A Brief History of LockBit

Written by The Hivemind | Mar 4, 2024 6:46:37 PM

Verticals Targeted: Government 

Executive Summary

LockBit has been one of the most prolific RaaS families of all time. Despite being all but dismantled by law enforcement earlier this month, the group appears to be back and is setting its sights on government targets.

Key Takeaways

  • LockBit has been one of the most prolific RaaS families of all time. 
  • LockBit released multiple variants over the course of its lifetime, and its operations have expanded over the years to include an affiliate program and a bug bounty program.
  • Operation Chronos was a joint law enforcement operation in February 2024 aimed at dismantling LockBit and removing its funds. 
  • LockBit returned less than a week after the takedown, claiming the FBI as one of its victims and threatening to release documents containing information that could impact the upcoming 2024 US election. 

What is LockBit?

LockBit has been one of the most prolific RaaS families of all time. We included LockBit in our 2023 Malware to Watch. At the time, we noted LockBit seemed to be evolving its capabilities to keep up with changes in the RaaS economy, in some cases staying ahead of the curve with innovative ideas.

We featured LockBit in our 2023 Recap - Malware Hall of Fame due to its evolution, as observed with LockBit Green, and the addition of a variant of LockBit meant to target macOS systems. LockBit was featured in our 2023 Recap - Cyber Threats to the Energy Vertical, as the group successfully hacked multiple energy sector entities in 2023, including Gran Tierra Energy and Montreal’s CSEM. We also featured LockBit in PolySwarm's 2024 Malware to Watch, noting we expected it to continue to be one of the most prolific malware families for 2024.

A Brief History of LockBit

A brief history of LockBit is included below, focusing on the evolution of LockBit variants and LockBit’s growth into a highly organized criminal enterprise. The scope of this report does not include a comprehensive list of LockBit targets due to the vast number of targets claimed by the group over the last few years.

 

2019

  • The original LockBit ransomware was released in September 2019 and was known as ABCD ransomware. 

2020

  • In 2020, LockBit launched its ransomware-as-a-service (RaaS) program.
  • Later that year, the group launched its leaks site and began to leverage the double extortion model. 

2021

  • In June 2021, LockBit released version 2.0, also known as LockBit Red. LockBit Red differed from the previous release in that it included StealBit, an information stealer. StealBit allows threat actors to target and exfiltrate files, with a customizable set of file extensions to choose from. 
  • A variant of LockBit built to target Linux systems was released in October 2021. 

2022

  • In June 2022, LockBit released LockBit 3.0, also known as LockBit Black. The new version had multiple updates, including a new extortion method. Previously, LockBit victims were given a specific time period in which to pay ransom. In version 3.0, LockBit began giving victims the option to pay a fee to delay the ransom deadline, destroy all data, or download all data. LockBit 3.0 also used a code protection mechanism not present in previous versions. 
  • In 2022, LockBit also started a bug bounty program. Bug bounty programs typically reward security researchers for discovering and reporting vulnerabilities. LockBit 3.0 took a different approach, offering rewards for finding vulnerabilities, doxxing managers, and submitting “brilliant ideas” to be used for RaaS. 

2023

  • In January 2023, security researchers noted a new LockBit variant known as LockBit Green. The new variant added cloud-based services to its list of targets. LockBit Green became available to affiliates via the builder on the LockBit portal. Industry researchers noted the new variant shared significant overlap with Conti ransomware. 
  • In April 2023, security researcher Patrick Wardle posted an analysis of a LockBit variant built to target macOS. The first known mention of the LockBit macOS variant was a tweet by MalwareHunterTeam. They noted this was the first time LockBit was observed targeting macOS and the first time a “big name” ransomware gang had targeted macOS systems.

2024

  • On February 19, 2024, a joint law enforcement effort carried out a plan, dubbed Operation Chronos, to disrupt and dismantle LockBit infrastructure, including over 11,000 domains, 14,000 accounts, and 34 servers. They also seized the group’s funds and cryptocurrency and arrested two individuals who were reportedly affiliated with LockBit. Additionally, the US published sanctions against the group.
  • Less than a week after the Operation Chronos takedown, The Hacker News reported LockBit had already returned. The group moved its leak site to a new .onion address and listed at least a dozen new victims, including the FBI. Upon their return, the group also threatened to release documents stolen from Fulton County, GA, warning that the documents contained information that could impact the upcoming 2024 US election. A LockBit administrator called for more attacks on government sector entities. 

IOCs

PolySwarm actively tracks LockBit ransomware. Hashes of recent LockBit samples are provided below. The most up-to-date LockBit samples can be found in the Emerging Threats section of our portal. 

 


 

You can use the following CLI command to search for all LockBit samples in our portal:

$ polyswarm link list -f LockBit

 
