LockBit, the notorious ransomware crew that hobbled Royal Mail’s international shipping service in the U.K. last month, posted a warning late Monday claiming that it would publish “all available data” stolen from the company if it didn’t pay up by Thursday.
It was just the latest ominous warning from the group, which is one of the most prolific and profitable ransomware operators in the world. And following the headline-grabbing takedown of the rival group Hive that involved law enforcement in the U.S. and Europe, experts say LockBit is an obvious next target as governments around the world have pledged to go on the offensive against ransomware operators.
“I think something is going to happen to LockBit in the next [six] months,” said Allan Liska, an intelligence analyst with the cybersecurity firm Recorded Future. “I don’t know if it will be law enforcement or internal strife, but something will happen. You can’t be this big for this long as a [ransomware as a service] group without attracting a lot of unwanted attention.”
As if taunting law enforcement officials, the group applauded the Hive operation last month: “Nice news. I love when FBI pwn my competitors.”
Officials in the U.S. and abroad have stepped up actions against ransomware groups in recent months. In the U.S. last year, financial institutions observed nearly $1.2 billion in costs associated with ransomware attacks, the Treasury Department said in November, a figure experts say likely represents just a fraction of the total problem. The announcement came as the White House hosted the Second International Counter Ransomware Initiative Summit, hoping to better coordinate three dozen countries’ approach to attacking cybercrime.
Active since September 2019, LockBit has grown into one of the most prolific ransomware-as-a-service operations, where a core group of developers lease malware to “affiliates” who carry out attacks. Its ransom operations nearly doubled from 2021 to 2022, according to analysis published Tuesday by NCC Group, an international cyber consultancy based in the U.K. And the group isn’t shy about talking up the strength of its technology: LockBit boasted about the speed at which its malware encrypts systems and steals data, according to an August 2021 interview with a Russian tech blog analyzed by cybersecurity firm AdvIntel.
Liska said that based on public postings “LockBit is significantly larger than Hive.” Recorded Future has observed 1,327 victims posted to LockBit’s data leak site, he said, 854 of which have been posted since January of 2022. He said there is not enough data to nail down a firm dollar figure associated with the group, but the Department of Justice alleged in November that LockBit had demanded $100 million in payments and “extracted tens of millions” from its victims in the U.S. and around the world.
Their targets are also getting bigger and more high profile. Last week, LockBit attacked ION, a financial trading services group that facilitates trading and settlement of exchange-traded derivatives, according to Reuters, potentially impacting activities related to “thousands of firms.”
The Royal Mail hack has also gained international attention. In an interview with Bleeping Computer, LockBit originally denied any role in the attack and claimed that someone using a leaked version of its encryption malware was responsible. Two days later, however, a group representative said they had determined which affiliate was behind the attack and that a decryption key would be provided after a ransom was paid, the news site reported.
Signaling the group may have its own internal differences, a LockBit affiliate in December attacked The Hospital for Sick Children, known as SickKids, in Toronto. The group apologized for the attack and said the action “violated our rules” and that the “partner” that carried out the attack was “no longer in our affiliate program.”
“If I was a ransomware affiliate, I wouldn’t want to work with LockBit,” said Brett Callow, a threat analyst with cybersecurity firm Emsisoft. Its recent string of high-profile attacks will have likely focused law enforcement attention on the group even more than in the past, he said. “I wouldn’t be at all surprised to discover that LockBit’s operation had been subject to a Hive-like infiltration. Law enforcement agencies are getting better and better at counter-ransomware operations and every arrest they make and every bit of intel they collect helps them take action against other groups and individuals.”
For now, however, LockBit could be benefiting from the demise of Hive, Callow noted: “They have recently listed more victims than usual, possibly as a result of Hive affiliates looking for a new home.” Those new affiliates, however, could spell trouble. “Of course, as Hive’s operation was compromised by law enforcement months ago, it’s possible that some of its affiliates were compromised too and that LockBit and its business partners could soon get a nasty surprise,” he said.
A message sent to LockBit’s support chat address Tuesday was not returned. Neither the FBI nor the Department of Justice responded to a request for comment.
The group claims on its website to be located in the Netherlands and “completely apolitical and only interested in money,” although the group communicates largely on Russian-speaking hacking forums and told the Russian tech blog that “We benefit from the hostile attitude of the West (towards Russia). It allows us to conduct such an aggressive business and operate freely within the borders of the former Soviet (CIS) countries.”
It’s impossible to know the full scope of LockBit’s activities or how it compares to other groups, Callow said, but the group is “certainly in the top 10.”
In November, when the Department of Justice unsealed charges against Mikhail Vasiliev, a dual Russian and Canadian citizen for working with LockBit, the agency alleged the group’s malware had “been deployed against over 1,000 victims in the United States and around the world.”