LockBit 3.0: hackers who promise to return extortionate software to its former greatness

After the collapse of Conti, LockBit is rapidly developing, coming to the fore among other groups of extortionists. The attackers released the third version of their extortionate software, created a set of rules for partners and launched the first bug bounty program in the darkweb. Let’s learn more about LockBit together, analyze interesting statistics related to ransomware groups and talk about RaaS, a new business model that has gained popularity in the hacker community.

RaaS: Even hackers pay for software

RaaS (Ransomware-as-a-Service, ransomware as a service) is a new business model in which developers of ransomware provide their programs to other attackers for a fee. RaaS provides several payment models:


One-time purchase;

A percentage of the ransom received.

Experts believe that the increased popularity of RaaS indicates the development of hacker groups, which are becoming more and more similar to organizations run by professionals. LockBit 3.0 is successfully using a new business model, which, according to analysts, will be a signal for other gangs of cybercriminals who will pick up the new trend and start releasing their extortionate software for sale.

Interesting statistics from analysts

According to the NCC Group report, the number of attacks using ransomware in June decreased by 42% compared to the previous month. However, the company warns that this is not a decline in the number of extortionate programs – rather the opposite. The decrease in activity is temporary and is due to the recent termination of Conti and the retirement of LockBit 2.0.

In addition, LockBit remains the leader in the number of victims – 55, which is 244% more than BlackBasta, which are in second place. And Conti’s attacks have decreased by 94%, as the group breaks up and merges into other, smaller gangs.

According to the NCC Group, industrial (37%), consumer cyclical (18%) and technological (11%) industries were most often attacked.

Coveware has published a report with statistics on attacks using ransomware for the second quarter of 2022. The report shows that in the second quarter of 2022, the average amount of repurchase was $228,125 (8% more than in the first quarter of 2022). However, the median repurchase amount was $36,360, which is 51% less than in the previous quarter.

It is also worth noting that hackers began to pay more and more attention to weak targets: educational organizations (the number of attacks increased by 33%), government organizations (the number of attacks increased by 25%) and manufacturing (the number of attacks increased by 24%).

LockBit: Who are they and what do we know about them?

LockBit appeared in 2019, but the first version of extortion software from the group has not gained popularity among hackers. No one paid attention to LockBit until LockBit 2.0 was released in the second half of 2021. Since then, the malware of the grouping has been constantly updated and improved.

According to experts, at one time the group “very frankly” stated that it was in the Netherlands. LockBit also stated that the countries of the former USSR will not be the targets of attacks, since most of the group’s members grew up there.

Now LockBit is one of the most important players in the cybercrime arena. Hackers have developed a completely new extortion strategy, demanding money from victims directly and not revealing the attack – at least initially. The group provides victims with “special services” for an additional fee:

Additional 24 hours to the time allotted for the payment of the ransom;

Immediate removal of stolen data;

Uploading stolen data to the victim’s servers.

Also, LockBit has a certain set of rules prohibiting encrypting systems of critical infrastructure objects. However, stealing data is not prohibited. Now the attackers are finalizing the rules, especially in terms of attacks on previously banned industries. According to the new rules, LockBit partners can attack private educational institutions, pharmaceutical companies, dental clinics and plastic surgery institutions.

Experts say that LockBit hackers “draw a line” wherever harm can be done to people, and also do not allow attacks against institutions that provide vital medical care.

To become a LockBit partner, you need to pass a strict check and make a deposit in bitcoins. Also, the grouping has a number of additional requirements for checking a potential partner:

Activity in working with the grouping software package;

The ability to earn more than 5 bitcoins per month;

The presence of profiles on various hacker forums;

Providing evidence of work experience in other similar “projects” and the current balance of cryptocurrency wallets;

Testing of knowledge and technical capabilities.

How to prevent a LockBit attack?

Experts recommend several ways:

Strengthen endpoint security;

Install security features on corporate devices. It is desirable that they have a geo-blocking function that prohibits the transfer of data to the countries selected by the user;

Monitor connections between IP addresses and networks;

Learn to identify anomalies in traffic.

But the main and most important method remains data protection from leaks. “If the attackers have nothing to steal, then nothing will work to extort,” experts say.