China and the US were hardest-hit by the LockBit ransomware group between December 2024 and April this year, research shows, with affiliates targeting 156 organizations in all.
Trellix Advanced Research Center has released its analysis of the LockBit SQL database dump it observed in May, noting that China was probably the greatest focus because of its large industrial base and manufacturing sector.
"Unlike BlackBasta and Conti RaaS groups that occasionally probe Chinese targets without encrypting them, LockBit appears willing to operate within Chinese borders and disregard potential political consequences, marking an interesting divergence in their approach," the researchers said.
Meanwhile, affiliates such as BaleyBeach, umarbishop47, and btcdrugdealer were active in the US, where attacks appeared to be more spread out among affiliates, suggesting a more opportunistic approach rather than specialized targeting.
Taiwan was the third most-targeted country, followed by Brazil and Turkey. One group, Swan, had a broad geographic reach, targeting multiple European countries including Austria, Czech Republic, and Switzerland.
This, researchers pointed out, indicates sophistication in the group's ability to navigate different regulatory environments.
"The victimology data reveals some unexpected targeting patterns. It's particularly surprising to see such a concentrated effort on Chinese and Taiwanese organizations," the researchers said.
"Unlike other ransomware groups that might shy away from such politically sensitive targets, LockBit appears to have operated with a different calculus."
LockBit affiliates are diversifying targets
Manufacturing was the most frequently targeted sector, followed by consumer services, the finance sector, and government services.
After analyzing LockBit negotiation chats, Trellix researchers discovered 18 confirmed payments to cryptocurrency wallets believed to be under the control of LockBit affiliates, netting them around $2,337,000.
"The data paints a picture of varying strategies, with initial ransom demands ranging from modest to exorbitant. What’s clear is that substantial discounts were the norm, often between 10% and 80%, highlighting the haggling that goes on behind the scenes of these cyber extortion attempts," researchers said.
"Affiliate success within LockBit varied significantly, indicating differences in skill and potentially specialization in specific familiar industries and/or countries."
The LockBit owner appears to have been charging affiliates 20% of ransom payments, adding up to around $456,000 over the period.
It made a lot less from auto-registration invitations, though - around $10,000 to $11,000.
"The assertion made by LockBit on the RAMP underground forum, which claimed monthly earnings of $100,000 from auto-registration, is thus considered to be significantly exaggerated," the researchers said.
LockBit is still causing havoc
LockBit was once one of the most prolific and successful ransomware-as-a-service groups, but was disrupted early last year by international law enforcement bodies.
Since then, a number of group members and affiliates have been arrested.
The group's exaggerated claims of earnings, researchers said, shows how cyber criminals are inclined to hype up their successes and downplay their failures.
"What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities," they said.
"While profitable, it’s far from the perfectly orchestrated, massively lucrative operation they’d like the world to believe it is."
MORE FROM ITPRO
- Building ransomware resilience to avoid paying out
- CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- UK government officials consider banning ransomware payments
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
