4 min

Tags in this article

, ,

LockBit has been gaining notoriety with the likes of the British Royal Mail and Deutsche Bank. The ransomware is persistent and remarkably self-sufficient. How does this popular tool of cybercriminals operate?

Enterprises are going digital at an ever-increasing rate, accelerating the appeal of cybercrime along with it. The market around ransomware tools has become more complex as a result. Akin to the move to a subscription-based model adopted by legitimate software providers, cybercriminals are turning to Ransomware-as-a-Service (RaaS). Aspiring hackers can pay to access a wealth of well-maintained tools and websites that allow for the invasion and extortion of companies worldwide.

Research by security expert Arctic Wolf indicates that LockBit is the market leader among RaaS providers. On leak sites, where victims’ data gets published, LockBit occurrences are four times more common than those of competitor Alphv/BlackCat. The market leader’s popularity has grown tremendously since 2019.


Automation is another area where developments in the digital underworld mirror those taking place in mainstream business. LockBit can spread inside an organization’s network automatically. This ease of use is one of the main reasons the piece of ransomware is so popular. Typically, hackers must be actively engaged in the spread of the code inside a network. This slows the process down tremendously and makes it easier to detect. The dark web marketing of the service as “the fastest encryption software all over the world.”

A bit of false advertising there, as LockBit leaves a fair portion of the planet untouched. Like their colleagues over at RagnarLocker, the code recognizes organizations that are situated in Russia and surrounding (Moscow-friendly) states. Victims are found globally, but LockBit v2.0 targeted US organizations nearly 50 percent of the time. However, the cybercrime syndicate does possess some kind of moral compass regarding the choice of victim. When a hacker group targeted a Canadian children’s hospital with the ransomware in late 2022, LockBit blocked them from their services. It’s clear that LockBit is a big player in the world of cybercrime, but how does it actually work?

LockBit: action

Firstly, it’s evident that not all of LockBit’s characteristics are an exception to the norm. Like other software of its kind, its effectiveness relies on there being a sensitive aspect to the organization’s outward-facing services – or an unwitting individual. Targets tend to either originate from a software security flaw or an employee being fooled by a phishing email. These are the primary ways ransomware accesses a company network.

Once LockBit finds its way inside a network, the magic begins. Or rather, the ransomware developers’ unique computer code. The set of “post-exploitation” tools set out to gain as much control of the network as possible. Via Windows PowerShell, the tool searches for system administrator accounts or extends itself widely across as many devices as possible. No human needs to provide any input for this multiplication to occur. At the same time, LockBit disables various security systems and attempts to disable recovery options. Ideally (from the criminals’ point of view), there is no viable recovery method, but just slowing down the recovery process can be considered a success. Many organizations can’t afford to be out of the running for a significant amount of time, so paying for data recovery is more desirable. In addition, a tight deadline for illegally releasing data is a powerful way of pressuring the victim.

Next, the encryption payload is loaded. Throughout this process, LockBit needs no human input. The application detects sensitive information on the servers through self-developed algorithms and blocks access. Only LockBit itself holds the key: a decryption tool can provide organizations with the ability to recover the data. Usually, capitulating to the hackers also prevents publication, but there is no guarantee of that. No mechanism stops a hacker group from still making off with the stolen data.

Incidentally, macOS is not immune from LockBit. Apple’s platform is far less susceptible to all kinds of malware. Nevertheless, this port to Mac still seems to be embryonic: The Register reports that the application can only run on Apple chips, but that’s all (for now).

The release of the 3.0 version of LockBit in 2022 exemplifies how cybercriminals constantly change their tactics. Improved tools, anti-detection mechanisms, an anti-debug feature and disabling Windows Defender are among the additional features compared to version 2. A salient detail is that LockBit has started a “bug bounty” program. Fellow hackers can assist the cybercrime group in fixing bugs within the ransomware. This way, they contribute to a possible version 4.0 and later.


What can an organization do to prevent or recover from a LockBit attack? As mentioned, paying a ransom is an option but is far from desirable. While this option is not technically illegal, transferring crypto money is what allows these organizations to continue their criminal activities.

Security company Kaspersky offers advice on fighting LockBit on its own website. General advice around cybersecurity gets the obligatory mention: one must be careful about emails from outside the organization, keep data backups and ensure security software is up-to-date. In addition, complex passwords, multi-factor authentication strengthen the overall security of corporate networks. Simplifying system privileges also prevents confusion, as does deleting unused accounts.

To the surprise of absolutely no one, Kaspersky recommends using its own security services. Still, using cybersecurity services relevant to an organization’s needs is essential. Cloud environments generate new weaknesses, such as when communicating between components of a Kubernetes system or transferring data to foreign data centers.

In short, LockBit is an extremely self-sufficient ransomware application. The extensive amount of automation of distribution and encryption makes it a crafty piece of work. Ransomware could likely go even further. What if a Ransomware-as-a-Service can also search for targets of its own accord or uses an AI chatbot to contact a victim and make a deal? In the future, we are bound to face a form of cybercrime which requires less and less human input.