Threat Actor Profile
LockBit
LockBit ransomware, first observed in September 2019, is one of the most prolific ransomware operations worldwide. It runs on a ransomware-as-a-service (RaaS) model: a core team develops and maintains the malware and the leak-site infrastructure, while affiliates carry out intrusions across every industry vertical. Using double extortion, LockBit affiliates steal data before encrypting it and then demand a ransom under the threat of publication, frequently targeting large organizations. The operation's speed, tooling, and affiliate-friendly terms have made it one of the most notorious ransomware groups of the past several years.
Country of Origin
LockBit's country of origin has never been confirmed. Analysts generally place the core operators in Russia or elsewhere in Eastern Europe, based on their Russian-language activity on underground forums and on the malware's behaviour: the encryptor checks the system language settings and exits on hosts configured for the languages of CIS (Commonwealth of Independent States) countries, a pattern typical of crews that avoid prosecution by not attacking victims at home.
Members
The exact size of LockBit's membership is unknown. It is believed to consist of a small core team that develops the ransomware, runs the affiliate panel and leak site, and handles publicity, plus a large and changing pool of affiliates who perform the intrusions. Affiliates are recruited through underground forums and keep a share of the ransom payments they collect, which is why different LockBit incidents often show different initial-access and lateral-movement tradecraft.
Leadership
The leadership structure of LockBit is not publicly documented. The operation's public face is the forum persona "LockBitSupp", which handles affiliate recruitment, disputes, and press; the individuals behind the persona and the core team were not publicly identified for years. Because affiliates operate independently once they have the encryptor, the group behaves more like a franchise than a single hierarchy, which is characteristic of many RaaS operations.
Lockbit TTPs
LockBit affiliates follow a well-rehearsed set of tactics, techniques, and procedures (TTPs) designed to maximize the impact of each intrusion: initial access, credential theft and lateral movement, data exfiltration, and finally mass encryption.
Tactics
LockBit's primary objective is financial gain through ransom payments. Affiliates favour organizations with the means to pay and the operational pressure to pay quickly, and they combine encryption with the threat of publishing stolen data on the group's leak site to increase that pressure.
Techniques
Initial access is typically gained through phishing, exposed or brute-forced Remote Desktop Protocol (RDP) services, stolen VPN credentials, or exploitation of vulnerabilities in internet-facing systems; affiliates also buy access from initial access brokers. Once inside, affiliates rely on Cobalt Strike and living-off-the-land tooling for post-exploitation and lateral movement, and the encryptor can be pushed to many hosts at once via tools such as PsExec or Group Policy. LockBit is also known to disable or evade endpoint security products and to use its own exfiltration tool, StealBit, to move data out before encryption.
Procedures
LockBit practises double extortion: victim data is exfiltrated, then encrypted, and the group threatens to publish it on its leak site if demands are not met. Before encryption, affiliates routinely delete volume shadow copies, disable Windows recovery options, and clear event logs to hinder recovery and forensics. The core team releases updated encryptor versions and adapts quickly to new defenses and to detections of earlier variants.
Notable Cyberattacks
LockBit's activity surged in mid-2021 with the release of LockBit 2.0, when affiliates hit numerous international corporations, including the August 2021 attack on Accenture. Stolen data from these incidents was posted on the group's data leak site, damaging reputations and disrupting operations for victims that did not pay.
Law Enforcement & Arrests
Law enforcement has made strides against LockBit. In November 2022, U.S. authorities charged a dual Russian-Canadian national, arrested in Canada, with participating in LockBit attacks. In February 2024, an international operation led by the UK's National Crime Agency (Operation Cronos) seized LockBit's leak site and affiliate infrastructure. Even so, the decentralized affiliate model complicates complete disruption: affiliates can move to other RaaS programs, and the operators have tried to rebuild after takedowns.
How to Defend Against
Defending against LockBit involves layered cybersecurity defenses. Organizations should keep offline or immutable backups and test restores, remove RDP from the internet and require multi-factor authentication on RDP and VPN access, patch internet-facing services promptly, conduct frequent vulnerability assessments, and deploy endpoint detection and response (EDR) solutions that alert on precursor activity such as shadow copy deletion and log clearing. Huntress EDR tools enhance protection by monitoring for early signs of compromise and swiftly responding to ransomware activity.
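The following is an added example, not code from the original page or from Huntress, that turns the "Techniques" and "How to Defend Against" sections above into detection logic a practitioner can run: it flags the pre-encryption commands described under Procedures (shadow copy deletion, recovery tampering, log clearing) and a burst of failed RDP logons followed by a success from the same source. The log records are constructed for the example and use a simplified flat layout standing in for Windows Security events 4624/4625 and Sysmon process-creation events; the thresholds and field names are assumptions, not vendor defaults.

```python
"""Toy detection pass for LockBit-style precursor activity (added example).

The records below are constructed, not captured telemetry, and the flat dict
layout is an assumed stand-in for Windows Security (4624/4625) and Sysmon
process-creation (event 1) logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Commands commonly run right before encryption: shadow-copy deletion and
# boot-recovery tampering (ATT&CK T1490) and event log clearing (T1070.001).
RECOVERY_TAMPER_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "T1490 vssadmin shadow copy deletion"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "T1490 wmic shadow copy deletion"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I), "T1490 bcdedit recovery disabled"),
    (re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I), "T1070.001 event log cleared"),
]

# Constructed sample events (NOT real telemetry). RDP network logons are logon_type 10.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T02:00:01", "host": "SRV01", "event": 4625, "src_ip": "203.0.113.5", "logon_type": 10, "user": "administrator"},
    {"ts": "2024-01-01T02:00:09", "host": "SRV01", "event": 4625, "src_ip": "203.0.113.5", "logon_type": 10, "user": "admin"},
    {"ts": "2024-01-01T02:00:16", "host": "SRV01", "event": 4625, "src_ip": "203.0.113.5", "logon_type": 10, "user": "backup"},
    {"ts": "2024-01-01T02:00:24", "host": "SRV01", "event": 4625, "src_ip": "203.0.113.5", "logon_type": 10, "user": "svc_sql"},
    {"ts": "2024-01-01T02:00:31", "host": "SRV01", "event": 4625, "src_ip": "203.0.113.5", "logon_type": 10, "user": "helpdesk"},
    {"ts": "2024-01-01T02:00:40", "host": "SRV01", "event": 4625, "src_ip": "203.0.113.5", "logon_type": 10, "user": "administrator"},
    {"ts": "2024-01-01T02:05:00", "host": "SRV01", "event": 4625, "src_ip": "198.51.100.9", "logon_type": 10, "user": "jdoe"},  # one typo, benign
    {"ts": "2024-01-01T02:06:12", "host": "SRV01", "event": 4624, "src_ip": "203.0.113.5", "logon_type": 10, "user": "administrator"},  # attacker succeeds
    {"ts": "2024-01-01T02:41:03", "host": "WS07", "event": 1, "user": "CORP\\administrator", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-01-01T02:41:05", "host": "WS07", "event": 1, "user": "CORP\\administrator", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2024-01-01T02:41:07", "host": "WS07", "event": 1, "user": "CORP\\administrator", "cmdline": "wevtutil cl Security"},
    {"ts": "2024-01-01T02:41:30", "host": "WS07", "event": 1, "user": "CORP\\jdoe", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},  # benign
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def find_recovery_tampering(events):
    """Return process-creation events whose command line matches a tampering pattern."""
    hits = []
    for e in events:
        if e.get("event") != 1:
            continue
        for pattern, label in RECOVERY_TAMPER_PATTERNS:
            if pattern.search(e["cmdline"]):
                hits.append({"ts": e["ts"], "host": e["host"], "user": e["user"], "rule": label, "cmdline": e["cmdline"]})
                break  # one label per event is enough
    return hits


def find_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed RDP logons (4625, type 10) in any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event") == 4625 and e.get("logon_type") == 10:
            by_src[e["src_ip"]].append(_ts(e))
    hits = []
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append({"src_ip": src, "max_failures_in_window": best, "first_seen": times[0].isoformat()})
    return hits


def find_bruteforce_then_success(events, threshold=5, window=timedelta(seconds=60)):
    """Escalate: a brute-forcing source that later gets a successful RDP logon (4624, type 10)."""
    suspects = {h["src_ip"]: datetime.fromisoformat(h["first_seen"])
                for h in find_rdp_bruteforce(events, threshold, window)}
    return [
        {"src_ip": e["src_ip"], "user": e["user"], "host": e["host"], "ts": e["ts"]}
        for e in events
        if e.get("event") == 4624 and e.get("logon_type") == 10
        and e["src_ip"] in suspects and _ts(e) > suspects[e["src_ip"]]
    ]


def analyze(events, threshold=5, window=timedelta(seconds=60)):
    """Run all three detections and return the findings keyed by rule name."""
    return {
        "recovery_tampering": find_recovery_tampering(events),
        "rdp_bruteforce": find_rdp_bruteforce(events, threshold, window),
        "bruteforce_then_success": find_bruteforce_then_success(events, threshold, window),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

On the constructed input the pass reports three tampering commands on WS07, one brute-forcing source (six failures inside a minute), and one escalation where that source later logs in as administrator; the single failed logon from 198.51.100.9 stays below the threshold. In production the same three signals would come from Security and Sysmon telemetry collected by the EDR, and the brute-force threshold and window should be tuned to the environment's normal failure rate.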
Other RaaS Threat Actors
BlackCat (ALPHV)
BlackCat (also known as ALPHV) is a sophisticated ransomware group first observed in late 2021. Widely recognized for its use of advanced ransomware-as-a-service (RaaS) operations, BlackCat targets organizations across various industries and leverages double extortion tactics to pressure victims.