The alleged mastermind of the LockBit Ransomware has been identified

“If you are a cybercriminal and are active on these marketplaces, forums or platforms, you cannot be sure that law enforcement there will not observe you and take action against you,” said Paul Foster, the head of the NCA's National Cybercrime Unit.

Rise of Supp

LockBit first emerged in 2019 as a new ransomware-as-a-service (RaaS) platform. Under this scheme, a handful of individuals, organized under the LockBitSupp handle, created the group's easy-to-use malware and launched its leak website. This group licensed LockBit's code to “affiliate” hackers who launched attacks and negotiated ransom payments, ultimately netting LockBit about 20 percent of their profits.

Despite thousands of attacks, the group initially tried to keep a low profile compared to other ransomware groups. As LockBit became more famous over time and began to dominate the cybercrime ecosystem, its members became braver and arguably more careless. The NCA's senior investigator says they have extracted data on 194 affiliates from LockBit's systems and are piecing together their offline identities. Only 114 of them made no money, the investigator says. “There were those who were incompetent and did not carry out attacks,” they say.

At the center of all this was the LockBitSupp persona. The NCA investigator said there were “numerous” examples where the LockBit administrator immediately “took responsibility” for high-profile or high-ransom negotiations after affiliates initially attacked the companies or organizations.

Jon DiMaggio, a researcher at cybersecurity firm Analyst1, has spent years researching LockBit and interacting with the LockBitSupp handle. “He treated it like a business and often sought feedback from his affiliates on how to make the criminal operation more effective,” DiMaggio said. The LockBitSupp character would ask affiliates what they needed to do their work more effectively, the researcher says.

“He didn't just take money for himself, he reinvested it in developing his operation and made it more attractive to criminals,” DiMaggio said. During the life cycle of the LockBit group, there were two major updates and releases of the malware, each more capable and easier to use than the previous one. Analysis of the law enforcement operation by security company Trend Micro shows a new version was also being worked on.

DiMaggio says the person he spoke to privately under the name LockBitSupp was “arrogant” but “very business-like and very serious” — aside from sending cat stickers as part of chats. In public, LockBitSupp was very different on Russian-language cybercrime forums where hackers exchange data and discuss hacking politics and news, DiMaggio said.

“The persona he amplified on the Russian hacking forums was a mix of supervillain and Tony Montana Scarface,” says DiMaggio. “He flaunted his success and money, and that sometimes misled people.”

In addition to offering a reward for their own identity, the more innovative and whimsical side of LockBitSupp also ran an essay writing contest on the hacking forums, offered a “bug bounty” if people found bugs in LockBit's code, and said they would pay $1,000 to anyone who got the LockBit logo as a tattoo. About 20 people posted photos and videos of their tattoos.