Despite remaining a highly active threat, a series of setbacks, including behind-the-scenes issues and squabbles, had left LockBit reeling in its last months, and the operation appears to have been on a downward slope long before it was compromised and brought down by a multinational law enforcement sting, according to researchers at Trend Micro.
Trend Micro’s research team worked alongside the UK’s National Crime Agency (NCA) – the lead agency on Operation Cronos – providing technical assistance as the gang’s infrastructure and locker were dissected and hung out to dry, and enjoyed unfettered access to the operation.
Trend said that the gang’s journey from ransomware-as-a-service (RaaS) pioneers to a much-reduced operation – its admins had even been banned from certain underground forums – highlighted the challenges faced by cyber criminal operations, such as internal strife, technical issues and reputational damage.
“While Lockbit where without doubt the largest and most impactful Ransomware operation globally, we hope that this disruption makes it very clear that all criminal affiliates should strongly reconsider any involvement with them in the future, and that in partnering with this organisation these associates have put themselves at increased risk of law enforcement action,” said Bob McArdle, Trend Micro director of forward threat research.
Security incidents
Over the past few days, there has been some discussion of LockBit’s apparently somewhat lax approach to its own operational cyber security – it is possible that it was ultimately compromised via an unpatched PHP vulnerability – and this would not be the first time the group has had security issues.
In the eyes of a security professional, some of the gang’s issues fall under the category of insider threat; thanks to the distributed and semi-anonymous nature of LockBit, and how its affiliates and operators interacted, this was an almost-inevitable problem.
Its period of decline seems to have set in in September 2022, when a disgruntled developer leaked a build of the gang’s locker. This incident had more of an impact than LockBit let on, as it lowered the barrier of entry for others to develop their own clones and launch their own RaaS operations independently, severely hindering any technological advantage LockBit had.
This incident had knock-on effects across the security industry, which suddenly found itself dealing with other such operations using LockBit payloads, or outright masquerading as LockBit to their victims.
In one such incident, a group calling itself Spacecolon used email addresses and URLs that gave victims the impression they were negotiating with LockBit. Spacecolon even built itself a very similar-looking leak site.
For LockBit’s operators, the leak couldn’t have been much worse – signalling internal problems to outsiders would have been a concern to operational or potential affiliates, and of great interest to other gangs.
“A leak like this should be called out for what it is – a security failure,” wrote Trend Micro’s researchers. “If their core build can be leaked, then affiliates might wonder if there are other security concerns. An incident like this in a software company would be seen as a complete failure of internal processes and controls, or worse, the absence of them.”
The leak also likely damaged the LockBit brand, even though its operators, including its main spokesperson who goes by the handle LockBitSupp, tried to put on a brave face. The gang’s core members likely realised at this point that they would need to pull something special out of the hat to consolidate and strengthen their hard-won position as a leading RaaS “supplier”.
Did they do this? No. According to Trend Micro’s insight, development of the locker’s code stagnated. Perhaps, the researchers speculated, the gang had actually split with one of its key developers.
Throughout the following months, Trend Micro says it observed a “downshift” in confidence in the gang, a result of several factors. In April 2023, for example, the group added a number of new posts to its dark web leak site, some of which related to fake victims with made-up data. It is, of course, possible that this was an error made during internal testing, but according to Trend Micro, an equally plausible scenario is that the postings were an attempt to cook the books and give onlookers the impression LockBit was still a successful operation.
Over the course of 2023, LockBit’s infrastructure itself seemed to become more unstable, and observers of its dark web leak site saw frequent accessibility and stability errors. Trend Micro also saw some unusual behaviour relating to the leak site mirrors, including inconsistencies when trying to access them, and erroneous redirects.
Clearly things were not going well, and in September 2023, LockBitSupp proposed to implement new rules for affiliates, including minimum payments and fixed discounts, and mandating that payments should not be less than that of the amount covered by the victim’s cyber insurance policy. Trend Micro suggested that LockBit had seen a decline in successful payments, and that the problems that had beset the operation had meant that it was not able to attract as many highly skilled cyber criminals to act as affiliates as it was during its pomp.
Faith no more
“It’s clear that LockBit has been having issues throughout 2023, and it stands to reason that this is having a negative impact on their ability to attract or retain affiliates,” said the researchers.
There are a number of reasons for this. First, affiliates were clearly losing faith in the programme, and LockBit’s operators appeared increasingly unresponsive. Others may have felt the newly introduced rules standardising ransom demands and constraining their earnings were too onerous, while the delay in any new releases of the locker, hinting at a brain drain at the heart of LockBit, would also have soured others.
More recently, a call by LockBit’s operators for affiliates of the ALPHV/BlackCat and NoEscape crews to come and join LockBit following similar law enforcement operations carried “an air of desperation” given how people had been clamouring to sign up barely a year earlier.
Things seemed to come to a head at the end of January 2024, when a user going by the handle michon – apparently an initial access broker (IAB) – opened an arbitration thread on the underground XSS forum claiming that LockBitSupp had refused to pay for access that they had provided which led to a successful ransomware payment.
It turned out michon had only themselves to blame. Being relatively new to the scene they had not properly outlined their desired conditions of sale. However, as the thread attracted more and more posts, the denizens of XSS began to turn on LockBitSupp, rejecting their defence. Ultimately, LockBitSupp was made to pay 10% of the ransomware payout to michon.
The Trend Micro team, reviewing the thread, said LockBitSupp came across as arrogant and disdainful, particularly towards the arbitrator, and was likely trying to use their reputation to punch above their weight. They noted that this type of behaviour has been seen before with other RaaS operators who have got too big for their boots.
“There are no positives for LockBitSupp with regards to this arbitration. The malicious actor has quite likely alienated their peers, potential access suppliers, and affiliates,” said the team.
In any case, LockBitSupp was banned from XSS on 30 January and branded a “ripper/scammer”. They were also banned from the Exploit forum around the same time.
New locker under development
What was LockBit doing about these problems? During the course of the investigation, Trend’s team found evidence that the crew was pinning its hopes of survival on a new version of its ransomware locker – Trend has dubbed this LockBit-NG-Dev – a platform-agnostic malware that was significantly different from previous versions.
The team believes that this variant formed the basis of a LockBit 4.0 version, which may still be being worked on despite the takedown.
Some of the key changes in LockBit-NG-Dev include:
- A shift to .NET code compiled using CoreRT, which when deployed allows the malware to operate across platforms;
- The .NET codebase is completely new, which will mean new security patterns will need to be created to detect it – this could be a future issue for defenders should LockBit survive;
- LockBit has removed previously featured self-propagating capabilities, and LockBit-NG-Dev can no longer print ransom notes via the victim’s printers;
- The locker’s execution date now has a period of validity, which Trend suspects is to help the operators keep a watchful eye on what their affiliates are up to, and to defy any automated cyber analysis tools.
However, there are some similarities. For example, LockBit-NG-Dev still has a configuration containing flags for routings, processes and service names to terminate, and files and directories to avoid, and it retains the ability to rename encrypted files randomly.
Too big to fail?
“The criminal group behind the LockBit ransomware has proven to be successful in the past, having consistently been among the top impactful ransomware groups during their whole operation. In the past couple of years, however, they seem to have had a number of logistical, technical and reputational problems,” the Trend Micro team wrote.
“This has forced LockBit to take action by working on a new much-awaited version of their malware. However, with the seeming delay in the ability to get a robust version of LockBit to the market, compounded with continued technical issues, it remains to be seen how long this group will retain their ability to attract top affiliates and hold its position. In the meantime, it is our hope that LockBit is the next major group to disprove the notion of an organisation being too big to fail.”