LockBit Extortionists Made $91 Million from US Victims Alone Since 2020

A joint advisory by CISA and the FBI offers some interesting statistics about the LockBit ransomware operation, currently the most deployed type of ransomware across the world.

Understanding Ransomware Threat Actors: LockBit is a big effort of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the cybersecurity authorities of Australia, Canada, the UK, Germany, France and New Zealand.

The resource describes common tools, exploitations, and tactics, techniques and procedures (TTPs) used by LockBit affiliates, along with recommended mitigations for organizations to reduce the likelihood and impact of future ransomware incidents.

The document also includes statistics about the infamous hacking group. For example, LockBit has breached a whopping 1,700 entities in the US alone since the operation started in January of 2020.

In 2022, 16% of the government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks.

“This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement),” according to the advisory.

The group and its affiliates made some $91 million during this time - again, only from US victims, meaning the worldwide figure is much higher.

From April 2022 to March 2023, LockBit accounted for 18% of all ransomware incidents reported in Australia. In Canada, LockBit was responsible for 22% of attributed ransomware incidents in 2022.

The resource also lists some of the methods LockBit has used to attract affiliates. Unlike other players in the ransomware-as-a-service scene, LockBit’s leaders allow affiliates to receive ransom payments before sending a cut to the core group.

“This practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates’ cut,” according to the advisory.

The gang’s bosses also engage in publicity-generating stunts, such as paying people to get LockBit tattoos.

The group is also notorious for offering a simplified, point-and-click interface for its ransomware, making it accessible to affiliates who are not tech savvy.

In November 2022, 33-year-old Mikhail Vasiliev, with dual Russian and Canadian nationality, was arrested in connection with his alleged part in the LockBit ransomware conspiracy.

During a search on Oct 26, officers said they found Vasiliev in his garage, sat in front of a laptop.  They were allegedly able to restrain Vasiliev before he could lock the computer, and noted that it appeared to be logged in to the LockBit control panel.