[FIRSTCON 2024] Dissecting the Arsenals of LockBit
Author: Huiseong Yang | S2W TALON
Executive Summary
While many RaaS groups have come and gone in recent years, the LockBit group has been one of the most active. LockBit operates as a Ransomware-as-a-Service (RaaS) and employs multiple affiliates, causing more damage than any other ransomware group. As of 2023, it is responsible for 1,118 of a total of 4,189 ransomware victims and is so aggressive that it ranks first in the number of victims among RaaS groups, at about 27%.
The LockBit group has continued to grow its arsenal (which they refer to as a collection): LockBit Red, a 2.0 version of the original LockBit ransomware, which they developed in June 2021; LockBit Black, based on the BlackMatter ransomware, which they developed in June 2022; and the Conti-based LockBit Green, released last year. We have been tracking the LockBit group since its inception.
In addition, we have done an in-depth analysis and comparison of all LockBit ransomware from LockBit 1.0 to 3.0, including ransomware targeting Linux, macOS, and Windows. As a result, we identified code with the same functionality in each version and found a commonality among ransomware created from the leaked LockBit Black builder.
The results provide a look into the features that LockBit considers important and make it possible to distinguish LockBit affiliates from script kiddies who attack with the leaked builder.
Key Takeaways
- (Understand the evolution of LockBit) Based on data from tracking LockBit’s evolution since 2019, we’ve identified common characteristics and significant changes across LockBit’s weapons.
- (Understand LockBit’s views, ideas, and ideology) Get an in-depth look at LockBit’s dark web presence and recent issues to understand what LockBit considers important and how these ideas are reflected in their weapons.
- (Understand the features of the LockBit Arsenals) Gain insights from a detailed analysis of LockBit ransomware versions and the LockBit builder.
For more details, please refer to the presentation at FIRSTCON 2024.
- Abstract: https://www.first.org/conference/2024/program#pDissecting-the-Arsenal-of-LockBit
- Presentation: (to be attached once public)