LOCKBIT Ransomware

Based on our profiling analysis, including sentence structure, the site is largely operated by East-European individuals. The primary motivation is monetary gain, and the group offers access to its encryption software (aka malware, aka ransomware) on a paid, commission-based subscription model (RaaS). The group has no political interests, but CYPFER has noticed that no attacks against Russian, Ukrainian or other East-European targets were evident.

  • LOCKBIT operators do not limit themselves to specific attack types. They have been seen both exploiting external Internet-facing assets using some of the latest exploits, such as Log4j, and brute-forcing remote access capabilities. Some attacks were identified using phishing techniques to establish an initial foothold.
  • COMMUNICATION PROTOCOLS: LockBit communications take place primarily over the group's web chat, which is accessible through TOR. Each victim organization is provided with a unique key to access the chat room.
  • INITIAL DEMANDS: LockBit demands on average begin around $1,600,000. This number may vary from matter to matter, as the demands are typically based on what the threat actors believe the company can afford to pay.
  • FINAL DEMANDS: LockBit operators or affiliates have full decision control of the final amount. Discounts depend on a variety of factors including the ability to negotiate appropriately with the affiliates.
  • DURATION: Negotiation durations with LockBit are relatively quick and can run from 2 days to 6 days.

DECRYPTION: The LockBit decryptor is 97% effective in decrypting files. Speed of decryption is dependent upon a number of factors, including hardware capabilities and the size of encrypted files.

RECOVERY and REMEDIATION: CYPFER’s post-breach recovery teams have worked a number of LockBit matters. Recovery of an environment, while it depends on impact, hardware capacity and available resources, will typically take 14 business days.