LockBit Dubbed “Cyber Crime Unicorn” After Reports Estimate $1B+ in Stolen Funds

Capping off a week of startling revelations following international law enforcement’s takedown of LockBit, the world’s most prolific ransomware gang, the UK’s NCA (National Crime Agency) has released more information on the group’s financial data.

The proverb “Crime doesn't pay” might need an update, as the NCA reports reveal LockBit’s total money stolen could be in excess of $1,000,000,000 from July, 2022 - February, 2024. The NCA obtained 30,000 BTC addresses from LockBit’s systems, with more than 500 of them active on the blockchain, receiving ~£100M at today’s BTC value. Their analysis showed over 2,200 BTC left unspent in excess of ~£90M.

The NCA concluded that the impact of LockBit’s ransomware attacks over its four years in operation is “in the region of multi-billions of dollars,” given that the crypto funds represent a combination of both the victim and LockBit payments, which is customarily a 20% fee paid by affiliates.

The NCA’s estimates blow past what the US Department of Justice (DOJ) had previously estimated to be more than $120 million from 2,000 victims worldwide. This did not take into account the actual ransom totals being far greater than what LockBit leadership had socked away.

In just 18 months, LockBit and its affiliates elevated ransomware operations to unprecedented levels, allegedly raking in billions and informally earning the gang “cyber crime unicorn” status after vx-underground shared the group’s financial information on X.

According to stats from Malwarebytes Labs, LockBit was responsible for the lion’s share of known ransomware attacks in January 2024, with the vast majority affecting organizations in the USA and Europe.

These attacks were spread across industry sectors, with services, manufacturing, and logistics accounting for nearly half. Although LockBit’s operations have been shut down, ransomware associated with the group is still being used in a new round of attacks targeting vet offices, health clinics, and local governments (including attacks against systems related to 911 systems).

Despite recent law enforcement actions against LockBit, the group’s leadership is still at large and its affiliates may still be active. The U.S. Department of State is offering a $15 million bounty for information leading to the arrest and/or conviction of LockBit affiliates and identification of the group’s leaders.

Vx-underground, who claims to have been in communication with LockBit’s administrative staff, said they assert that law enforcement has arrested the wrong people and that the agencies do not know their information. They have doubled the bounty they previously put on their own heads if anyone can reveal their identity.

LockBit Was Developing a Next Generation Version of Its Ransomware#

Japanese cybersecurity firm Trend Micro, in collaboration with the NCA, released a report detailing a new development version of LockBit that they believe “could form the basis of a LockBit 4.0:”

Recently, we came into possession of a sample that we believe represents a new evolution of LockBit: an in-development version of a platform-agnostic malware-in-testing that is different from previous versions. The sample appends a “locked_for_LockBit” suffix to encrypted files which, being part of the configuration and therefore still subject to change, leads us to conclude that this is an undeployed upcoming version from the group.

The newer ransomware version, although unfinished, was written in .NET and compiled using CoreRT. It removed LockBit’s trademark self-propagating capabilities as well as the ability to print ransomware notes via the user’s printers. Trend Micro published a detailed analysis in the report’s technical appendix.

The report also noted that LockBit had experienced “a number of logistical, technical, and reputational problems,” forcing them to work on a new version of their ransomware but they were delayed in getting it to market due to continued technical issues.

LockBit’s leak site is scheduled to be shut down on February 25, 2024, and it’s not clear whether the group will be able to reorganize and retain current affiliates after law enforcement has thoroughly dismantled their operations. Ransomware, and cyber crime in general, remain a global concern - with a financial impact far greater than previously suspected, as this incident is a chilling reminder that victims have been paying out billions of dollars in ransoms.