Inside LockBit: Technical, Behavioral, and Financial Anatomy of a Ransomware Empire
Felipe Castaño, Constantinos Patsakis, Francesco Zola, Fran Casino
TL;DR
The paper investigates LockBit, a leading ransomware-as-a-service operation, by analyzing a leaked MySQL admin panel and negotiation chats to reconstruct its technical evolution, attacker behavior, and money flows. It maps LockBit 3.0's enhancements over 2.0 to MITRE ATT&CK, derives a canonical negotiation playbook from NLP clustering and LLM labeling, and traces ransom payments through a graph-based cryptocurrency analysis that reveals a consistent 20/80 cash-out pattern and two large collector addresses linked to exchanges. Key findings include rapid tool iteration, a repeatable social-engineering playbook, and an industrial-scale cash-out pipeline, underscoring LockBit's resilience as a tightly integrated service. These insights inform defensive strategies across technical, behavioral, and financial dimensions and highlight the need for cross-domain intelligence to disrupt both operations and money-laundering chains.
Abstract
LockBit has evolved from an obscure Ransomware-as-a-Service newcomer in 2019 to the most prolific ransomware franchise of 2024. Leveraging a recently leaked MySQL dump of the gang's management panel, this study offers an end-to-end reconstruction of LockBit's technical, behavioral, and financial apparatus. We recall the family's version timeline and map its tactics, techniques, and procedures to MITRE ATT&CK, highlighting the incremental hardening that distinguishes LockBit 3.0 from its predecessors. We then analyze 51 negotiation chat logs using natural-language embeddings and clustering to infer a canonical interaction playbook, revealing recurrent rhetorical stages that underpin the double-extortion strategy. Finally, we trace 19 Bitcoin addresses related to ransom payment chains, revealing two distinct patterns based on different laundering phases. In both cases, a small portion of the ransom is immediately split into long-lived addresses (presumably retained by the group as profit and to finance further operations) while the remainder is ultimately aggregated into two high-volume addresses before likely being sent to the affiliate. These two collector addresses appear to belong to distinct exchanges, each processing over 200k BTC. The combined evidence portrays LockBit as a tightly integrated criminal service whose resilience rests on rapid code iteration, script-driven social engineering, and industrial-scale cash-out pipelines.
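The abstract describes a graph-based trace in which a small share of each ransom is split off at the first hop into long-lived addresses while the remainder is forwarded along a chain into a few high-volume collector addresses. The following Python script is an added example, not code from the paper and not the authors' analysis tooling: it walks a small constructed transaction graph (all addresses, transaction ids and amounts are made up for illustration) to measure the first-hop retained/forwarded split for each ransom address and to rank terminal addresses by how many distinct ransom chains feed them. It assumes single-input transactions so that output amounts can be attributed to one upstream ransom address without mixing heuristics, and it treats any address that is never used as a transaction input within the dataset as "long-lived".

```python
"""Heuristic first-hop split and collector ranking over a constructed Bitcoin
transaction graph. Added example; addresses, txids and amounts are constructed."""
from collections import defaultdict

# Constructed transactions: (txid, input addresses, [(output address, BTC)]).
# Amounts drop slightly along a chain to stand in for mining fees.
TXS = [
    ("tx1", ["victim_A"], [("ransom_A", 10.0)]),
    ("tx2", ["ransom_A"], [("keep_A1", 2.0), ("hop_A1", 8.0)]),
    ("tx3", ["hop_A1"], [("hop_A2", 7.99)]),
    ("tx4", ["hop_A2"], [("collector_X", 7.98)]),
    ("tx5", ["victim_B"], [("ransom_B", 5.0)]),
    ("tx6", ["ransom_B"], [("keep_B1", 0.5), ("keep_B2", 0.5), ("hop_B1", 4.0)]),
    ("tx7", ["hop_B1"], [("collector_X", 3.99)]),
    ("tx8", ["victim_C"], [("ransom_C", 2.0)]),
    ("tx9", ["ransom_C"], [("keep_C1", 0.4), ("hop_C1", 1.6)]),
    ("tx10", ["hop_C1"], [("collector_Y", 1.59)]),
]


def build_index(txs):
    """Map each address to the txids that spend from it, plus a txid lookup."""
    spends = defaultdict(list)
    for txid, inputs, _outputs in txs:
        for addr in inputs:
            spends[addr].append(txid)
    by_id = {tx[0]: tx for tx in txs}
    return spends, by_id


def first_hop_split(ransom_addr, txs):
    """Return (retained_share, forwarded_share) of the first spend from a ransom address.

    'Retained' outputs go to addresses never spent again in the dataset (long-lived);
    'forwarded' outputs go to addresses that are spent onward (hops toward a collector).
    Assumption: the ransom address is emptied by a single spending transaction.
    """
    spends, by_id = build_index(txs)
    if ransom_addr not in spends:
        return None  # unspent so far: no cash-out to measure
    _, _, outputs = by_id[spends[ransom_addr][0]]
    total = sum(v for _, v in outputs)
    retained = sum(v for addr, v in outputs if addr not in spends)
    return round(retained / total, 4), round((total - retained) / total, 4)


def trace_terminals(ransom_addr, txs):
    """Follow every spend downstream from a ransom address and accumulate the BTC
    landing on terminal (never-spent) addresses. Single-input transactions are
    assumed, so each output is attributed wholly to this ransom chain."""
    spends, by_id = build_index(txs)
    terminals = defaultdict(float)
    frontier, seen = [ransom_addr], set()
    while frontier:
        addr = frontier.pop()
        if addr in seen:
            continue
        seen.add(addr)
        for txid in spends.get(addr, []):
            for out_addr, value in by_id[txid][2]:
                if out_addr in spends:
                    frontier.append(out_addr)
                else:
                    terminals[out_addr] += value
    return dict(terminals)


def rank_collectors(ransom_addrs, txs, min_sources=2):
    """Rank terminal addresses by inbound BTC, keeping only those fed by at least
    `min_sources` distinct ransom chains (the aggregation signature of a collector)."""
    inbound, sources = defaultdict(float), defaultdict(set)
    for ransom in ransom_addrs:
        for terminal, value in trace_terminals(ransom, txs).items():
            inbound[terminal] += value
            sources[terminal].add(ransom)
    ranked = [(t, round(v, 4), len(sources[t])) for t, v in inbound.items()
              if len(sources[t]) >= min_sources]
    return sorted(ranked, key=lambda row: -row[1])


if __name__ == "__main__":
    ransoms = ["ransom_A", "ransom_B", "ransom_C"]
    for r in ransoms:
        print(r, "retained/forwarded:", first_hop_split(r, TXS))
    print("collectors:", rank_collectors(ransoms, TXS))
```

On real chain data the two assumptions (single-input spends and "never spent in the dataset" as a proxy for long-lived) are the weak points: multi-input transactions need common-input-ownership or similar clustering before amounts can be attributed, and an address that is merely dormant for the observation window may still be spent later, so the retained share should be recomputed as the window grows.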