The Unrelenting Menace of the LockBit Ransomware Gang
LockBit frequently expands its malware with new features, but above all, the malware’s characteristic trait is that it's simple and easy to use. At its core, the ransomware has always offered anti-detection capabilities, tools for circumventing Microsoft Windows defenses, and features for privilege escalation within a compromised device. LockBit uses publicly available hacking tools when it can, but it also develops custom capabilities. The 2022 FBI report noted that the group sometimes uses previously unknown or zero day vulnerabilities in its attacks. And the group has the capability to target many different types of systems.
“It's not just Windows. They'll attack Linux, they'll go after your virtual host machines,” Mackenzie says. “They offer a solid payment system. There's a lot of backend infrastructure that comes with this. It's just a well-made product, unfortunately.” In October, it was reported that LockBit’s malware was deployed after a zero day was used to hack Microsoft Exchange servers—a relatively rare occurrence when it comes to ransomware gangs.
“There are additional features that make the ransomware more dangerous—for example, having worm components to it,” Segura adds. “They've also discussed things like doing denial-of-service attacks against victims, in addition to the extortion.”
With the release of LockBit 3.0, the group also signaled its intention to evolve. It introduced the first ransomware bug bounty scheme, promising to pay legitimate security researchers or criminals who could identify flaws in its website or encryption software. LockBit said it would pay anyone $1 million if they could name who is behind LockBitSupp, the public persona of the group.
The core members at the top of LockBit seem to include its leader and one or two other trusted partners. Analyst1’s DiMaggio, who has tracked the actors for years, notes that the group claims to be based in the Netherlands. Its leader has said at various times that he personally operates out of China or even the United States, where he has said he is a part owner of two restaurants in New York City. LockBit members all seem to be Russian-speaking, though, and DiMaggio says that while he cannot be certain, he believes the group is based in Russia.
“The leader doesn’t seem to have any concern about being arrested. He thinks he’s a supervillain, and he plays the part well,” DiMaggio says. “But I do believe he has a healthy concern that if the Russian government were to get their hooks in him, he would have to make the decision to turn over most of his money to them or do work for them like helping them with the Ukraine war.”
Despite LockBit’s relative professionalism, the group has, at times, slipped into showboating and bizarre behavior. During desperate efforts to get attention—and attract affiliates—in its early months, the criminal group held an essay-writing competition and paid prizes to the winners. And in September 2022, the group memorably posted a message on a cybercrime forum claiming it would pay anyone $1,000 if they got the LockBit logo tattooed on themselves. Around 20 people shared photos and videos with their feet, wrists, arms, and chests all branded with the cybercrime gang’s logo.
LockBit’s meteoric rise and recent attacks against high-profile targets could ultimately be its downfall, though. Notorious ransomware groups have been infiltrated, exposed, and disrupted in recent years. Before Russia’s full-scale invasion of Ukraine in February 2022, the Russian Federal Security Service (FSB) arrested high-profile REvil hackers, although the group has since returned. Meanwhile, the US military hacking unit Cyber Command has admitted to disrupting some ransomware groups. And a Ukrainian cybersecurity researcher contributed to the downfall of the Conti ransomware brand last year after infiltrating the group and publishing more than 60,000 of the group’s internal chat messages.