LockBit: the ransomware gang explained

In January 2021, Analyst1 cybersecurity expert Jon DiMaggio published the first volume of a long investigation into the LockBit ransomware gang. Entitled Ransomware Diaries: Volume 1, it recounts an attempt to infiltrate the group.

The analyst applied to become a LockBit affiliate. Although he failed the evaluation test, he remained in the gang’s Tox messaging channel. This allowed him to follow many of the group’s discussions. He then posed as a German subcontractor and maintained conversations with LockBitSupp, the account of the cybercrime group’s leaders.

Jon DiMaggio thinks that there were at least two people behind LockBitSupp. He also believes that LockBit’s leaders probably come from Russia or an Eastern European country.

For the analyst, LockBit remains vulnerable even though it is currently the most profitable RaaS group in the world. He thinks that with a good cover story, a governmental agent could become a LockBit affiliate and access sensitive information.

But in his view, LockBit’s main weakness is its dominant position. Former key members of the group or cybercriminal competitors could benefit from weakening it.

In September 2022, some of the ransomware’s source code was leaked. LockBit attributed this breach to a former developer with alcohol problems. Authorities now consider this man to be a « high-value target« .

LockBit is also said to have a terrible reputation among other cybercriminals. The gang is struggling with its success, certain dubious advertising campaigns – like paying anonymous people to get « LockBit » tattooed on their skin – and its tendency to smear other cybercrime groups.

For Jon DiMaggio, this need to « spend time and energy…complaining about their competition » is one thing that sets LockBit apart. It could come back to haunt the group, he says.