
LockBit Unmasked: Jon Marler of VikingCloud Delves Into the Infamous Ransomware Group and How Organizations Can Defend Themselves

In our latest LockBit Q&A, we sit down with Jon Marler, a renowned Cyber Evangelist from VikingCloud, to unravel the complexities of LockBit’s operational strategies and their recent resurgence despite law enforcement efforts. Jon offers his expert insights into the structural dynamics of this elusive group and their innovative approach to ransomware, providing valuable perspectives on the challenges and adaptations necessary in today's cybersecurity landscape.

Jon Marler, VikingCloud

Can you share insights on LockBit’s organizational structure and how they operate?

LockBit is evidently run by a single person at the head of the organization who goes by the handle “LockBitSupp.” However, it is unclear whether that person has been the same person since the group’s inception. This leader sets the direction of the group, makes public statements, and directs the various teams that develop, maintain, and support their ransomware-as-a-service product. This is somewhat comparable to the “Dread Pirate Roberts” identity from the Silk Road, where a single alias was used by multiple individuals over time.

 

Despite recent FBI efforts to shut it down, LockBit has recently announced the relaunch of its ransomware. How is LockBit able to remain resilient?

LockBit is not a new organization; it was formed from previous cyber groups and has learned from past challenges. The FBI’s recent action was not a full takedown, but rather a compromise of LockBit’s website, allowing for data extraction, exfiltration, and defacement. The FBI exploited unpatched vulnerabilities in one of LockBit’s public-facing servers, gaining access to subscriber data and leading to the arrests of some individuals using LockBit’s ransomware service.

However, this operation did not dismantle the core of LockBit. Similar to how law enforcement arrests lower-level targets while the supply chain remains intact, LockBit’s key developers and leadership were not affected. I predicted that they would be back online very quickly, and I was correct. LockBit quickly restored operations, as anticipated. While the breach temporarily disrupted its cash flow, it had little long-term impact. In fact, LockBit used the increased attention to its advantage, even releasing stolen FBI data to reinforce its presence.

 

How does LockBit’s approach to ransomware differ from traditional ransomware attacks?

The primary differentiator of LockBit’s ransomware is what happens to a victim’s data once it is encrypted. Traditionally, ransomware would encrypt the data in place and offer a decryption key in exchange for a ransom. In this scenario, if the victim refuses to pay, the group gets nothing for their efforts. LockBit goes a step further by exfiltrating the data, releasing encrypted versions of the files using BitTorrent trackers hosted on the dark web, and offering the decryption keys to anyone who pays the bounty, including the victim.

Additionally, LockBit has created a ransomware-as-a-service toolkit that makes deploying the ransomware extremely easy for users who are not deeply technical. LockBit gets paid before the affiliate receives payment, so they are guaranteed to make a profit. The group offers tech support and participates in a wide range of online forums to assist their customers.

 

What challenges might enterprises face with LockBit’s anticipated resurgence?

LockBit isn’t a hacking group; rather, it provides ransomware tools to affiliates who carry out the actual attacks. This means the primary threat to enterprises comes from these affiliates, not LockBit directly. LockBit’s tools are one of many that threat actors use when compromising organizations to monetize the attack. In order to protect themselves against a wide range of attacks, enterprises should continue to increase their cybersecurity posture by partnering with experienced cybersecurity experts to ensure their internal teams are not stretched too thin, investing in new advanced technology to stay ahead of cybercriminals, and providing thorough cyber training for their employees.

 

What are the key vulnerabilities exploited by ransomware groups, and how can businesses proactively address them?

LockBit’s tools have built-in exploits for a wide range of known vulnerabilities, but the group does not develop its own exploits or discover zero-day attacks. This means the attack methods used by LockBit are already known. However, more advanced and skilled attackers may use other techniques, including zero-day exploits, to breach well-protected targets. Once inside, they will deploy LockBit ransomware as part of their attack. Enterprises must implement proactive strategies, robust defense systems, and technology to mitigate these rapidly evolving risks.

 

How can enterprises prepare for increasingly sophisticated cyberattacks, especially as hackers leverage advanced technologies like AI?

The primary success factor is the ability to adapt and respond faster than the attackers can. Lower-skilled attackers using LockBit’s built-in exploits will be easier to defend against as they will be using known vulnerabilities with known mitigation steps. Staying ahead of attackers by hardening systems, preparing and properly executing incident management plans, and utilizing the latest cybersecurity technologies will help protect organizations against a wider range of attackers. Comprehensive breach detection monitoring can also help quickly identify breaches by advanced attackers using sophisticated tools, including AI, reducing both detection time and overall impact.

 

What challenges do enterprises encounter when integrating new technology into their cybersecurity strategies, and what steps can they take to overcome these obstacles effectively?

The biggest challenge in adopting new technologies is the skills gap. If your primary business focus is not in cybersecurity, maintaining a high knowledge and skill level in the latest technologies is extremely difficult. Without experience responding to threats across a wide range of environments, internal teams may struggle to apply their knowledge effectively.

Enterprises can overcome this challenge by partnering with a sophisticated cybersecurity partner, like a managed security service provider, that is expert in utilizing advanced threat mitigation tools to stay ahead of sophisticated threats. 
