What is LockBit ransomware and how does it operate?

LockBit, the name of both the malware and the criminal group behind it, has been blamed for the attack on Royal Mail

LockBit has emerged as the most prolific name in ransomware attacks and has now been blamed for an incident that has hit Royal Mail’s international operations. Here is what we know about LockBit and how it operates.

What is ransomware?

Ransomware is a piece of malicious software, or malware, that is often inserted into an entity’s computer network via a so-called “phishing attempt”. This involves tricking the receiver into downloading the malware, commonly by clicking on a link or attachment contained in an email. The phishing attempt can also include trying to access the person’s user name and password to get into the network, by fooling them into thinking they are logging on to the network in question.

The malware then encrypts infected computers, making it impossible to access their content. The rogue actor behind the attack then demands money from the affected entity – typically a company or government organisation – for those computers to be unlocked or decrypted. According to the US Treasury, US banks and financial institutions alone processed approximately $1.2bn (£990m) in ransomware payments in 2021.

How does LockBit work?

LockBit is the name given to a specific piece of malware, with the criminal organisation behind it also carrying that name. The LockBit group also sells this malware to other operators for financial gain, in a model known as ransomware as a service (RaaS). On underground forums the malware has been advertised as “the fastest encryption software all over the world”.

“We have seen a real trend in ransomware gangs operating an ‘affiliate model’ where they sell access to this malware on the dark web in exchange for payment, often in cryptocurrency,” says Toby Lewis, the global head of threat analysis at Darktrace, a UK cybersecurity firm. “This helps LockBit to scale its operations like a franchise.”

Lewis says LockBit operators do not just encrypt the files but also commit “double extortion”, where they steal the data and threaten to release it online. Some of the features of the malware include being able to print ransom demands on affected network printers, a detail that has been reported in the Royal Mail hack, with the Daily Telegraph reporting that a ransom note stated: “Lockbit Black Ransomware. Your data is stolen and encrypted.”

LockBit, like most ransomware groups, demands to be paid in cryptocurrency. Bitcoin has been the preferred payment method historically but according to Sophos, a British cybersecurity company, LockBit is demanding payment in other digital assets. “Many like LockBit have moved over to the cryptocurrency monero instead, due to the increased anonymity it provides,” says Peter Mackenzie, who leads the incident response team at Sophos.

He adds: “LockBit ransom demands can range from the hundreds of thousands into the tens of millions, typically based on the amount of damage believed to have been caused, type of data stolen and how much they believe the victim can afford.”

Who is behind LockBit?

Most ransomware groups tend to operate from eastern Europe, former Soviet Republics and Russia itself. “LockBit falls into the same category,” says Lewis. In November the US Department of Justice charged a dual Russian and Canadian national, Mikhail Vasiliev, over alleged participation in LockBit’s ransomware campaign. The DoJ said LockBit had been deployed against at least 1,000 victims in the US and around the world, has made at least $100m in ransom demands and has “extracted tens of millions of dollars in actual ransom payments”.

Victims of LockBit attacks include Pendragon, a UK car dealership company, which has refused to pay a $60m ransomware demand.

According to Trustwave, a US cybersecurity firm, the LockBit group “dominates the ransomware space” and uses large payments to recruit experienced actors. It accounted for 44% of ransomware attacks in January-September last year, according to Deep Instinct, an Israeli cybersecurity firm.

The malware was previously known as “.abcd”, after the file extension that was added to encrypted files as they were made inaccessible. Ransomware, and the groups behind it, often undergo name changes, either to avoid law enforcement or as a company-style rebranding exercise after becoming excessively notorious.

“Rebranding is often a common occurrence. This may be to avoid law enforcement or it is simply to do with marketing,” says Lewis.

Can ransomware attacks be disabled?

This is difficult. Once the attack has got in, it is really hard to stop. “Your best chance is to stop the attack in the first place,” says Lewis. Cleanups often involve rebuilding systems and networks. “If you have got ransomware on your network it’s really hard to get reassurance any other way than to rebuild the systems from scratch.”

Is it illegal to pay ransomware demands?

Last year the UK data watchdog, the Information Commissioner’s Office, and the National Cyber Security Centre wrote to legal professionals in England and Wales stressing that law enforcement did “not encourage” the payment of ransoms although payments were not usually unlawful. For instance, it is illegal to pay ransoms if the affected entity knows, or has reason to suspect, the proceeds will be used to fund terrorism. The ICO and NCSC letter said: “Payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data.”

In the US, payment of ransoms is discouraged by the government, but an advisory note from the US Treasury in 2020 emphasised this was “explanatory only” and did “not have the force of law”.


Dan Milmo Global technology editor

The Guardian
