The HHS Health Sector Cybersecurity Coordination Center (HC3) is warning of a rising threat from LockBit, a two-year-old ransomware variant that in June released a new version with faster encryption plus double extortion of victims.

LockBit also has restarted its affiliate program, which allows experienced hackers to set their own ransom and choose the method of payment, paying the LockBit gang around 20% of the total, HC3 said.^[1]

“LockBit is ransomware as a service,” Senad Aruc, lead cybersecurity architect for Cisco, said during a recent webinar on the variant sponsored by the International Information System Security Certification Consortium.^[2] “We all know software as a service, right? We’ve managed to evolve to ransomware as a service.”

Ransomware as a service, or RaaS, is a new business model in which the ransomware creators sell or lease their ransomware variants to affiliates, who then use them to carry out attacks, Aruc said. The business model often includes a platform in the form of a management panel, he said, and customers of LockBit service use this management panel to create new ransomware samples, manage victims and get statistics about their attacks.

“They hire people—actually through a job posting,” Aruc said. “They hire very skillful hackers who are going to use their platform for free to attack victims.” The creators then receive 10% to 30% of the ransomware proceeds as a commission, he said, adding, “it’s a pure, very well designed business.”

In addition, the ransomware owners often provide virtual machines, exploits and tools for their affiliates to support their attacks, Aruc said. “Each affiliate has access to a panel where they can monitor their victims and communicate with them,” he said. Meanwhile, the ransomware creators “are always going to push [their affiliates] to overachieve,” Aruc said, potentially increasing the rewards as affiliates earn money. “The business is huge,” he said. “They know, out of 10 victims, two of them are going to pay or one of them is going to pay.”