LockBit affiliates carried out nearly half of all ransomware attacks recorded in Vietnam in 2024; the group operates more than 30,000 cryptocurrency wallet addresses and splits ransoms 20-80 with its affiliates.
Since it began operating in 2019, LockBit has become a cybersecurity threat to organizations and businesses around the world. According to Flashpoint statistics for 2023, LockBit carried out more than 1,000 attacks, accounting for 21% of large-scale attacks recorded globally, twice the figure of the second-placed group, BlackCat. Its best-known cases include incidents involving semiconductor company TSMC, aircraft manufacturer Boeing, and the UK’s Royal Mail postal service.
“LockBit can be considered the largest ransomware organization today,” said Jon DiMaggio, security analyst at cybersecurity company Analyst1.
At the Security Bootcamp 2024 event in Hanoi last week, the group’s activities were one of the topics that drew the most interest from Vietnamese cybersecurity experts, against a backdrop of rising ransomware attacks.
According to statistics from Viettel Cyber Security (VCS), Vietnam has recorded at least 26 ransomware cases from 12 hacker groups since the beginning of the year. LockBit was responsible for 12 of them, nearly 50%, with the malware distributed through affiliates; the most notable was the attack on VnDirect’s systems in March.
Sharing 80% of ransoms with affiliates
In September 2019, the ransomware first appeared under the name ABCD (after the .abcd extension it appended to encrypted files), run by a persona calling itself LockBitSupp. Since 2020 the group has operated under the Ransomware as a Service (RaaS) business model and later expanded to double extortion, combining encryption with data theft.
According to Mr. Nguyen Duc Kien, an analyst at VCS, the recent proliferation of ransomware attacks is driven by the growth of the RaaS model. In this model LockBit provides and runs the ransomware infrastructure, playing the role of the Operator, and keeps only 20% of the money collected in each extortion case. The remaining 80% goes to the affiliates, groups that specialize in breaking into networks and deploying the malware.
“This is a great motivation for attack groups to expand their scope of operations and hunt for new victims, including Vietnamese organizations and businesses,” said Mr. Kien.
Operators and affiliates find each other on cybercrime forums; RAMP, xss.is and exploit.in are the places where these groups advertise their services and arrange to cash out illicit proceeds.
In most attacks, victims are asked to pay in cryptocurrencies such as BTC, ETH, USDT or Zcash, after which the groups use “mixers” to obscure the origin of the funds. Vietnamese experts cited statistics showing that LockBit uses more than 30,000 cryptocurrency wallet addresses, of which about 500 are still active.
LockBit’s danger also lies in its professional operating model. With estimated proceeds of around one billion USD, the group continuously reinvests in improving its tooling. In 2022 it released version 3.0, known as LockBit Black, which is recognizable because it appends an extension of 9 random letters and digits to encrypted files. Security experts in Vietnam identified LockBit 3.0 as the malware used against VnDirect and many other organizations recently.
In the RaaS world, ransomware groups compete with one another to attract affiliates, advertising advanced techniques or a track record of successful extortion. According to security firm Trend Micro, what sets LockBit apart from other ransomware families is its ability to spread on its own: once a server on the network is infected, LockBit searches for other reachable hosts and attempts to infect them too, a capability that is uncommon among ransomware. The group is also willing to act as ransom negotiator between affiliates and victims.
LockBit is also known for its arrogance. When version 3.0 was released in 2022, the group even ran a bug bounty for its own malware and offered a reward of up to USD 1 million to anyone who could identify the LockBit leader.
Dealing with LockBit
Some security experts believe LockBit is based in Russia. The group, however, claims not to be affiliated with any government. On a dark web page it once said it was “based in the Netherlands, completely apolitical, only interested in money”.
LockBit also faces internal conflicts as well as a worldwide manhunt. Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, is believed to be the group’s leader, operating under the handle “LockBitSupp”, and has become a target of law enforcement agencies. According to the US Treasury Department’s website, Khoroshev is not only the group’s core leader but also develops the ransomware himself, taking on multiple operational roles such as upgrading infrastructure, recruiting new developers, and managing LockBit affiliates.
In February, Operation Cronos, a joint operation between the UK’s National Crime Agency (NCA), the US Federal Bureau of Investigation (FBI) and Europol, claimed initial success in cracking down on LockBit. Among other things, the alliance seized several servers and around 7,000 decryption keys, and arrested several people involved.
“From today, LockBit is dismantled. We have had a good fight and caused serious damage to the reputation of this anonymous group,” the Guardian quoted NCA Director General Graeme Biggar as saying.
However, affiliate activity has not stopped and remains rampant around the world. According to Mr. Nguyen Duc Kien, affiliates usually break into an organization’s IT systems through four main routes: leaked system accounts; compromised servers bought from access brokers; passwords obtained through brute-force attacks or phishing; and exploitation of security vulnerabilities in exposed systems.
To deal with ransomware in general and LockBit in particular, VCS experts recommend that organizations secure their backup systems, keeping backups segregated from the production IT environment so that data survives even when the production network is compromised.
In addition, attackers in these encryption attacks typically spend a long time inside a network learning its layout and locating valuable data before encrypting anything. Organizations should therefore review their systems periodically and prioritize continuous monitoring tools so that intrusions are detected early and stopped in time.
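As an added illustration of the kind of early-detection check the experts above are describing (this is not code from VCS or from the article), the script below parses sshd authentication log lines and flags a source address that fails a login more than a threshold number of times inside a short window, which is the brute-force route listed above. It also records whether a successful login followed the burst, the signal that a password was actually discovered. The log lines, host name and IP addresses are constructed sample data; the year is assumed because syslog timestamps omit it.

```python
"""Flag SSH password brute-forcing in auth logs (added example, not VCS code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the common sshd/syslog format (not real telemetry).
# 203.0.113.7 fails five times in seven seconds and then gets in as "admin";
# 198.51.100.4 fails twice, 25 minutes apart, which should not be flagged.
SAMPLE_LOG = """\
Mar 24 02:10:01 app01 sshd[4121]: Failed password for root from 203.0.113.7 port 51922 ssh2
Mar 24 02:10:03 app01 sshd[4121]: Failed password for root from 203.0.113.7 port 51930 ssh2
Mar 24 02:10:04 app01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51941 ssh2
Mar 24 02:10:06 app01 sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51950 ssh2
Mar 24 02:10:08 app01 sshd[4121]: Failed password for admin from 203.0.113.7 port 51963 ssh2
Mar 24 02:10:09 app01 sshd[4121]: Accepted password for admin from 203.0.113.7 port 51970 ssh2
Mar 24 02:15:30 app01 sshd[4188]: Failed password for dev from 198.51.100.4 port 40011 ssh2
Mar 24 02:40:12 app01 sshd[4301]: Failed password for dev from 198.51.100.4 port 40100 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text, year=2024):
    """Return a list of (timestamp, result, user, ip) tuples for recognised lines.

    Syslog lines carry no year, so the caller supplies one (assumed here).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Map source IP -> alert for IPs with >= threshold failures inside the window.

    Uses a sliding window over each IP's failures so a slow, spread-out trickle
    (like 198.51.100.4 above) does not trigger. 'success_after' is True when an
    Accepted login from the same IP follows the failure burst.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        start = 0
        for end in range(len(failures)):
            # Shrink the window from the left until it fits in window_seconds.
            while (failures[end][0] - failures[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                last = burst[-1][0]
                alerts[ip] = {
                    "failures": len(burst),
                    "first": burst[0][0],
                    "last": last,
                    "users": sorted({e[2] for e in burst}),
                    "success_after": any(e[1] == "Accepted" and e[0] >= last for e in evs),
                }
                break  # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse(SAMPLE_LOG)).items():
        tag = "CREDENTIAL COMPROMISED" if alert["success_after"] else "brute force"
        print(f"{ip}: {tag}, {alert['failures']} failures, users={alert['users']}")
```

On the constructed sample, only 203.0.113.7 is reported, with five failures across the accounts root, admin and oracle followed by a successful admin login, which is the case a responder would treat as an active intrusion rather than background scanning. In production the same logic belongs in the SIEM or log pipeline, fed continuously rather than from a file, and the threshold and window should be tuned to the environment.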
At a digital transformation event at the end of September, Mr. Le Van Tuan, Director of the Department of Information Security – Ministry of Information and Communications, said that ransomware has become a bigger problem in Vietnam recently as data has grown increasingly valuable to the operations of organizations and businesses. Since the beginning of the year, a number of large organizations in finance, oil and gas, and logistics have fallen victim to this method.
“Previously, hackers were less interested in the Vietnamese market, but since they knew that businesses could pay, the risk of being attacked has increased,” he said.
Source: VnExpress