In September 2019, the LockBit ransomware was first discovered. Also known as ABCD ransomware, LockBit got its name from the ".abcd virus" extension first observed. LockBit operates using a Ransomware-as-a-service (RaaS) model. This means that affiliates make a deposit to use the tool, then split the ransom payment with the LockBit group. It has been reported that some affiliates are receiving a share as high of 75%. LockBit's operators have posted advertisements for their affiliate program on Russian-language criminal forums stating they will not operate in Russia or any CIS countries, nor will they work with English-speaking developers unless a Russian-speaking "guarantor" vouches for them. Initial attack vectors of LockBit include social engineering, such as phishing, spear phishing, and business email compromise (BEC), exploiting public-facing applications, hiring initial access brokers" (IABs), and using stolen credentials to access valid accounts, such as remote desktop protocol (RDP), as well as brute-force cracking attacks.
During last year's Global Threat Forecast webinar, hosted by SecurityHQ, LockBit was identified as a significant threat and highlighted as a Threat Actor to pay close attention to during 2022. LockBit has stepped out from the shadows of the Conti ransomware group, who were disbanded in early 2022. This makes LockBit the most active and successful cybercrime organization in the world.
Ransomware-as-a-service (RaaS) has become increasingly popular among cybercriminals as it presents a low-risk and high-reward opportunity. LockBit is just one example of a RaaS operation that has seen success in recent years. Because RaaS takes advantage of the affiliate model, there is little to no upfront cost for the cybercriminal. And, because the affiliate model allows for a percentage of the ransom to be paid back to the cybercriminal, there is a built-in profit motive.
For businesses, the best defense against RaaS operations like LockBit is a comprehensive cyber security solution that includes backup and disaster recovery. This will ensure that even if your systems are hit with ransomware, you will not lose any data and will be able to quickly get your systems up and running again.