“If you are a cybercriminal and you operate on these marketplaces, forums or platforms, you cannot be sure that law enforcement is not there watching you and taking action against you,” says Paul Foster, director of the NCA. National Cyber Crime Unit.
Increased support
LockBit first emerged in 2019 as a nascent “ransomware as a service” (RaaS) platform. Under this setup, a core group of individuals, organized by the handle LockBitSupp, created the group’s user-friendly malware and launched their leak website. This group licenses LockBit’s code to “affiliate” hackers who launched attacks and negotiated ransom payments, ultimately providing LockBit with about 20 percent of its profits.
Despite launching thousands of attacks, the group initially attempted to keep a low profile compared to other ransomware groups. Over time, as LockBit became more well-known and began to dominate the cybercrime ecosystem, its members became more brazen and possibly careless. NCA lead investigator says they extracted data on 194 affiliates from LockBit systems and are reconstructing their identities offline; only 114 of them did not earn money, says the researcher. “There were some who were incompetent and did not carry out attacks,” he says.
At the center of it all was the personality of LockBitSupp. The NCA investigator says there were “numerous” examples where LockBit’s administrator “directly took responsibility” for high-profile or high-ransom negotiations after affiliates had initially attacked the companies or organizations.
Jon DiMaggio, a researcher at cybersecurity firm Analyst1, has spent years researching LockBit and communicating with the handle LockBitSupp. “He treated it like a business and often sought feedback from his affiliate partners on how he could make the criminal operation more effective,” DiMaggio says. The LockBitSupp character asked affiliates what they needed to do their jobs more effectively, the researcher says.
“He didn’t just take money for himself, he reinvested it in developing his operation and making it more attractive to criminals,” DiMaggio says. Over the life cycle of the LockBit group, there have been two major updates and releases of their malware, each more capable and easier to use than the last. Analysis of the police operation by Security company Trend Micro shows I was also working on a new version.
DiMaggio says the person he was speaking to privately using the nickname LockBitSupp was “arrogant” but “very professional and very serious,” as well as sending cat stickers as part of the chats. Publicly, on Russian-language cybercrime forums where hackers exchange data and discuss politics and hacking news, LockBitSupp was completely different, DiMaggio says.
“The persona he amplified on Russian hacking forums was a mix of supervillain and Tony Montana from Scarface” says DiMaggio. “He flaunted his success and his money, and that sometimes bothered people.”
In addition to setting up a bounty for its own identity, the more innovative and erratic side of LockBitSupp also hosted an essay writing contest on hacking forums, offered a “bug bounty” if people found flaws in LockBit’s code, and said they would pay $1,000 for anyone who got a tattoo of the LockBit logo. About 20 people He posted photos and videos of his tattoos..
