LockBit: The godfather of cybercrime

Forget the old hacker stereotypes — the computer nerd in the basement or the international spy with an ambiguous accent. The most powerful cybercrime gang in the world, LockBit, operates like a cross between a Mafia family and a modern corporation, with an administrative staff and customer service. And business — the digital extortion business, that is — has never been better.

The LockBit ransomware strain, first identified in September of 2019, was responsible for more ransomware and digital extortion attacks than any other group in both 2022 and 2023, according to Infosecurity Magazine. Originally known as the ".abcd virus," LockBit is designed to infect all systems on a network, steal data, block user access to system files, and deliver ransom notes with payment instructions and blackmail threats, according to cybersecurity firm Kaspersky.

LockBit is one of many ransomware operators who rely on the Ransomware-as-a-Service (RaaS) affiliate model, selling its services to cybercriminals in exchange for a cut of the profits, according to ZDNET. Customers, called affiliates, pay an initial deposit and gain access to a central control panel where they can customize their ransomware, track victims, and review performance statistics. The control panel even makes it easier to follow through on blackmail threats — affiliates can use the blogging feature to leak stolen data to the rest of the Lockbit cybercrime family.

Little is known about the core LockBit gang, which claims to be based in the Netherlands. Jon DiMaggio, chief security strategist for threat intelligence group Analyst1, told Wired Magazine that he believes the group is really based in Russia. The leader, known only as LockBitSupp, has also claimed to live in the U.S. and China at various times, and to co-own two restaurants in New York City. At least two more trusted affiliates are thought to support LockBitSupp behind the scenes.

While LockBit bills itself as a Robin Hood-style gang and technically forbids attacks against critical infrastructure, those standards appear to be flexible. During the past two years, their affiliates have extorted a children's hospital in Canada, paralyzed several Italian hospitals and leaked patient medical and financial data, and shut down the Royal Mail's international shipments in the U.K. for six weeks. It's a crime spree that would even make Michael Corleone blush.