LockBit: The Ransomware Empire

Malmon Profile

Classification: Ransomware/Criminal ⭐⭐⭐
Discovery Credit: Multiple security vendors, 2019
First Documented: September 2019
Threat Level: Advanced (Ransomware-as-a-Service operation)

Malmon Card Reference


LockBit is a sophisticated ransomware-as-a-service operation that became one of the most prolific ransomware families. Operating through affiliate networks, LockBit combines rapid file encryption with data theft for double extortion tactics. Its professional criminal infrastructure includes customer support, negotiation services, and automated payment systems. LockBit's efficiency and widespread deployment made it a dominant threat in the ransomware landscape until major law enforcement disruptions in 2024.

🔥 Ransomware-as-a-Service: Professional criminal operation with affiliate network and customer support
Double Extortion: Combines file encryption with data theft for increased payment pressure
🔮 Rapid Encryption: Extremely fast file encryption algorithms minimize the detection window
⬆️ Criminal Enterprise: Expands into multiple criminal services with international reach
💎 Backup Systems: Defeated by comprehensive, tested backup and recovery procedures

Property Ratings:
  • 🔍 Detection: 5
  • 🔒 Persistence: 7
  • 📡 Spread: 8
  • 💣 Payload: 10
  • 🥷 Evasion: 7

Technical Characteristics

MITRE ATT&CK Mapping

  • Initial Access: T1566.001 (Spearphishing Attachment)
  • Lateral Movement: T1210 (Exploitation of Remote Services)
  • Impact: T1486 (Data Encrypted for Impact)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

T1566.001 Spearphishing Attachment (Tactic: Initial Access)
  • Description: Initial access through malicious email attachments and compromised RDP
  • Mitigation: Email security, RDP hardening, multi-factor authentication
  • Detection: Email analysis, RDP monitoring, authentication logging

T1486 Data Encrypted for Impact (Tactic: Impact)
  • Description: Encrypts files using advanced encryption and demands ransom payment
  • Mitigation: Backup systems, file monitoring, incident response planning
  • Detection: File modification monitoring, encryption behavior, ransom notes

T1210 Exploitation of Remote Services (Tactic: Lateral Movement)
  • Description: Exploits vulnerabilities in remote services for network propagation
  • Mitigation: Patch management, network segmentation, service hardening
  • Detection: Network monitoring, exploit detection, vulnerability scanning
IM Facilitation Notes:
  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies
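The T1486 detection column (file modification monitoring, encryption behavior, ransom notes) as one worked heuristic: flag a process that renames a burst of files to a new extension within a short window and note whether it also dropped a ransom-note-like file. This is an added example, not code from the original page or from any Malmon material; the log format, the process names and the ransom-note filename pattern are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-event log (not real telemetry).
# Format assumed here: "<ISO time> <host> <process> <WRITE|RENAME> <path>[ -> <newpath>]"
SAMPLE_LOG = """\
2024-03-01T09:00:01 WS01 winword.exe WRITE C:\\Users\\amy\\notes.docx
2024-03-01T09:00:05 WS01 unk_proc.exe RENAME C:\\Share\\q1.xlsx -> C:\\Share\\q1.xlsx.lockbit
2024-03-01T09:00:06 WS01 unk_proc.exe RENAME C:\\Share\\q2.xlsx -> C:\\Share\\q2.xlsx.lockbit
2024-03-01T09:00:06 WS01 unk_proc.exe RENAME C:\\Share\\plan.pdf -> C:\\Share\\plan.pdf.lockbit
2024-03-01T09:00:07 WS01 unk_proc.exe RENAME C:\\Share\\hr.db -> C:\\Share\\hr.db.lockbit
2024-03-01T09:00:08 WS01 unk_proc.exe RENAME C:\\Share\\ceo.pptx -> C:\\Share\\ceo.pptx.lockbit
2024-03-01T09:00:09 WS01 unk_proc.exe WRITE C:\\Share\\Restore-My-Files.txt
2024-03-01T09:30:00 WS02 explorer.exe RENAME C:\\Users\\bob\\a.txt -> C:\\Users\\bob\\b.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (WRITE|RENAME) (.+?)(?: -> (.+))?$")
# Hypothetical ransom-note naming pattern; tune to the note names seen in your own incidents.
NOTE_RE = re.compile(r"(restore|recover|readme|decrypt).*\.txt$", re.IGNORECASE)

def parse(log):
    """Turn log lines into (time, host, process, action, path, newpath) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, proc, action, path, new = m.groups()
            events.append((datetime.fromisoformat(ts), host, proc, action, path, new))
    return events

def detect(events, window_s=60, threshold=5):
    """Alert on (host, process) pairs doing >= threshold extension-changing renames
    inside one window; record whether that pair also wrote a ransom-note-like file."""
    renames = defaultdict(list)   # (host, proc) -> timestamps of extension-changing renames
    notes = set()                 # (host, proc) pairs that wrote a note-like file
    for ts, host, proc, action, path, new in events:
        key = (host, proc)
        if action == "RENAME" and new and new.rsplit(".", 1)[-1] != path.rsplit(".", 1)[-1]:
            renames[key].append(ts)
        elif action == "WRITE" and NOTE_RE.search(path.rsplit("\\", 1)[-1]):
            notes.add(key)
    alerts = []
    for key, stamps in renames.items():
        stamps.sort()
        for i, start in enumerate(stamps):   # sliding window over rename timestamps
            burst = [t for t in stamps[i:] if t - start <= timedelta(seconds=window_s)]
            if len(burst) >= threshold:
                alerts.append({"host": key[0], "process": key[1],
                               "renames": len(burst), "ransom_note": key in notes})
                break
    return alerts
```

The explorer.exe rename on WS02 keeps its extension and so is never counted, which is the point of keying on extension changes rather than on rename volume alone.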

Core Capabilities

Ransomware-as-a-Service Model:

  • Sophisticated affiliate program with profit sharing
  • Automated deployment and management tools
  • Professional customer support for victims
  • +3 bonus to organizational disruption and profit generation

Double Extortion Strategy:

  • Encrypts files AND steals sensitive data before encryption
  • Threatens public release of stolen data if ransom isn’t paid
  • Uses leaked data as additional pressure for payment
  • +2 bonus to victim compliance and payment success

StealBit Data Theft Module (Hidden Ability):

  • Automatically identifies and exfiltrates valuable data
  • Targets specific file types and sensitive information
  • Uploads stolen data to attacker-controlled infrastructure
  • Triggers evolution to triple extortion with DDoS attacks

Type Effectiveness Against LockBit

Understanding which security controls work best against advanced Ransomware threats like LockBit:

  • Trojan: weak to Detection; resists Training
  • Worm: weak to Isolation; resists Backup
  • Ransomware: weak to Backup; resists Encryption
  • Rootkit: weak to Forensics; resists Detection
  • APT: weak to Intelligence
  • Phishing: weak to Training
  • Botnet: weak to Coordination
  • Infostealer: weak to Encryption

Key Strategic Insights for IMs:

  • Most Effective: Backup Systems (defeats encryption), Business Continuity Planning, Network Isolation (prevents spread)
  • Moderately Effective: Behavioral Analysis (detects encryption activities), System Restoration, Law Enforcement Coordination
  • Least Effective: Signature Detection (constantly evolving), User Education (professional operations), Payment/Negotiation

Ransomware-as-a-Service Considerations:
This represents professional criminal operations - emphasize business continuity, backup integrity, and coordinated response over technical containment alone.

Vulnerabilities

Law Enforcement Disruption:

  • Centralized infrastructure creates single points of failure
  • International cooperation can disrupt operations
  • -3 penalty when coordinated law enforcement action occurs

Backup and Recovery Resilience:

  • Organizations with tested offline backups can recover without payment
  • Business continuity planning reduces impact
  • Immutable backup systems defeat encryption attacks

Facilitation Guide

Pre-Session Preparation

Choose LockBit When:

  • Advanced teams ready for sophisticated criminal operations
  • Business continuity and crisis management concepts need emphasis
  • Double extortion and data protection should be demonstrated
  • Organizational decision-making under pressure is a learning objective
  • Law enforcement coordination scenarios are desired

Avoid LockBit When:

  • New teams who haven’t mastered basic ransomware response
  • Technical-only focus where business impact isn’t relevant
  • Organizations uncomfortable with payment/compliance discussions

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

  • “All workstations displaying identical ransom messages”
  • “File servers showing widespread file encryption”
  • “Threat actors contacted executives directly about stolen data”
  • “Business operations completely halted across all locations”

IM Question Progression:

  1. “What distinguishes this from typical ransomware attacks?”
  2. “How does data theft change the threat landscape?”
  3. “What does professional criminal operation suggest about capabilities?”
  4. “How do you respond when attackers have already stolen your data?”

Double Extortion Revelation: Introduce: “The attackers are threatening to publish your stolen customer data if you don’t pay within 72 hours…”

Investigation Phase (Round 2) Facilitation

Business Impact Assessment:

  • “How do you calculate the cost of data exposure versus ransom payment?”
  • “What stakeholders need to be involved in payment decisions?”
  • “How do you assess damage when both encryption and theft occurred?”

Criminal Operation Analysis:

  • “What does the sophistication of this operation tell us about the threat actors?”
  • “How do you investigate when facing professional criminal enterprises?”
  • “What law enforcement resources might be available for this type of threat?”

Response Phase (Round 3) Facilitation

Strategic Decision Making:

  • “How do you balance immediate recovery with long-term security?”
  • “What factors determine whether to involve law enforcement?”
  • “How do you coordinate response when facing multiple simultaneous threats?”

Recovery and Prevention:

  • “What changes are needed to prevent future ransomware success?”
  • “How do you rebuild stakeholder confidence after a major breach?”

LockBit represents the professionalization of cybercrime, teaching lessons about business continuity, crisis decision-making, and the evolving landscape of financially motivated threats.