LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment


After a brief slowdown in activity from the LockBit ransomware gang following increased attention from law enforcement, LockBit is back with a new affiliate program, improved payloads and a change in infrastructure. According to IBM X-Force, a major spike in data leak activity on the gang’s new website indicates that their recruitment attempts have been successful. IBM’s data shows that LockBit is nearly six times more active than other groups, such as the Conti ransomware operators. This blog post delves into LockBit’s 2.0 version, its recent activity and an analysis of the new payloads.


LockBit is a ransomware-as-a-service (RaaS) gang that writes and distributes its malware through affiliates. RaaS has become an increasingly popular business model for ransomware operators in the past few years, helping gangs expand their reach without growing their core team or their expenses. These groups are able to make a profit while turning over the actual deployment of their ransomware payloads to affiliates, who also shoulder part of the risk of being exposed by law enforcement.


Announcing LockBit 2.0


The LockBit gang was first found advertising their affiliate program in January 2020 on a well-known, Russian-speaking forum known as XSS. This underground forum has been used by many RaaS gangs in the past to advertise their malware and hunt for new affiliates. That includes gangs like REvil/Sodinokibi, DarkSide, Netwalker and others. But with increased attention from law enforcement, XSS banned all ransomware topics from their forum in early 2021.


With this avenue shut down, LockBit’s owners pivoted to using their own infrastructure for advertising. At the end of June 2021, those behind LockBit posted a page o ..
