UK's NCA, U.S. DOJ, FBI and Europol Disrupt Lockbit Ransomware Group

Today the UK’s National Crime Agency (NCA), the United States Department of Justice (DOJ), the FBI, and Europol announced the disruption of notorious ransomware group LockBit and the takedown of its associated website infrastructure.

LockBit is one of the most prolific ransomware groups in the world. The group has had unprecedented impact on businesses and critical infrastructure across the globe, using a Ransomware-as-a-Service (RaaS) model to conduct thousands of attacks and extort victims for large ransom payments in cryptocurrency. Through on-chain analysis, TRM estimates that addresses controlled by LockBit administrators and affiliates have received over GBP 160 million (or USD 200 million) in bitcoin since 2022, of which over 85 million GBP (or 110 million USD) are still unspent in multiple addresses on-chain. 

LockBit’s economic impact 

Since January 2020, LockBit has been the most deployed ransomware variant in the world, with affiliates targeting organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. Some of LockBit’s notable attacks include those on Entrust (June 2022), the Italian Revenue Agency (July 2022), the Royal Mail (January 2023), IBM (May 2023), Carthage Area Hospital & the Clayton-Hepburn Medical Center (September 2023), and Boeing (November 2023).

The economic cost of such attacks extends well beyond the initial ransom payment to include losses from disrupted operations and reputational damage. IBM’s Cost of a Data Breach Report 2023 has estimated that the average cost of a data breach caused by a ransomware attack, not including the ransom payment, is USD 4.45 million. LockBit has committed over 2000 confirmed attacks, suggesting that its economic impact could be over USD 8 billion. 

LockBit has evolved from ABCD to LockBit Green

LockBit emerged in 2019 as an evolution of ABCD ransomware. Its versions have evolved over the years - from LockBit to LockBit 2.0, also known as LockBit Red, to LockBit 3.0, also known as LockBit Black, to LockBit Green, which incorporates source code from Conti ransomware. This most recent variant features a bug bounty program, privacy enhanced cryptocurrencies (e.g. Zcash), and novel extortion methods, incorporating strategies from the BlackMatter and DarkSide ransomware operations. This version, equipped with anti-detection techniques and passwordless execution, also introduced Denial-of-Service attacks to expand LockBit’s capabilities and tactics for extorting victims.

LockBit has scaled its impact with affiliate incentives 

LockBit’s operating model as a RaaS group has been a key driver for the scale of impact and notoriety the group has achieved. LockBit has distinguished itself in the RaaS market through how it has incentivized affiliates to use LockBit tools and infrastructure to execute attacks. These incentives have included ensuring that affiliates receive their share of ransom payments first, rewarding promotional activity and public critiques of competing RaaS platforms, and simplifying ransomware deployment with user-friendly interfaces.

LockBit Tactics, Techniques, and Procedures (TTPs)

LockBit ransomware attacks have typically involved initial access by exploiting vulnerabilities, phishing, or brute-forcing Remote Desktop Protocols. Once inside a network, LockBit actors have used tools like PowerShell Empire, Cobalt Strike, and PsExec for lateral movement and to prepare for encryption. They often delete logs to hinder the victim’s ability to recover. LockBit actors, along with ransomware strains like Rorschach and Babuk, then frequently use a technique called intermittent encryption, targeting only parts of files for faster, more efficient attacks. By minimizing the duration of the visible attack phase, attackers improve their likelihood of success against cybersecurity defenses.

After LockBit encrypts data, the threat actors direct victims to pay a ransom for decryption keys. The ransomware group also operates a leak site where it publishes information about its victims. This site is used as part of a double-extortion tactic: if a victim refuses to pay the ransom, LockBit threatens to release their stolen data on this public platform. The leak site serves as a tool for pressuring victims into complying with ransom demands by exposing sensitive information to the public, thereby increasing the reputational and operational risks for affected organizations.

LockBit has used Bitcoin as the primary cryptocurrency used to facilitate ransom payments, but with the evolution of LockBit 3.0, the group has introduced privacy enhanced payment options such as ZCash for both collecting from victims and paying its affiliates.

On-chain analysis of LockBit activity highlights the group’s operating structure, where victims’ initial ransom payments undergo a financial split: 80% go to the LockBit affiliate, and 20% goes to LockBit’s administrators. LockBit operators have subsequently used Wasabi 2.0 to mix funds and multiple non-custodial exchanges and centralized VASPs in the United States and Asia to launder victim funds.

‍

The Role of Blockchain Intelligence in Disrupting Ransomware 

Today’s disruption continues the series of disruptions that law enforcement agencies across the world have prioritized as RaaS continues to pose a threat to citizens and businesses. Given the ever-evolving nature and the unrelenting economic toll of this threat, we expect to continue to see a strong focus on disrupting ransomware threat actors. 

While ransomware groups may evolve TTPs and names, the blockchain remains an immutable ledger. Blockchain Intelligence tools will continue to play a key role in enabling seizures and stopping bad actors. 

TRM is proud to support the NCA and law enforcement agencies worldwide in their ongoing efforts to safeguard the integrity of our financial systems.