Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
LockBit 5.0 Ransomware: The Evolving Threat

10 January 2026 14:31

Cybercrime continues to reinvent itself, and LockBit is one of the most prominent examples. Active since late 2019, the group has become one of the most prolific ransomware operators ever observed. According to a recent analysis by AhnLab, the gang not only shows no signs of slowing down, but has also introduced a new variant, LockBit 5.0, which targets a wide range of organizations, from large IT operators to smaller entities like local churches.

Despite international law enforcement operations, LockBit remains operational thanks to its flexible structure and ability to rapidly adapt tools and strategies. The group adopts the Ransomware-as-a-Service (RaaS) model, a kind of criminal franchise: the main developers create the malware, while a network of affiliates handles intrusions and attacks on the ground.

The numbers reported by AhnLab confirm the group’s impact. Between August 2021 and August 2022, LockBit was responsible for 30.25% of known ransomware attacks. Throughout 2023, its share remained around 21%, still a significant percentage in the global threat landscape.

Operations follow a well-established three-phase pattern. The first involves gaining initial access, through vulnerability exploitation, brute-force attacks, or phishing campaigns. This is followed by lateral movement, during which attackers escalate privileges to gain control of the entire network. The final phase is the most destructive: ransomware distribution, including file encryption and data exfiltration using dedicated tools like Stealbit.

LockBit 5.0 represents a further technical leap forward, especially in terms of automation and speed. The malware is designed to be extremely flexible: it can receive various parameters at execution time, but can also function without specific configuration. This feature allows even less experienced affiliates to successfully carry out the attack.

As part of its strategy to pressure victims, the group operates a website dedicated to publishing stolen data, used to publicly expose those who refuse to pay the ransom. Currently, AhnLab’s report indicates that no South Korean companies appear on this list, but the victim base remains global. The affected sectors include IT, electronics, law firms, and religious organizations.

A particularly notable aspect of LockBit 5.0 is the communication approach used in the ransom demands. The group attempts to present itself not as a simple criminal gang, but as a supposed service provider. Messages to compromised targets mention “Premium Criminal Branding Services” and promise, in exchange for payment, measures such as a delay in data disclosure or even free fixes for exploited vulnerabilities.

The notes also include an unusual “Strategic Manifesto,” in which the authors declare their intention to pursue profits without attracting excessive attention, stating that they want to be “greedy like REvil, not noisy like LockBit.” This stance appears to be at odds with the group’s already high profile.

The economic impact of these activities remains enormous. According to the report, ransom demands and recovery costs associated with LockBit attacks have caused overall losses amounting to billions of dollars. Security experts emphasize that the evolution represented by LockBit 5.0 demonstrates the resilience of the group, which continues to pose a real threat to organizations of all sizes.

The analysts’ recommendation is clear: companies must go beyond basic defenses and prepare for the specific techniques adopted by LockBit 5.0, particularly the rapid exfiltration of data that precedes system encryption.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.