NetworkTigers timeline of the LockBit story.
The LockBit ransomware-as-a-service (RaaS) operation has become prominent due to high-profile attacks worldwide. Thousands of organizations have found themselves caught in LockBit’s web. While more than half were companies with 200 or fewer employees, notable high-profile victims include Boeing, various municipalities across the US, the Industrial and Commercial Bank of China, and the UK’s Royal Mail.
The group’s prevalence, effectiveness, and visibility made it impossible for authorities to ignore, and its attacks are part of the reason the World Economic Forum has repeatedly ranked cyberattacks among the most serious global threats.
LockBit’s hubris, enjoyment of the spotlight, and rumors of unpaid affiliates significantly weakened the gang while simultaneously making it a high-priority adversary among international law enforcement agencies and cybersecurity professionals alike.
Recent law enforcement campaigns have destabilized LockBit and seemingly dethroned the operation from its place as the world’s most dangerous ransomware group. However, the outfit is still launching attacks and, as is usually the case, may opt to rebrand itself and make a grand return to the world stage despite government intervention.
The history of LockBit
- January 2020: LockBit 1.0 is released and observed in the wild. Due to the “.abcd” file extension added to encrypted files, it is known as ABCD ransomware.
- June 2021: LockBit 2.0 is released. Also known as LockBit Red, this malware version is released alongside StealBit, a custom data exfiltration tool used to perform ransomware attacks.
- October 2021: LockBit Linux debuts. This version targets VMware ESXi hypervisors, allowing affiliates to encrypt the virtual machines running on vSphere hosts rather than only individual Windows endpoints.
- March 2022: LockBit 3.0 is released. Referred to as LockBit Black, this version is created to exfiltrate company data files from victims before encryption.
- August 2022: LockBit administrators diversify their offerings by adding Distributed Denial of Service (DDoS) attacks to the menu, pressuring victims with disruption on top of encryption and data leaks.
- September 2022: A disgruntled developer (possibly more than one) leaks LockBit’s builder, allowing anyone to launch sophisticated ransomware attacks without going through LockBit itself. Around this time, LockBit also offered to pay people to get tattoos of the operation’s logo and post them on social media.
- January 2023: LockBit Green is released, featuring source code pulled from Conti ransomware after the group’s fall from favor following their public pledge of support for Russia’s invasion of Ukraine.
- The Royal Mail is hit with a LockBit ransomware attack.
- February 2023: LockBit is described as a “prolific ransomware group with ties to Russia” and an “enduring threat” by Canada’s cyber intelligence agency.
- March 2023: An affiliate of the group attacks the city of Oakland, California, causing the city’s systems to go down, the city’s IT network to be taken offline, and a state of emergency declared. Disruption of non-emergency phone lines and police response time follows for weeks as sensitive data belonging to city employees and some residents leaks onto the internet.
- April 2023: A version of LockBit is discovered that appears to have the capabilities needed to attack Mac users. However, professionals deem it “toothless” and likely a test.
- June 2023: CISA says that LockBit was the most deployed ransomware variant globally in 2022.
- October 2023: Boeing is attacked with LockBit ransomware and refuses to pay a $200 million ransom; the group subsequently publishes roughly 43GB of stolen data.
- November 2023: LockBit modifies its affiliate compensation and negotiation rules to accommodate for lower-than-desired payouts from victims.
- December 2023: After disruptions and exit scams discourage criminals from continuing to work with the BlackCat/ALPHV and NoEscape ransomware groups, LockBit offers its infrastructure to affiliates who still have outstanding negotiations with their victims. LockBitSupp, the group’s primary administrator, refers to the exodus from the rival groups as a “Christmas gift.”
- January 2024: LockBit apologizes for an attack on SickKids, Canada’s largest pediatric hospital, saying that an affiliate broke the group’s rules by attacking a medical institution, and offers a free decryptor. (The attack itself took place in December 2022, and the apology and decryptor followed within weeks; the episode is grouped here with LockBit’s other public-relations moves.)
- February 2024: LockBit’s infrastructure is seized by an international law enforcement task force called Operation Cronos. The agencies obtain the ransomware’s source code, seize 28 servers, and glean a great deal of information regarding the group’s activities, administrators, and affiliates.
- Additionally, more than 200 cryptocurrency accounts linked to the group are frozen, two Russian nationals accused of using LockBit to perform attacks are criminally charged in the US, and two alleged affiliates are arrested in Poland and Ukraine.
- LockBit is effectively locked out of its operations, and the untouchable reputation the group has arrogantly cultivated over the years is damaged.
- A LockBit administrator admits that members of the outfit had been “lazy” regarding their security infrastructure, claiming that they had been distracted by the luxurious lifestyle afforded to them through stolen funds.
- March 2024: LockBit returns, sharing data from five cyberattacks and, despite still remaining under fire from law enforcement, launches a new data leak site. However, the data posted is believed to be information from attacks before the group’s infiltration rather than new attacks.
- It is believed that this maneuver is intended to assure affiliates that LockBit is still fully operational.
- The operation’s primary administrator, LockBitSupp, in an interview with The Record, says that the group’s disruption “doesn’t affect business in any way” and is an opportunity to advertise and “show everyone the strength of my character.”
- May 2024: LockBitSupp is revealed and sanctioned by law enforcement agencies in the US, the UK, and Australia.
- Identified as 31-year-old Russian national Dmitry Khoroshev, the man behind the operation reportedly earned $100 million through the group’s illegal activities.
- The sanctions placed on Khoroshev are expected to severely damage LockBit: because any payment to a sanctioned person is itself a sanctions violation, an organization that pays a LockBit ransom risks government fines, which removes much of the incentive for victims to negotiate.
What’s next for LockBit?
In an interview with Recorded Future’s Click Here podcast, LockBitSupp denies that he is Dmitry Khoroshev and has accused the FBI of identifying the wrong person.
“How did they find this person — based on what facts? Where is the proof? I always thought that the United States is a rule-of-law state, that without evidence, you can’t accuse an innocent person. I was wrong.”
Aside from the reality that LockBitSupp is a criminal and has no reason to be trusted, the fact that LockBit retained data that it promised to delete after receiving a ransom payment indicates that LockBitSupp only has his own interests in mind.
With the Justice Department offering a $10 million reward for any information that could lead to Khoroshev’s arrest, the saga of LockBit will likely continue to be interesting for the foreseeable future.
About NetworkTigers
NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
