“Make Ransomware Great Again!”
With this proclamation, the infamous LockBit ransomware group released its latest ransomware-as-a-service offering, LockBit 3.0 (also known as LockBit Black).
The new offering focuses primarily on data exfiltration, as opposed to encrypting files on a victim’s computer.
The group also published a series of “Affiliate Rules” and announced what cybercrime experts call a first for the dark web: a bug bounty program. This reportedly offers a $1 million payout to those who reveal Personally Identifiable Information (PII) about known individuals, as well as any web security exploits.
“We invite all security researchers, ethical and unethical hackers on the planet,” the group posted upon the release of LockBit 3.0.
With the recent dissolution of the cybercrime syndicate Conti, this new iteration puts LockBit at the forefront of the ransomware landscape. It also signals the growing use and sophistication of the ransomware-as-a-service (RaaS) model.
“Ransomware-as-a-service has increased the speed at which gangs can develop effective new codebases and business models,” said Darren Williams, Ph.D., CEO and founder of cybersecurity company BlackFog. “This underground network of gangs works closely together and shares knowledge to maximize profits.”
Ransomware-as-a-service: A New Economy
RaaS is a criminal take on the popular software-as-a-service (SaaS) business model. Subscription allows affiliates to use ransomware tools developed by expert coders to perform ransomware attacks. Affiliates then earn percentages of successful ransom payments.
According to cybersecurity experts, its spread is a signal that cybercrime syndicates are becoming more and more like professionally-run entities. It also marks a new era of standardized cybercrime.
Lockbit 3.0, in particular, is still early in its life cycle, Williams noted, but added that “there is no doubt” that other cyber gangs will replicate their behavior and business models. “It doesn’t take long for new techniques to trickle down to other groups, especially if they’ve been successful,” he said.
According to a report from NCC Group’s Strategic Threat Intelligence team, ransomware attacks fell 42% in June compared to the previous month. But, the company warns, this should not be taken as a sign that ransomware is on the decline; quite the contrary.
The reduced activity is largely due to the recent dissolution of Conti and the retirement of LockBit 2.0, according to NCC Group. LockBit remained the clear leader, with 55 victims – 244% more attacks than the second-largest threat actor, Black Basta. By contrast, Conti’s attacks dropped 94% as the group disbanded and its members integrated into other, smaller syndicates.
According to NCC Group, the most targeted sectors were manufacturing (37%), consumer discretionary (18%), and technology (11%).
Ransomware incident response company Coveware reports that the average ransom paid by victims in the first quarter of 2022 was $211,529. In addition, attackers typically demand payment only in Bitcoin.
An ever-changing landscape
According to BlackFog, ransomware has been around for nearly as long as the World Wide Web itself, but is growing dramatically due to shifts in work patterns — particularly the emergence of hybrid and remote environments — as well as higher reputation and regulatory fines (public exposure of data can be much more harmful, and the legal consequences of failing to prevent data breaches are “higher than ever”), and easier access to ransomware tools.
The most recent “Ransomware Trend Report” has revealed a renewed focus on weaker targets, including education (up 33%), government (up 25%) and manufacturing (up 24%).
This is evidenced by attacks in June on the University of Pisa (which paid a $4.5 million ransom), Brooks County, Texas (which paid the $37,000 ransom with taxpayers’ money), and the Cape Cod Regional Transit Authority.
All told, BlackFog recorded 31 publicly disclosed ransomware attacks in June.
Matt Hull, global lead for strategic threat intelligence at NCC Group, pointed to “massive changes” in the ransomware threat scene, adding that “it is clear that we are in a transient phase.”
“This is an ever-changing landscape that needs to be continuously monitored,” he said.
LockBit: what it is and the latest iteration
LockBit appeared in 2019, but the ransomware didn’t gain significant traction until the launch of LockBit 2.0 in the second half of 2021. After critical bugs in Lockbit 2.0 were discovered in March, the authors set to work updating encryption routines and adding new features to frustrate researchers.
Interestingly and surprisingly, the group claims, “very shamelessly,” to be based in the Netherlands, said Drew Schmitt, chief threat intelligence advisor at cybersecurity firm GuidePoint Security. The group also stated that former USSR countries cannot be targeted because most of its members grew up there. According to Schmitt, this gives credence to the general hypothesis that the majority of ransomware groups operate from Eastern Europe and Russia.
Ultimately, LockBit remains “at the forefront of the threat landscape and the most prominent threat actor,” according to a monthly report from IT security company NCC Group.
Most notably, LockBit 3.0 is pioneering a new ransomware concept: extorting victims directly and not – at least initially – disclosing an attack, Williams explains. The group gives victims several options, each with its own price: extend the payment deadline by 24 hours, have the exfiltrated data deleted immediately, or download the data.
“This unique approach maximizes the potential ransom that can be extracted from each victim,” Williams said. It also adds “even more efficiency” to LockBit’s extortion mechanism.
Meanwhile, according to LockBit’s “Affiliate Rules,” critical infrastructure cannot be encrypted, but data can still be stolen. This explicitly calls out that “it’s not the encryption of the files, it’s just data theft,” Schmitt said. “You can’t encrypt it, but you can steal all the data you want.”
This is particularly interesting, he said, because so far no distinction has been made between encrypting information systems related to critical infrastructure and stealing data related to critical infrastructure. This explicit definition allows affiliates to still attack critical infrastructure, steal data, and pursue large payouts, but without experiencing the backlash seen by other groups attacking critical infrastructure.
LockBit is also setting out “more explicit rules” for attacks on previously taboo industry sectors — including educational institutions, as long as they are private, for-profit schools. The group also allows the unrestricted targeting of medically related institutions such as pharmaceutical companies, dental clinics and plastic surgery providers.
Yet they “draw the line” wherever people could be harmed, prohibiting attacks on health care and other institutions focused on life-saving medical treatments. Even in those cases, however, affiliates are still allowed to steal data.
As Schmitt noted, “It appears that LockBit extortion is taking a somewhat new direction, giving affiliates more opportunities to monetize criminal activity outside of the traditional method of double extortion.”
Vetting affiliates
LockBit has also provided an “unprecedented public view” of its affiliates’ vetting and application process, Schmitt said. The group announced that “every candidate to join our affiliate program must understand that we are constantly trying to get hacked and cause harm in some way” as the reason for having such a rigorous vetting process. The requirement of a Bitcoin deposit is to ensure that a potential partner is not a journalist, security researcher or member of law enforcement, Schmitt explained.
Additional criteria for vetting and maintaining affiliate status include:
- Being active in working with the LockBit software package.
- Having the ability to earn more than 5 Bitcoin per month.
- Providing links to profiles on various hacker forums, proof of experience with other affiliate programs and current crypto account balances.
- Passing vetting of technical capability and evidence of past attacks.
Likewise, the group’s announced bug bounty program is an effort to improve the quality of the malware and financially reward those who help. A $1 million reward is available to anyone who can identify the affiliate program manager, Schmitt said. Similarly, the group offers incentives to disgruntled employees to work from within companies and discover vulnerabilities in their systems.
Preventing extortion
As Williams noted, LockBit’s new options are changing the way organizations should measure the risks of exfiltrated data, “because anyone can buy their data at any time.”
To protect themselves, organizations must focus on endpoint security, he said. This is the practice of securing endpoints, or access points, to prevent the misuse of end-user devices such as desktops, laptops, and mobile and IoT devices. It’s especially critical as more devices connect to an organization’s network, Williams said, and as traditional solutions like firewalls become less effective at stopping the next generation of sophisticated attacks.
Anti-data-exfiltration tools on the device can ensure that, even if cybercriminals gain access to a network or device, they cannot steal data. These tools also have geo-blocking features that refuse the transfer of data to certain countries, for example Russia or North Korea: regions that a particular company wouldn’t otherwise communicate with, Williams explained.
Organizations would also do well to monitor connections between IP addresses and networks and compare them to known malware command and control centers, Williams said. And it’s critical that businesses can identify traffic anomalies, whether they’re suspicious data transfer volumes, strange destinations, or performed outside normal business hours.
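As an added example that is not from the article or from any vendor product it mentions, the checks Williams describes in the two paragraphs above (geo-blocking, matching destinations against known command-and-control infrastructure, and flagging volume, destination and off-hours anomalies) can be sketched as a triage rule over outbound flow records. The C2 ranges (TEST-NET addresses), the country list, the thresholds and the flow records are all constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed indicators, not real ones: TEST-NET ranges stand in for C2 infrastructure.
KNOWN_C2_NETWORKS = [ip_network("203.0.113.0/24")]
GEO_BLOCKED_COUNTRIES = {"RU", "KP"}          # destinations this company never talks to
BUSINESS_HOURS = (8, 18)                      # local hours, start inclusive, end exclusive
VOLUME_THRESHOLD_BYTES = 500_000_000          # a single 500 MB outbound flow is anomalous here

# Constructed flow records: (flow_id, local timestamp, destination IP, country, bytes sent)
SAMPLE_FLOWS = [
    ("f1", "2022-06-14T10:15:00", "198.51.100.7",  "US",   2_400_000),
    ("f2", "2022-06-14T02:40:00", "203.0.113.45",  "NL",  12_000_000),
    ("f3", "2022-06-14T11:05:00", "192.0.2.9",     "RU",       3_000),
    ("f4", "2022-06-14T23:50:00", "198.51.100.20", "US", 750_000_000),
    ("f5", "2022-06-14T14:30:00", "198.51.100.21", "US",      90_000),
]


def flag_reasons(flow):
    """Return the list of reasons a single outbound flow deserves analyst attention."""
    _flow_id, ts, dst, country, bytes_out = flow
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if any(ip_address(dst) in net for net in KNOWN_C2_NETWORKS):
        reasons.append("known_c2_destination")      # matches known C2 ranges
    if country in GEO_BLOCKED_COUNTRIES:
        reasons.append("geo_blocked_country")       # geo-blocking policy
    if bytes_out > VOLUME_THRESHOLD_BYTES:
        reasons.append("suspicious_volume")         # unusual transfer size
    if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
        reasons.append("outside_business_hours")    # off-hours activity
    return reasons


def triage(flows):
    """Map flow_id -> reasons for every flow that trips at least one rule."""
    hits = {}
    for flow in flows:
        reasons = flag_reasons(flow)
        if reasons:
            hits[flow[0]] = reasons
    return hits


if __name__ == "__main__":
    for fid, reasons in triage(SAMPLE_FLOWS).items():
        print(fid, ", ".join(reasons))
```

In practice the thresholds would come from a per-host baseline rather than a constant, and the indicator list from a threat-intelligence feed.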
Rather than follow traditional defensive strategies, Williams said, organizations should focus specifically on anti-data exfiltration. “If the gangs can’t steal your data,” he said, “they have nothing to blackmail you with in the first place.”