Ransom Note | Image: AhnLab
The hydra of the cybercrime world has grown another head. Since its emergence in late 2019, the LockBit gang has arguably become the most prolific ransomware operator in history. Now, a new analysis by AhnLab confirms that the group is far from finished, unleashing LockBit 5.0 to terrorize industries ranging from IT giants to local churches.
Despite high-profile law enforcement crackdowns, the group’s ability to pivot and upgrade its arsenal keeps it at the top of the threat landscape.
LockBit operates on a Ransomware-as-a-Service (RaaS) model, essentially a franchise system for cybercriminals. The core developers create the sophisticated encryption malware, while affiliates conduct the intrusions.
According to the AhnLab report, “From August 2021 to August 2022, LockBit accounted for 30.25% of known ransomware attacks, and in 2023, it made up around 21% of the attacks”.
The group utilizes a ruthless three-stage attack methodology:
- Initial Access: Gained through vulnerability exploitation, credential brute-forcing, or phishing.
- Lateral Movement: Escalating privileges and moving through the network until the attackers control it.
- Deployment: Exfiltrating data using tools such as Stealbit, then encrypting files.
The latest variant, LockBit 5.0, represents a continued evolution in automation and speed. The malware is designed for flexibility. As noted in the analysis, “LockBit 5.0 can receive various parameters upon execution, but it can operate normally” without them, so even inexperienced affiliates can successfully detonate the payload.
The group maintains a dedicated Data Leak Site (DLS) to shame victims who refuse to pay. While the report notes that “no South Korean companies are included on the list” currently, the global scope is massive, with victims identified in “IT, electronics, law firms, and churches”.
Perhaps the most chilling aspect of LockBit 5.0 is the psychological warfare embedded in its ransom notes. The group presents itself not as thugs, but as a high-end service provider.
The ransom note explicitly advertises “Premium Criminal Branding Services,” promising that paying the ransom will grant the victim a “data breach delay” or even “complimentary vulnerability remediation”.
The note even includes a bizarre “Strategic Manifesto,” where the attackers claim, “We want greedy like REvil, not loud like LockBit”. This suggests a desire to maximize profits while potentially trying to minimize the kind of law enforcement heat that dismantled other groups—though their continued notoriety makes “staying quiet” unlikely.
The financial toll of these attacks is immense. The report highlights that “the group’s extortion demands and recovery costs have resulted in billions of dollars in losses”.
Security experts warn that this new version demonstrates the group’s resilience. As the report puts it, “Despite the efforts of law enforcement agencies, LockBit continues to pose a serious threat to cybersecurity worldwide”.
Organizations are urged to look beyond basic defenses and prepare for the specific tactics used by LockBit 5.0, including the rapid exfiltration of data before encryption occurs.