“If you are a cyber criminal, and you are operating in these marketplaces, or forums or platforms, you cannot be certain that law enforcement are not in there observing you and taking action against you,” says Paul Foster the head of the NCA’s National Cyber Crime Unit.
Rise of Supp
LockBit first emerged in 2019 as a fledgling “ransomware-as-a-service” (RaaS) platform. Under this setup, a core handful of individuals, organized by the LockBitSupp handle, created the group’s easy-to-use malware and launched its leak website. This group licenses LockBit’s code to “affiliate” hackers who launched attacks and negotiated ransom payments, eventually providing LockBit with around 20 percent of their profits.
Despite launching thousands of attacks, the group initially tried to keep a low profile compared to other ransomware groups. Over time, as LockBit became more well-known and started to dominate the cybercrime ecosystem, its members became more brazen and arguably careless. The NCA senior investigator says they pulled data about 194 affiliates from LockBit’s systems and are piecing together their offline identities—only 114 of them didn’t make any money, the investigator says. “There were some that were incompetent and didn’t carry out attacks,” they say.
However, at the center of it all was the LockBitSupp persona. The NCA investigator says there were “numerous” examples of the LockBit administrator directly “taking responsibility” for high-profile or high-ransom negotiations after affiliates had initially attacked the companies or organizations.
Jon DiMaggio, a researcher at cybersecurity firm Analyst1, has spent years researching LockBit and communicating with the LockBitSupp handle. “He treated it like a business and often sought out feedback from his affiliate partners on how he could make the criminal operation more effective,” DiMaggio says. The LockBitSupp character would ask affiliates what they needed to be able to more effectively do their work, the researcher says.
“He did not simply take money for himself, but he reinvested it into developing his operation and making it more desirable to criminals,” DiMaggio says. Throughout the lifecycle of the LockBit group, two major updates and releases of its malware happened, with each more capable and easier to use than the last. Analysis from the law enforcement operation by security company Trend Micro shows it was working on a new version too.
DiMaggio says the person he was speaking to privately using the LockBitSupp moniker was “arrogant” but “all business and very serious”—aside from sending cat stickers as part of chats. Publicly, on Russian language cybercrime forums where hackers trade data and discuss hacking politics and news, LockBitSupp was entirely different, DiMaggio says.
“The persona he amplified on the Russian hacking forums was a mix of a supervillain and Tony Montana from Scarface,” DiMaggio says. “He flaunted his success and money, and it rubbed people the wrong way at times.”
As well as setting a bounty on their own identity, LockBitSupp’s more innovative and erratic side also organized an essay writing competition on the hacking forums, offered a “bug bounty” if people found flaws in LockBit’s code, and said they would pay $1,000 to anyone who got the LockBit logo as a tattoo. Around 20 people posted pictures and videos of their tattoos.