[FIRSTCON 2024] Dissecting the Arsenals of LockBit

Author: Huiseong Yang | S2W TALON

#FIRSTCON24 — https://www.first.org/conference/2024/

Executive Summary

While many RaaS groups have come and gone in recent years, the LockBit group has been one of the most active. LockBit operates as a Ransomware-as-a-Service (RaaS) and employs multiple affiliates, causing more damage than any other ransomware group. As of 2023, it accounts for 1,118 of a total of 4,189 ransomware victims, about 27%, and is aggressive enough to rank first in the number of victims among RaaS groups.

The LockBit group has continued to grow its arsenal (which they refer to as a collection): LockBit Red, a 2.0 version of the original LockBit ransomware, developed in June 2021; LockBit Black, based on the BlackMatter ransomware, developed in June 2022; and the Conti-based LockBit Green, released last year. We have been tracking the LockBit group since its inception.

In addition, we have done an in-depth analysis and comparison of all LockBit ransomware from LockBit 1.0 to 3.0, including ransomware targeting Linux, macOS, and Windows. As a result, we identified code with the same functionality in each version and found a commonality among ransomware created from the leaked LockBit Black builder.

The results provide a look into the features that LockBit considers important and help distinguish LockBit affiliates from script kiddies who attack with the leaked builder.

Key Takeaways

  1. (Understand the evolution of LockBit) Based on data from tracking LockBit’s evolution since 2019, we’ve identified common characteristics and significant changes across LockBit’s weapons.
  2. (Understand LockBit’s views, ideas, and ideology) Get an in-depth look at LockBit’s dark web presence and recent issues to understand what LockBit considers important and how these ideas are reflected in its weapons.
  3. (Understand the features of the LockBit arsenals) Insights from a detailed analysis of LockBit ransomware versions and the LockBit builder.

For more details, please refer to the presentation at FIRSTCON 2024.

[FIRSTCON 2024] Dissecting the Arsenals of LockBit was originally published in S2W BLOG on Medium.

Article Link: [FIRSTCON 2024] Dissecting the Arsenals of LockBit | by S2W | S2W BLOG | Jun, 2024 | Medium