What is Lockbit? The digital extortion gang on a cybercrime spree
By Zeba Siddiqui and James Pearson
SAN FRANCISCO/LONDON (Reuters) – A cybercriminal group named Lockbit, which on Friday said it breached the Industrial and Commercial Bank of China (ICBC), has hacked some of the world’s largest organisations in recent months, stealing and leaking their sensitive data if they didn’t pay ransom. Here are some details about the group:
WHERE IS LOCKBIT FROM?
Lockbit was discovered in 2020 when its eponymous malicious software was found on Russian-language cybercrime forums, leading some security analysts to believe the gang is based in Russia. The gang has not professed support for any government, however, nor has any government formally attributed it to a nation-state.
“We are located in the Netherlands, completely apolitical and only interested in money,” the gang says on its dark web blog.
In just three years, it has become the world’s top ransomware threat, according to U.S. officials. Nowhere has it been more disruptive than in the United States, hitting more than 1,700 American organisations in nearly every industry from financial services and food to schools, transportation and government departments.
Among its latest victims is the defense and aerospace giant Boeing. On Friday, Lockbit leaked a cache of internal data it had obtained by breaching Boeing’s systems. Earlier in the year the gang’s hack into the financial-trading services group ION disrupted operations at customers that included some of the world’s biggest banks, brokerages and hedge funds.
HOW DOES LOCKBIT TARGET ORGANISATIONS?
The cybercrime gang infects a victim organisation’s system with ransomware – malicious software that encrypts data – and then coerces targets into paying ransom to decrypt or unlock it. Such ransom is usually demanded in the form of cryptocurrency, which is harder to trace and gives the receiver anonymity.
U.S. and other officials in a 40-country alliance have been trying to trying to stem the global scourge of ransomware by sharing intelligence between nations on the cryptocurrency wallet addresses of such criminals.
On the dark web, Lockbit’s blog displays an ever-growing gallery of victim organisations that is updated nearly daily. Next to their names are digital clocks showing the number of days left to the deadline given to each organisation to provide ransom payment, failing which, the gang publishes the sensitive data it has collected.
Often victim organisations will seek the help of cybersecurity companies to identify what data was leaked and negotiate ransom amounts with the hackers. Such behind-the-scenes talks usually remain private and can sometimes take days or weeks, according to security analysts.
It’s common for some victim names to not show up on the Lockbit blog if the threat was made privately. ICBC’s U.S. unit, which said it was working on recovering from the breach, was not listed on Lockbit’s blog on Friday.
HOW DOES LOCKBIT OPERATE?
In part, Lockbit’s success depends on its so-called ‘affiliates’ – likeminded criminal groups who are recruited to wage attacks using Lockbit’s digital extortion tools.
On its website, the gang boasts of its successes in hacking various organisations and lays out a detailed set of rules for cybercriminals who may submit an “application form” to work with them. “Ask your friends or acquaintances who already work with us to vouch for you,” one of those rules says.
This web of alliances between cybercriminal groups makes tracking such hacking activity and attempts to ransom victims difficult, since their tactics and techniques can vary with each attack.