement agencies claim that more information about the LockBit organization will be released in the coming days.
What happens next? We shall wait and see.
Conclusion
This crackdown represents the latest in a series of law enforcement actions against ransomware gangs. At the end of last year, the FBI and other agencies had already successfully dismantled the networks and infrastructure of several ransomware gangs, including Qakbot and Ragnar Locker.
At the recent Munich Cyber Security Conference, the Deputy Attorney General of the United States emphasized the country’s determination to combat ransomware and cybercrime. He proposed adopting faster, more proactive strategies focused on preventing and disrupting these criminal activities.
With the development of digital technology, cybercrime relying on cryptocurrencies has become a significant global challenge. Cybercrimes like ransomware not only cause losses to individuals and businesses but also pose serious risks to society as a whole. According to statistics, cybercriminals extorted over $1 billion from victims worldwide last year.
Moreover, ransomware governance is a contest between attackers and security personnel, requiring patience, strategy, and timing.
Take LockBit ransomware as an example; it continually iterates and updates its attack methods, strategies, and points of entry with each version. This makes it difficult for security personnel to form a complete remediation system. Therefore, in the process of ransomware governance, prevention is far more important than remediation. It’s essential to adopt a systematic, comprehensive, and multi-faceted approach to form a defense against ransomware. Strong protective measures are highly recommended:
- Use complex passwords: Internally, enterprises should use complex login credentials for servers or internal systems, such as passwords that include numbers, uppercase and lowercase letters, special symbols, and are at least 8 characters long, changing them regularly.
- Two-factor authentication: For sensitive corporate information, add another layer of defense on top of password logins to thwart hacker attacks, such as biometric verification (fingerprint, iris recognition) or physical USB key authenticators on certain sensitive systems.
- Avoid four practices: Do not click on emails from unknown sources; avoid visiting websites with inappropriate content, such as pornography or gambling; do not install software from unknown sources, and be cautious about installing software sent by strangers; do not insert unknown USB drives, external hard disks, flash memory cards, and other mobile storage devices into your devices.
- Data backup and protection: The real safeguard against data loss is always offline backup, so backing up critical data and business systems is crucial. Ensure clear labeling of each backup stage, so you can quickly recover if a backup is infected by malware.
- Regular virus scanning and port management: Install antivirus software and regularly update its virus database, performing full-system scans periodically; close unnecessary services and ports, including unnecessary remote access services like port 3389, port 22, and unnecessary local network sharing ports like 135, 139, and 445.
- Enhance employee security awareness: The biggest hidden danger in safety production lies in personnel. Phishing, social engineering, baiting, weak passwords, and other key factors are all closely related to personnel’s security awareness. Therefore, to strengthen overall security fortification and improve defense capabilities, it’s crucial to enhance personnel’s security awareness.
- Patch office terminals and servers promptly: Apply patches to the operating system and third-party applications in a timely manner to prevent attackers from invading the system through vulnerabilities.
Acknowledgements: WuBlockchain, @vxunderground, Xitan Lab, YunDing Lab
References:
[1] https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant
[3] https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant
[4] https://ofac.treasury.gov/recent-actions/20240220
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.