• LockBit ransomware organization announced their newest ransomware-as-a-service product, LockBit 3.0 focuses on the exfiltration of information, as opposed to the encryption of data on a targeted computer.
  • LockBit 3.0 pioneers a novel ransomware concept of immediately extorting victims without – at least initially – publicly announcing an attack.

The notorious LockBit ransomware group released its latest ransomware-as-a-service offering, LockBit 3.0.

The group also released a set of “Affiliate Rules” and introduced what cybercrime professionals say is a first for the dark web: A bug bounty program. Allegedly, this offers a USD 1 million payout for those who disclose Personally Identifiable Information (PII) on high-profile individuals, as well as any web security exploits.

The new offering focuses on the exfiltration of information, as opposed to the encryption of data on a targeted computer. With the dissolution of the cybercrime syndicate Conti, this newer version of LockBit is at the forefront of the ransomware landscape. It also demonstrates the increasing prevalence and sophistication of the ransomware-as-a-service (RaaS) model.

“Ransomware-as-a-service has elevated the pace at which gangs can develop efficient new code bases and enterprise fashions,” said Darren Williams, Ph.D., CEO and founding father of cybersecurity firm BlackFog. He added, “This underground community of gangs works intently collectively and shares data to maximize earnings.”

Ransomware as a Service: A New Economic System

RaaS is a criminal take on the prevalent Software-as-a-Service (SaaS) business model. By subscribing, affiliates can utilize ransomware tools created by professional coders to conduct ransomware attacks. Associates then get a portion of ransom money that is lucrative.

According to cybersecurity experts, its growth indicates that cybercrime syndicates are increasingly resembling professionally managed organizations. It also ushers in a new phase of cybercrime commoditization.

In particular, Lockbit 3.0 continues to be early in its lifecycle, Williams identified. However, he added that “there is no such thing as a doubt” that different cybergangs will replicate its behaviors and enterprise fashions. “It doesn’t take lengthy for novel strategies to trickle right down to different teams, particularly after they have been profitable,” he stated.

According to NCC Group’s Strategic Menace Intelligence team, ransomware attacks dropped by 42% in June this year. The organization has also warned that this doesn’t mean that there has been a decline in ransomware; it’s just the opposite.

According to the NCC Group, the decline is in part due to the recent disbanding of Conti and LockBit 2.0’s retirement. With 55 victims, LockBit emerged as a leader – 244% more attacks than Black Basta, the second-top threat actor. In distinction, Conti’s attacks decreased by 94% as the group is disbanding and plitting itself into smaller syndicates.

According to NCC Group, the most targeted industries have been industrials (37%), shopper cyclical (18%), and expertise (19%). (11%).

Coveware, a ransomware incident response company, estimates that the average ransom paid by victims in the first quarter of 2022 will be USD 211,529. In addition, attackers typically demand ransom payments in Bitcoins alone.

LockBit: What it is and its most recent variant

LockBit was introduced in 2019, but its ransomware did not gain significant popularity until the release of LockBit 2.0 in the second half of 2021. After critical bugs were identified in Lockbit 2.0 in March, its makers updated encryption procedures and added additional options to deceive researchers.

Williams said that LockBit 3.0 pioneers a novel ransomware concept of extorting victims directly and not – at least initially – publicly announcing an attack. The organization provides victims with many fee-based options, including extending the time allowed to pay by 24 hours, erasing extracted data immediately, and downloading data.

“According to a monthly analysis by IT security company NCC Group, LockBit remains at the forefront of the risk landscape and is the most outstanding risk actor.”

Vetting associates

Schmitt said LockBit has also provided an “unprecedented public view” of its affiliate vetting and application process. The group said that “each prospect to join our associate’s program ought to perceive that we’re always seeking to be hacked and harmed” as its rationale for having such a heavy vetting process.

Schmitt said, “A Bitcoin deposit ensures a potential associate isn’t a journalist, security researcher, or law enforcement officer.”

Similarly, the newly implemented bug bounty program is an effort to improve the quality of malware and financially compensate individuals who contribute. Anyone who can uncover the identity of the program affiliate manager will be rewarded, said Schmitt. Similar to this, the group offers bounties to disgruntled employees to work from the inside of companies and discover vulnerabilities within their systems.