LockBit Story: A Three-Year Investigative Journey

A Three-Year Investigative Journey into the LockBit Ransomware-as-a-Service (RaaS) group

By Yelisey Bohuslavskiy and Marley Smith

Introduction

LockBit is the only Ransomware-as-a-Service (RaaS) group to survive the “as-a-service” model crisis of 2021-2022.

Well, before yesterday, that is.

LockBit tattoo removal - image by John Fokker (Source)

While REvil, Netwalker, Avaddon, Maze, Egregor, and dozens of other RaaSes failed, LockBit endured. Even in early 2024, LockBit still presented a major threat, and one with both horizontal and vertical effects: LockBit could run broad low-to-mid-tier ransomware operations while serving as an efficient payload delivery pipeline for top-tier groups.

Now, with LockBit finally down, we find ourselves asking what will happen next. But what made LockBit so resilient in the first place?

Here, I want to share RedSense's three-year journey to answer this question. In this investigation, my team deliberately relied exclusively on SIGINT-centric approaches and evidence, in order to avoid speculation, unverified assumptions, or outlandish theories. Using telemetry analysis, forensics, incident review, and malware reversing, we arrived at the following:


Chapter 1: LockBit’s Psychological Warfare

“Bratva” - allegedly one of the main LockBit affiliate promoters in 2023/2024.

Source: Twitter/X and TOX (where it endorses LockBitSupp for trying to restore servers after the takedown)

2023 was the turning point for the group and its victims. LockBit became extremely aggressive in attacking healthcare. 

MORAL & LANGUAGE DISCLAIMER: This is why, through the rest of the blog, I will refer to LockBit’s affiliates (and promoters like the one above) as “it” rather than with any human pronouns.

Because if there is one case in which dehumanization is acceptable, it is the case of those who attack maternity care homes with ransomware and use the ransoms to fund attacks on maternity care homes with missiles.

By early 2022, Marley Smith and I had followed LockBit through direct TAE (Threat Actor Engagement) initiations for over a year, and by this point, the group still felt like a mystery.

On the surface, it looked like a standard low-tier, low-capability RaaS, barely able to steal 50-60 GB of data (often material already available in open-source corporate datasets) and rarely paid by its victims. The problem, however, was that our industry partners, particularly incident response teams and BTC-tracking teams, left no doubt that LockBit was getting paid… somehow.

We assumed that LockBit operated in several layers. The first was the standard Ransomware-as-a-Service facade, designed to be visible to anyone with a computer and an internet connection: open-source blogs full of fake claims, announcements on “dark web” forums, public drama in the low-tier communities of RAMP, XSS, and Exploit, ransomware interviews, and other ways to weaponize the golden rule of “if it’s on the internet, it must be true.”

This was LockBit’s RaaS side, managed by the group’s support persona, “LockBit Support” or “LockBitSupp.” Its aim was to recruit random, unknown affiliates who would generate a steady flow of low-tier accesses, most often small pieces of stolen information that LockBit dumped indiscriminately on its blog. This brought no monetary gain, since naturally none of the targets were willing to pay for small amounts of harmless data, but it did keep LockBit in the public mind.

How Did LockBit’s Psy-Op Work?

First, ransomware threat metrics are often calculated from the number of companies listed on ransomware blogs rather than from actual attacks or payments (the latter require intelligence that is not simply open-source and is rarely available). Dumping large volumes of company names on its website therefore kept LockBit’s title of “most prolific ransomware group” secure. At the same time, the large number of affiliates ensured a constant flow of deployments, and while these affiliate-originated deployments do not appear to have resulted in any significant payments, they still created a “death by a thousand cuts” effect.

NOTE: While “LockBitSupp” may seem like a comical character seeking attention from (as the Russian colloquialism goes) “white, colonial masters” (meaning Westerners), the threat actor did its job well. Drawing attention to the LockBit blog was a huge win for the adversaries and an asset they will use in the future.

Once LockBit began using every opportunity on social media, particularly Twitter, to its advantage, staffing it with as many affiliates promoting its name as possible, this operation went to a new level. It would not be an exaggeration to say that Twitter contributed as much to LockBit’s development as its locker builders did.

This was further amplified by LockBit’s false claims about breaches it had supposedly committed. Like KillNet and Anonymous Sudan, LockBit also benefited from the unfortunate fact that the media often equate a threat to attack an entity with an actual successful attack. Add multiple scandals on public forums and widely proliferated ransomware interviews, and the group had found the ultimate means of drawing attention to itself.

One can hold different opinions about LockBitSupp, but it undeniably managed to trick English-speaking audiences into putting it and its group at the top of Google search results, and that was an important win.

In this way, LockBit used the obsolete and dying RaaS model to create a public discourse in which the group was perceived as a credible threat actor and constantly remained at the center of attention. The leadership still had to find a way to monetize this activity, however. By mid-2022, the RaaS, with its low-tier affiliates, could not establish any substantial case pipeline and had become as useless as REvil, Avaddon, Maze, and the many other RaaSes that fell before it.


Chapter 2: Summer 2022 - Nobody Expects the Spanish Inquisition

It’s now Summer 2022. Conti has collapsed, Ukraine is being invaded, and Russia has essentially turned into a fully-fledged fascist dictatorship. That last part is particularly important. The world is changing quickly, and LockBit is not far behind.

In the late summer of 2022, we began to focus specifically on the behavior of LockBit’s admin. Unlike the Supp, the admin and developer would have ultimate power over how the gang continued to develop. Technically, anyone (including the reader 🙂) can join LockBit at any time, and this does not even require substantial technical knowledge. A new member, however, is only given a payload and tasked with deploying it. The admins handle everything else: improving the code, conducting the negotiations, and distributing the payments.

August-September 2022 was precisely when my team noticed significant shifts in several aspects of LockBit’s “leadership side.”

First: payment distribution. During our TAEs that summer, we began to observe a recurring theme in communications with LockBit actors: considerable chatter about individual affiliates being scammed by LockBit admins and kicked out of the program without receiving payment. It should be noted that such exit scams by admins were widespread among RaaSes and were one of the key factors behind the collapse of the “as-a-service” business model. The aforementioned REvil, Avaddon, and Netwalker all ran similar scams against their affiliates in their late stages.

Second, and even more interesting, some actors who were known and vetted initial access brokers for LockBit claimed they had terminated their supply arrangements with the group’s leadership. Two of them claimed that an appointee of the security apparatus had replaced the group’s admin. This was their explanation both for LockBit’s scams against affiliates and for LockBit’s increased public activity: the scandalous and “loud” behavior of the LockBit support account was allegedly a way to draw attention away from the leadership change (note the similarities to the dissolution of the Conti team, which attacked Costa Rica in 2022 and most likely Dallas in 2023 for similar distraction purposes).

One of the largest Russian-speaking Telegram communities celebrating the takedown of LockBit with praise that can be loosely translated as: “Goodbye, you FSB snitch” (FSB being the principal security agency of the Russian state).

Neither the affiliates nor the access brokers provided factual proof of LockBit’s exit scams or of a government takeover. It was clear, however, that they shared observations of significant changes in LockBit’s payment rate, and of its admin becoming extremely silent and non-communicative while LockBit support became increasingly vocal.

This is exactly when LockBit’s criminal promoters on social media became extremely active. It is also when LockBit began targeting critical infrastructure, including hospitals, municipalities, and city services, with its sights set particularly on healthcare.


Chapter 3: Into the Rabbit Hole—The Real LockBit

To identify the causes behind this change, my team began investigating two other “admin” domains of LockBit: the negotiation and payload teams. The first major clue to the infrastructural changes LockBit was undergoing was the appearance of the so-called “LockBit Green” locker build, a LockBit locker tailored to ex-Conti users. The second was the increasing use of Yanluowang, a “false flag” group posing as a Chinese APT, to amplify LockBit’s publishing.

My Principal Researcher, Marley Smith, and I split these two areas: I focused on the locker (why would a ransomware group create a locker specifically designed for another gang?), and Smith began investigating Yanluowang.

This became a rabbit hole!

The locker lead quickly led us to discover the Royal-LockBit relationship. This was around the time the two groups launched very similar attacks on US cities, which radically elevated their respective operations.

Screenshot detailing LockBit’s attack on the City of Oakland in March 2023 (top). Note how similar this was to the April 2023 Royal attack on Dallas, Texas (bottom).

But Conti was only part of it. In late 2022, LockBit’s core leadership, the admin, recognized a growing trend toward increasingly corporate, highly organized syndicates, which were more effective than “as-a-service” groups.

Alternatively, the initial access brokers’ theory that the LockBit admin was a representative of the Russian security services may have been true. The Russian security apparatus has always put emphasis on highly structured groups, primarily Conti, as they share the same organizational culture. If this theory is true, the LockBit-Conti relationship was predestined by the Russian government. This may also explain why so much emphasis was put on the distraction staged by LockBitSupp: while low-tier affiliates were posting on Twitter, the real professionals from Conti were attacking high-profile targets all over the world.

The result was LockBit operating via “collective affiliates.” Unlike individual affiliates, who are random people with questionable skills, “collectives” are small groups of 4-5 highly organized pentesters belonging to a syndicate, which outsources them to LockBit in exchange for a majority (up to 80%) cut of the ransom payment.

This change in operations is when we began to see larger breaches associated with LockBit, accompanied by major data exfiltrations. These breaches do not appear on LockBit’s website: unlike LockBit’s own affiliates, the “collectives” inflicted enough damage to get paid, and paid victims are not published on the blog. This is a standard ransomware trend (the more successful you are, the fewer people know about your successes), and this silence played perfectly with the noise created by LockBitSupp.

Adding to the ruckus, LockBit’s builder also became public (it was leaked in September 2022), so anyone can now create a LockBit-like locker, and no attack can be directly attributed to the group.

LockBit builder flowchart. Source: S2W


Chapter 4: The Nesting Doll

By 2024, LockBit was a nesting doll of sorts, with three distinct layers:

At the surface level, LockBit is a large and established RaaS comprised of dozens of “affiliates” who chaotically attack random networks in a “spray and pray” fashion and fail roughly 99 times out of 100.

Under the surface, on the second layer, LockBit is comically low-capability: fake claims, a lack of successful payments, constant affiliate scams, and “LockBitSupp” serving as a mere distraction from the actual operations. This layer is designed to draw as much attention as possible to LockBit’s blog.

The third, inner layer is LockBit’s “Big Game” division (although nobody calls it this). While the “Supp” spent its early days entertaining Western journalists with “exclusive” interviews over TOX, the admin was building a system of personal alliances with real top-tier groups, borrowing their elite pentesters.

Smith calls this the “Ghost Group” model—something between a corporate ransomware structure like Conti and a classic RaaS like Maze.

A Ghost Group is a group with very high capabilities that transfers them to another brand by letting that group outsource operations to it. The clearest example is Zeon, which has been outsourcing its skills to LockBit and Akira. Zeon is former Conti-1, the old guard of the Ryuk crew. They were also the ones who perfected the BazarCall dissemination model (not to be confused with generic callback phishing) via their elite call centers.

In Zeon’s “Ghost Group” operations:

  • Zeon provides its own call center, spam, and some of its high-end initial accesses, but most importantly, it provides skilled pentesters.
  • In turn, the groups that hire Zeon provide their own locker, blog, negotiations, and data publishing, as well as any high-end accesses they cannot process themselves for lack of pentesting skills.

NOTE: The blog and negotiation aspect is critical here. A “loud” and attention-seeking blog, in this case, serves as an asset for which they trade pentesters.

Zeon, as a prolific ghost group, currently operates in this manner primarily under other threat groups as well, notably Akira, 3AM, and (prior to its own takedown) BlackCat.

For LockBit, the timeline of this “ghost group” alliance building went as follows:

Summer 2021: LockBit's admin engages with former Avaddon and REvil pentesters, who were disoriented and disconnected after both groups were taken down.

NOTE: If the LockBit admin was indeed affiliated with the Russian security forces, this engagement with the two groups that those forces took down probably ended badly for the remaining members.

Summer 2021: The supposed “Chinese APT” Yanluowang (later found to be faking its Chinese heritage for the same mystique-building) also became affiliated with LockBit; according to RedSense, Yanluowang became a publishing arm of LockBit.

Fall 2021: LockBit's first engagements with Conti's leadership. There is no cooperation yet, but LockBit now has access to Conti's allies: HIVE, Avos, HelloKitty, and BlackCat.

NOTE: In November 2021, they were reported to engage with former BlackMatter. These members ended up with Royal a year later.

Fall 2022: After Conti's breakdown, LockBit's admin initiated their first major alliance - first with Conti's Team2, Royal, then with Conti's Team1, Zeon.

Early 2023: LockBit's relationship with ex-Conti grows, even developing LockBit Green - a version of the LockBit locker specifically suited to ex-Conti pentesters.

Spring 2023: The Conti/LockBit alliance bears more fruit: a relationship with 3AM and BlackCat. 

NOTE: During this time, LockBit allegedly engaged beyond Conti with Cl0p and EvilCorp (though Smith and I don't have evidence for this).

Summer 2023 to present: After Royal rebranded as BlackSuit and BlackCat was taken down, LockBit delegated the majority of its Big Game operations to Zeon (Conti1).

Screenshot of the LockBit shame blog post-takedown, from February 19th, 2024. [Source: RedSense]


Chapter 5: The Takedown

On February 19, 2024, an official LEA announcement replaced LockBit’s shame blog, effectively signaling an end for the group in its current form. The question now is whether this hidden network is collapsing as well. LockBit never possessed its own talent, but the talent it hired will remain. Zeon also operates as a “ghost group” for external collectives such as Akira and may relocate its effort there. The same can be said of the former BlackCat members working for LockBit.

Zeon - one of the core groups behind LockBit’s high-profile attacks

As the ransomware ecosystem collapses in upon itself, outsourcing of threat group operations has become exceedingly commonplace in an attempt to maintain the long-gone “mystique” of ransomware’s heyday. LockBit has for years exaggerated its victim numbers by reposting victims multiple times on its shame blog, claiming third-party attacks as direct infiltrations, and falsely claiming attacks while posting empty file directories to its data leak site. The group has continued to “cook the books” and coast on its own public image, a public image which has now, ironically, led to the group’s downfall.

LockBit is, in effect, a combination of its blog and Zeon, plus a couple of other alliances.

The blog, in which it invested so much, is dead, and there is no way to replace it. Law enforcement, typically dry in its language, is openly mocking LockBit’s “loud” posturing on LockBit’s own front page.

As for Zeon, its operations will naturally slow down without the blog but will continue as normal after LockBit is gone. Its focus will be to relocate back to Akira. However, like any other elite pentesters, they are getting tired of constant restarts, and this will play its role. Some will remain, but quite a few will quit. This is part of the process of fatigue and erosion, which will hopefully mean the effective end of the ransomware ecosystem as we know it in 2024.

This is exactly why takedowns work, and this is why this operation should already be considered a success.

It’s only a matter of time.


Conclusion 

This is what happens after the takedown - i.e., why LockBit is done for good.

  1. Most of the low-tier affiliates, who were bound together by a common infrastructural node, the blog, will be lost and disoriented.
  2. High-tier professionals will begin relocating; most of them are Zeon’s crew, and they will invest in Akira and possibly in BlackSuit.
  3. The brand was LockBit’s main achievement, but the blog, the social infrastructure surrounding it, and the brand itself are now unfixable. The resources invested there cannot be restored.
  4. Rebuilding the infrastructure is very unlikely; LockBit’s leadership is technically incapable. The people to whom it delegated infrastructure development left LockBit long ago, as the primitiveness of its infra shows.
  5. OFAC has added LockBit members to its sanctions list. This ensures that neither the LockBit brand nor an attempt to rebrand the group will succeed. There will be no payments, as we already saw in the case of Conti and sanctions.
  6. Initial access brokers (IABs), which were the main source of LockBit’s business, will not trust their access to a group after a takedown, as they want that access to be turned into cash.
  7. Most likely, LockBit will try to dump old data, the tactic used by every group after a takedown, but this will bring no results beyond media speculation.
  8. The affiliates, support crew, and all the jackal minions they planted on Twitter will finally get what they deserve: to become cannon fodder on the frontlines. There, they will meet their most despicable and disgraceful death in the mud, and the more painful it is, the better.

Soon, other ransomware affiliates will meet this fate. It’s only a matter of time.