The Ransomware Diaries – Volume 1 by ANALYST1


I gotta story to tell…
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred. Although these provide insight into the attacks, I wanted to know more about the human side of the operation to learn about the insights, motivations, and behaviors of the individuals on the other side of the keyboard. To prepare for this project, I spent months developing several online personas and established their credibility over time to gain access to the gang’s operation.
Over the months, I spent my time on criminal forums and private chat groups used by ransomware criminals and gained inside knowledge about the LockBit gang itself. I identified the accounts and infrastructure used by the gang and the criminals they interacted with. I could see the tools and resources used to manage and conduct attacks from the adversary’s perspective. More importantly, I learned about the opinions, personal habits, motivations, and insecurities of the human criminals behind the operation. Then, I took many of the public events and high-profile attacks, including theories previously made about the LockBit gang, and tried to capture its side of this very interesting story.
Next, I will walk through the entire lifecycle of LockBit activity from September 2019 until January 2022. I will detail the gang’s criminal operation and add LockBit’s version of events to tell the story, as it has not been detailed before. In conducting this research and analysis, I found several mistakes made in attributing the early activities of the LockBit gang, which I will discuss. Finally, I will provide a complete intelligence assessment focused on my findings, open-source information, technical data, and human intelligence gained while profiling LockBit itself.
If you are not interested in the larger story, you may want to skip to the “Unmasking LockBit” section near the end of this report for a summary of unique findings derived from the human intelligence I gained from my interactions with LockBit. However, the screenshots and details surrounding each conversation are included throughout the body of the report itself in the order in which they took place.
Before I begin, here are a few things I learned about LockBit and its operation over the course of my research:
• The individual currently leading and directing the LockBit ransomware operation, who often uses the online persona “LockBitSupp,” is demonstrating narcissistic traits that feed his ever-growing ego. Over the past several months, there has been increasingly negative sentiment toward the “LockBitSupp” persona. The dislike stems from arrogant comments it makes on criminal forums and media interviews. Many criminals do not appreciate the “look at me” approach that LockBit takes to promote its ransomware program. Additionally, many criminals are tired of LockBit’s attention-driven publicity stunts, such as paying individuals to obtain “LockBit”-themed tattoos[1] and posting the images[2] on social media.
• Over the last six months, the LockBitSupp persona has conducted several propaganda-based “smear campaigns” against rival gangs. LockBit uses legitimate information and events, which it presents with alternative messaging across underground forums to support a storyline that benefits its own self-interests while trying to damage the reputation of fellow gangs.
• The leader of LockBit claims he stores the PGP keys, crypto wallets, key files, and other sensitive data on two disk drives. The drives are stored separately from one another to prevent anyone from obtaining access to both. He keeps one flash drive on a necklace he always wears; the other is stored on a drive kept by a third party at a remote location for safekeeping.
• LockBit leadership claims it accesses its back-end infrastructure via Starlink, a US satellite internet service owned by SpaceX.[3]
• LockBit leadership claims it primarily relies on Bitcoin exchanges in Hong Kong and China to launder its money. It believes China’s adversarial relationship with the US makes it safer and easier to conduct laundering operations.
• According to the leader of LockBit, the developer of DarkSide ransomware is the same individual who developed BlackMatter and LockBit Black ransomware and previously developed malware for Fin7, another cybercrime group. This individual is tied to many high-level cybercriminals and should be a target for law enforcement and government operations. Additionally, the developer may have firsthand knowledge of the identities of key members across several cybercrime syndicates.
• The previous attribution made by a third party linking LockBit to Gogalocker and Megacortex ransomware is false. After reviewing and analyzing the evidence used by a third-party security vendor to make the original attribution, I believe it was made in error and is incorrect.
• LockBit engages and communicates with several other ransomware gangs, including DarkSide/BlackMatter, BlackCat, REvil, Hive, and BlackBasta. The relationships are adversarial, but the individuals behind these gangs appear to know one another and have/had direct lines of communication with each other.
• LockBit believes Conti, and now BlackBasta, secretly work for and support the Russian government. LockBit believes the gang directly provides support to the FSB.
• In 2020, LockBit sponsored a “summer paper contest” in which applicants would submit academic-style papers pertaining to hacking and exploit techniques. LockBit would select the best paper and award the author a monetary prize. This was one of its early attempts to gain recognition among cybercriminals and demonstrates its “outside-of-the-box” approach to identifying and recruiting smart upcoming criminals.
