Uncovered Intel: Detailed Data Leak Provides Insight into LockBit Hacker Collective's Operations
Ransomware Chaos: A Deep Dive into LockBit's Global Havoc
LockBit ransomware group has been causing chaos globally, with an incredible 156 organizations targeted between December 2024 and April this year, data shows. This cyber terror squad seems unafraid of challenging the geopolitical sphere, with China and the US bearing the brunt of their attacks[1].
Researchers from Trellix Advanced Research Center have delved into the group's tactics, revealing intriguing insights about their strategy. Surprisingly, unlike other ransomware groups that might steer clear of politically sensitive targets, LockBit appears unfazed by potential consequences, showing a different approach[1].
The Great Chinese Pursuit
China features prominently in the criminal gang's crosshairs due to its vast industrial and manufacturing sector. In contrast to some other groups, LockBit shows striking audacity by willingly encrypting data within China[2]. This divergence from other groups like BlackBasta and the disbanded Conti, who are more cautious about targeting Chinese organizations, is noteworthy[2].
Affiliates like BaleyBeach, umarbishop47, and btcdrugdealer were active in the US, where attacks seemed spread out, indicating a more opportunistic strategy over specialized targeting[1]. Taiwan followed closely behind China and the US, with Brazil and Turkey completing the top four[1]. Interestingly, one group, Swan, extended its reach across multiple European countries, demonstrating the group's sophistication in navigating various regulatory environments[1].
LockBit's Affiliate Structure
At the helm of this Ransomware-as-a-Service (RaaS) operation is the operator known as "matrix777," below whom sit affiliates, an OSINT/data analysis team, and support infrastructure that provides technical assistance and ransom negotiation[2]. LockBit charges affiliates a $777 registration fee; affiliates keep 80% of the ransom payments and send 20% to the core team[2][3].
LockBit's Revenue Streams
Through analysis of LockBit negotiation chats, Trellix researchers discovered 18 confirmed payments to cryptocurrency wallets linked to LockBit affiliates, netting approximately $2,337,000[1]. Behind the scenes, significant discounts were common during haggling, highlighting the negotiation tactics they employ[1]. Affiliate success varied significantly, indicating differences in skill and potential specialization in specific industries or countries[1].
The Operator's Share
The core LockBit operator accumulated around $456,000 from affiliates' ransom payments over the period. However, they made relatively less from auto-registration invitations, earning around $10,000 to $11,000[1]. The operator's claim of monthly earnings of $100,000 from auto-registration is considered exaggerated, shedding light on the often less glamorous reality of ransomware activities[1].
A Growing Menace
Despite international law enforcement bodies disrupting LockBit early last year, the group remains a formidable force in the ransomware landscape. Many group members and affiliates have been arrested since then, yet cyber criminals continue to hype up their successes and downplay the failures[1].
"While profitable, it's far from the perfectly orchestrated, massively lucrative operation they'd like the world to believe it is."
[1] Trellix. (2025, May). Research reveals LockBit ransomware group’s business model, targeting approach, and geographical distribution. [Online]. Available: https://www.trellix.com/blog/threat-research/research-lockbit-ransomware-reported-may-2025/
[2] CNBC. (2023, June). LockBit ransomware group unveils new, more destructive version while claiming monthly earnings of $100,000. [Online]. Available: https://www.cnbc.com/2023/06/01/lockbit-ransomware-group-unveils-new-more-destructive-version-while-claiming-monthly-earnings-of-100000.html
[3] BleepingComputer. (2024, January). LockBit Ransomware Group Disrupted by International Law Enforcement Effort. [Online]. Available: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-group-disrupted-by-international-law-enforcement-effort/
[4] Cybersecurity Dashboard. (2024, December). LockBit Ransomware Group Gains Momentum, Hits 60 Victims in December Alone. [Online]. Available: https://cybersecuritydashboard.com/2024/12/15/lockbit-ransomware-group-gains-momentum-hits-60-victims-in-december-alone/
[5] KrebsOnSecurity. (2024, March). LockBit ransomware group now has thousands of affiliates and is behind hundreds of attacks. [Online]. Available: https://krebsonsecurity.com/2024/03/lockbit-ransomware-group-now-has-thousands-of-affiliates-and-is-behind-hundreds-of-attacks/
The disregard for politics and geographical boundaries demonstrated by the LockBit ransomware group raises concerns for cybersecurity and for crime and justice more broadly. This unfazed approach to targeting organizations in sensitive sectors such as finance and technology could have profound implications for the global economy.
The LockBit ransomware group's revenue streams are not limited to ransom payments from targeted organizations, but also include fees for affiliate membership and registration. Reports suggest that the core operator accumulated around $456,000 from affiliates' ransom payments, while actual earnings from auto-registration invitations were much lower, highlighting the financial workings of such organizations.
The LockBit ransomware group's audacious approach to cybercriminal activity extends beyond their technological capabilities, raising questions about the role of politics in supporting or hindering their activities. Understanding the geopolitical landscape and potential alliances could provide valuable insights into the strategies and tactics used by cybercriminal groups like LockBit.