Who is Lockbit? Cybercrime Gang Adds Major Bank to List of Victims

Reed McIntire
29 December 2023
Arabic version | Chinese version | German version | Spanish version

The cybercrime gang Lockbit has claimed responsibility for a ransomware attack on the Industrial and Commercial Bank of China (ICBC), a world leader in asset lending. While ICBC swiftly regained control of its systems by paying an undisclosed ransom, the attack has left many worried about future similar incidents. First emerging in 2019, the group has quickly made a name for itself with its widespread cyberattacks against high-profile targets.

The name Lockbit refers both to the group and to the ransomware software they have become known for. Ransomware refers to a specific type of malware which is used to infect systems and lock out the primary users unless certain demands are met. These attacks are often initiated through “phishing attempts” where a link or file is sent to a system and opened by an unwitting user, thus allowing the virus to enter the system. Lockbit has developed its own version of this malware and also sells it to other malicious actors on the so-called ‘dark web’. Lockbit ransomware is among the most popular, being used in an estimated 28% of all ransomware attacks in the past year.

Increasingly, groups such as Lockbit have been offering their services to other organizations. This “ransomware-as-a-service” (Raas) complicates matters further, making motivations and identities even murkier. However, many of the high-profile attacks on record have been claimed by Lockbit itself.

Currently, the group has targeted extremely high-profile institutions and businesses. The UK’s Royal Post and Ministry of Defence, Boeing, and Japanese manufacturer Shimano are among the most prominent victims, but the group has also targeted 2000 individuals in the US. Usually, the group demands money in return for system control and victim data. These demands have reportedly made Lockbit more than $100 million in the United States alone, as US banks have reported.

The ICBC has since cleared its systems of Lockbit’s malware, but the threat remains for many others. Strangely, the attack was only targeted against the US branch of the bank, leaving the others branches unaffected. Whether this has any political reason is unclear. In June, the US Department of Justice charged a Russian national for suspected ties to Lockbit attacks around the world. However, the group remains unfazed and its decentralized nature makes it difficult for law enforcement to act.

The Lockbit group remains a mystery to the public. They are said to originate from post-Soviet countries in Eastern Europe. However, their own website claims they are based in the Netherlands. So far, their attacks have had no overt political bias and they have never claimed allegiance to a state or ideology.

Their website also defines certain potential targets as forbidden, such as critical infrastructure, institutions whose compromise could lead to death, and former Eastern bloc nations such as Russia, Lithuania or Moldova. However, these measures do not entirely prevent damage from being done. Earlier this year, a Canadian children’s hospital was victimized by the group, but Lockbit subsequently released an apology and released decryption tools as well as claiming to remove the affiliate responsible for the attack.

With Lockbit still at large, cybersecurity experts advise strong passwords, account management and network monitoring to minimize cybercrime risk. By increasing security, damages from malware can be minimized or maybe even avoided.

Lockbit’s business model is lucrative and effective. With RAAS success on the rise, other dark-web actors are cashing in on this multi-million-dollar criminal enterprise. The public and authorities are wondering who the next target will be.