On May 7, 2024, the UK’s National Crime Agency (NCA), together with international law-enforcement partners, published detailed metrics recovered from the backend of the LockBit ransomware group, seized in the February 2024 Operation Cronos takedown. The data exposes a large affiliate network and the structural weaknesses of the business model behind it. The findings give unusual insight into the difficulties affiliates face and what that implies for future ransomware-as-a-service (RaaS) operations. This article gives CISOs an overview of LockBit’s structure, its strategic missteps, and recommendations for countering such threats.
LockBit’s Business Model Breakdown
LockBit operates as a RaaS platform: a network of affiliates carries out the intrusions and deploys ransomware using LockBit’s tooling and infrastructure. Affiliates receive a full toolkit, including a builder for customized ransomware payloads, data-exfiltration software, and negotiation guidance. The platform supports the whole attack lifecycle: victims are directed to a Tor-hosted portal to negotiate, and those who refuse to pay are named, with their stolen data published, on the group’s leak site. Affiliates keep around 70-80% of each ransom and the LockBit administrators take the rest. LockBitSupp, the persona of the group’s chief administrator, runs the network, oversees ransom demands, and enforces the group’s rules.
Analyzing the Affiliate Network Metrics
Of the 194 affiliates onboarded, only 148 ever built an attack with the platform. Of those, 119 entered negotiations with a victim, and just 80 received a ransom payment. In other words, 114 affiliates (59%) never received any payment at all, which points to crowding, ineffective tradecraft, and thin support from the platform. Even among affiliates who reached the negotiation stage, only 67% (80 of 119) were paid: affiliates often overestimated their targets’ willingness to pay or negotiated poorly, and internal competition for high-value targets further reduced their odds. Two caveats apply when reading these numbers. The data runs only up to the February 2024 seizure, so some affiliates may have been cut off mid-campaign, and the counts are per affiliate rather than per victim, so a handful of prolific affiliates can account for a large share of total attacks.
Geographic Insights and Market Analysis
The USA led the attack volume with 1,299 targeted entities, about 18% of all LockBit attacks, followed by the UK, France, Germany, and China. Although only around 30% of attacks overall led to a negotiation, US victims made up nearly half of those negotiations, suggesting that US organizations were more likely to engage, whether for economic or cultural reasons. LockBit administrators flagged 72 victims as “important,” most of them based in the USA, a deliberate prioritization of entities judged likely to pay large ransoms. Note that these figures come from LockBit’s own panel records, so they count the group’s attack builds and case files rather than independently confirmed compromises.
Economic Implications and Competitive Analysis
- Market Saturation: LockBit’s large affiliate base overcrowded the market, so attacks overlapped and profitability fell. Internal conflicts, too many ransom demands aimed at the same pool of victims, and the absence of any way for affiliates to differentiate themselves all worked against affiliate success.
- Risk vs. Reward: Affiliates carry significant risk in LockBit’s centralized model, where LockBitSupp tightly controls the infrastructure and the revenue split. Centralization also means that a single seizure exposes every affiliate’s records at once, which is exactly how this dataset came to exist. Many affiliates lacked sound targeting methods or negotiation skills, while competition for a limited set of targets and external disruption (notably Operation Cronos, the February 2024 law-enforcement takedown of LockBit’s infrastructure) undermined the network’s ability to operate.
- Comparison with Other Ransomware Groups: Relative to other RaaS groups, LockBit’s turnkey tooling gave less skilled affiliates an easy entry point, at the cost of high failure rates. Groups such as Maze and Babuk kept smaller affiliate networks, while centralized operations such as REvil and Conti ran into problems similar to LockBit’s.
Prospective Evolution of RaaS Business Ecosystem and Operations
- Targeting and Segmentation Strategies: Affiliates are likely to refine their understanding of target weaknesses and to favor regions where victims more readily negotiate, weighing regulatory pressure, cyber-insurance practices, and reputational exposure when setting ransom demands. CISOs should track emerging patterns to spot such strategic shifts and strengthen collaboration across governments, companies, and vendors on region-specific defensive measures.
- Improved Negotiation Capabilities: Psychological profiling and a better grasp of victim behavior would improve affiliates’ negotiation outcomes, and RaaS operators may fold data-driven negotiation playbooks into their toolkits to predict victim responses. Security teams should prepare their own negotiation playbook in advance: decide with legal counsel the conditions under which the organization would engage or pay (including sanctions screening of the counterparty), retain an experienced negotiator, train key stakeholders to withstand deadline and leak pressure, and rehearse the decision in tabletop exercises alongside the incident response plan.
- Diversification: Affiliates may branch into adjacent cybercrime verticals such as business email compromise (BEC) and supply chain breaches to complement ransomware. CISOs should watch for these shifts in tactics and push their organizations toward zero-trust architectures, stronger vendor risk assessments, and hardened email and collaboration platforms.
- Decentralized Business Architecture: Future RaaS models may move toward semi-autonomous, peer-to-peer structures to reduce dependence on a single administrator. Blockchain technology and smart contracts have been suggested as a way for affiliates to share intelligence and split ransom payments transparently, though that transparency cuts both ways, since public ledgers are exactly what blockchain-analysis firms and law enforcement use to trace funds. Monitoring discussion of decentralized protocols on criminal forums will matter, as will better information sharing between governments and cybersecurity firms.
Conclusion
The data released by the NCA shows the high-risk, high-failure nature of LockBit’s business model and the difficulties its affiliates faced. Despite a large attack volume, competition, inadequate support, and centralized control left most affiliates without a payout. Ransomware nonetheless remains a lucrative market, and future RaaS operations are likely to evolve toward more decentralized networks, diversified tactics, and sharper targeting. Security teams must keep following these dynamics to anticipate evolving threats and protect their organizations.