What is LockBit ransomware and how does it operate?

LockBit has emerged as the most prolific name in ransomware attacks and has now been blamed for an incident that has hit Royal Mail’s international operations. Here is what we know about LockBit and how it operates.

What is ransomware?

Ransomware is a piece of malicious software, or malware, that is often inserted into an entity’s computer network via a so-called “phishing attempt”. This involves tricking the receiver into downloading the malware, commonly by clicking on a link or attachment contained in an email. The phishing attempt can also include trying to access the person’s user name and password to get into the network, by fooling them into thinking they are logging on to the network in question.

The malware then encrypts infected computers, making it impossible to access their content. The rogue actor behind the attack then demands money from the affected entity – typically a company or government organisation – for those computers to be unlocked or decrypted. According to the US Treasury, US banks and financial institutions alone processed approximately $1.2bn (£990m) in ransomware payments in 2021.

How does LockBit work?

LockBit is the name given to a specific piece of malware, with the criminal organisation behind it also carrying that name. The LockBit group also sells this malware to other operators for financial gain, in a model known as ransomware as a service (Raas). On underground forums the malware has been advertised as “the fastest encryption software all over the world”.

“We have seen a real trend in ransomware gangs operating an ‘affiliate model’ where they sell access to this malware on the dark web in exchange for payment, often in cryptocurrency,” says Toby Lewis, the global head of threat analysis at Darktrace, a UK cybersecurity firm. “This helps LockBit to scale its operations like a franchise.”

Lewis says LockBit operators do not just encrypt the files but also commit “double extortion” where they steal the data and threaten to release it online. Some of the features of the malware include being able to print ransom demands on affected network printers, a detail that has been reported in the Royal Mail hack, with the Daily Telegraph reporting that a ransomware note stated: “Lockbit Black Ransomware. Your data is stolen and encrypted.”

LockBit, like most ransomware groups, demands to be paid in cryptocurrency. Bitcoin has been the preferred payment method historically but according to Sophos, a British cybersecurity company, LockBit is demanding payment in other digital assets. “Many like LockBit have moved over to the cryptocurrency monero instead, due to the increased anonymity it provides,” says Peter Mackenzie, who leads the incident response team at Sophos.

He adds: “LockBit ransom demands can range from the hundreds of thousands into the tens of millions, typically based on the amount damage believed to have been caused, type of data stolen and how much they believe the victim can afford.”

Who is behind LockBit?

Most ransomware groups tend to operate from eastern Europe, former Soviet Republics and Russia itself. “LockBit falls into the same category,” says Lewis. In November the US Department of Justice charged a dual Russian and Canadian national, Mikhail Vasiliev, over alleged participation in LockBit’s ransomware campaign. The DoJ said LockBit had been deployed against at least 1,000 victims in the US and around the world, has made at least $100m in ransom demands and has “extracted tens of millions of dollars in actual ransom payments”.

Victims of LockBit attacks include Pendragon, a UK car dealership company, which has refused to pay a $60m ransomware demand.

According to Trustwave, a US cybersecurity firm, the LockBit group “dominates the ransomware space” and uses large payments to recruit experienced actors. It accounted for 44% of ransomware attacks in January-September last year, according to Deep Instinct, an Israeli cybersecurity firm.

The malware was previously known as “.abcd”, after the file extension that was added to encrypted files as they were made inaccessible. Ransomware, and the groups behind it, often undergoes name changes in order to avoid law enforcement or a company-style rebranding exercise after becoming excessively notorious.

“Rebranding is often a common occurrence. This may be to avoid law enforcement or it is simply to do with marketing,” says Lewis.

Can ransomware attacks be disabled?

This is difficult. Once the attack has got in, it is really hard to stop. “Your best chance is to stop the attack in the first place,” says Lewis. Cleanups often involve rebuilding systems and networks. “If you have got ransomware on your network it’s really hard to get reassurance any other way than to rebuild the systems from scratch.”

Is it illegal to pay ransomware demands?

Last year the UK data watchdog, the Information Commissioner’s Office, and the National Cyber Security Centre wrote to legal professionals in England and Wales stressing that law enforcement did “not encourage” the payment of ransoms although payments were not usually unlawful. For instance, it is illegal to pay ransoms if the affected entity knows, or has reason to suspect, the proceeds will be used to fund terrorism. The ICO and NCSC letter said: “Payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data.”

In the US, payment of ransoms is discouraged by the government, but an advisory note from the US Treasury in 2020 emphasised this was “explanatory only” and did “not have the force of law”.


This website uses cookies. By continuing to use this site, you accept our use of cookies.