2 min

LockBit has been claiming a hefty share of ransomware damage for years. Now the criminal organization is in danger of being pushed away by competing gangs and malicious actors that imitate them.

When LockBit was targeted by Europol and other authorities in February, the impact on the cybercrime group’s operations seemed limited. Indeed, just a few days later, the group returned with updated encryptors and new servers.

Decrease in relevance

Still, according to a report by Trellix’s Advance Research Center, LockBit’s relevance has declined. Although attackers repeatedly present themselves as LockBit reps, they often turn out to be impersonators. This claim is made more credible by the software showing strong similarities to the LockBit ransomware itself.

After all, the source code of the LockBit 3.0 builder leaked in 2022 via a disgruntled developer, after which other parties used it for their own aims. This was a major setback for the cybercrime group, as it needs to maintain a certain reputation to be effective. Ransom demands are only credible if sensitive data is decrypted again and an imminent data breach fails to materialize. Without retaining control over the selection of LockBit members, the organization loses power over the cybercrime landscape.

No selection process

By August 2023, this leak already appeared to have had a major effect: multiple threat actors used it to create LockBit variants of their own.

Normally, LockBit candidates had to prove themselves to gain access to the ransomware tools, accept rules about certain targets, and commit to handing over a portion of the ransom to LockBit. According to the Trellix report, other gangs chose instead to undermine the group’s Ransomware-as-a-Service revenue model.

New groups

In addition to this competition, the LockBit leak appears to give new groups a chance to grow. Some parties change only the ransom note and contact information to leave the rest of the LockBit 3.0 builder untouched.

Above all, these developments show two things. First, even the most successful criminal groups appear to be susceptible to coordinated operations by the authorities. Second, it appears once again that these organizations can soon be replaced by other attackers, who learn the lessons of their predecessors whenever possible.

Also read: Four-year sentence for hacker of LockBit ransomware group