US Organizations Paid $91 Million to LockBit Ransomware Gang


According to the US government, the LockBit ransomware gang has carried out approximately 1,700 attacks in the United States, amassing ransom payments of around $91 million.

Key Takeaways on the LockBit Ransomware Gang:

  • The LockBit ransomware gang has conducted around 1,700 attacks in the United States, resulting in approximately $91 million in ransom payments.
  • LockBit operates under the Ransomware-as-a-Service (RaaS) model and targets organizations in various sectors, including critical infrastructure, education, energy, government, financial services, healthcare, and more.
  • The gang maintains a leak site where they publish the names of victims and stolen data if the ransom is not paid, but only victims subjected to double extortion are listed.

LockBit Ransomware Gang’s Operations and Reach

The group has been active since at least January 2020 and operates through the Ransomware-as-a-Service (RaaS) model.

Targeted Sectors and International Impact

LockBit affiliates utilize the malware and infrastructure to target organizations across various sectors. These sectors include critical infrastructure, education, energy, government and emergency response, financial services, food and agriculture, healthcare, manufacturing, and transportation.

In a joint advisory, government agencies from Australia, Canada, France, Germany, New Zealand, and the US revealed that LockBit accounted for nearly one-fifth of all observed ransomware attacks in these countries.

Evolution of LockBit and RaaS Variants

Since its initial emergence, LockBit has undergone significant changes. Presently, there are four known variants available to RaaS affiliates: LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker. LockBit 3.0 seems to be the most widely used version, superseding the previous iterations.

Leak Site and Double Extortion

LockBit’s operators maintain a leak site where they publish the names of victims and the stolen data if the primary ransom is not paid. However, it is important to note that only victims subjected to double extortion, where data is also exfiltrated, are listed on the leak site. As a result, the disclosed information represents only a portion of LockBit affiliates’ total victims.

Tactics and Tools Employed by LockBit

LockBit operators employ various freeware and open-source tools for different stages of their attacks, including reconnaissance, tunneling, remote access, credential dumping, and data exfiltration. They utilize scripting languages such as PowerShell and batch scripts, as well as penetration-testing tools like Metasploit and Cobalt Strike.

Exploitation of Vulnerabilities and Secondary Extortion

The attackers have been observed exploiting multiple vulnerabilities, including recent flaws like Fortra GoAnywhere remote code execution (RCE) and PaperCut MF/NG improper access control, as well as older bugs in Apache Log4j2, F5 BIG-IP, NetLogon, Microsoft Remote Desktop Services, Fortinet FortiOS, and F5 iControl. Furthermore, LockBit hackers have attempted secondary extortion by targeting a company responsible for managing other organizations’ networks, aiming to extort the victim organization’s customers by restricting services or threatening to disclose sensitive information.

Conclusion

The LockBit ransomware gang has posed a significant threat to organizations, with a wide range of sectors falling victim to their attacks.

Their operations have resulted in substantial ransom payments, highlighting the urgent need for robust cybersecurity measures and adherence to mitigation recommendations provided by government agencies.

Proactive defense strategies and timely patching of vulnerabilities are crucial in mitigating the impact of such ransomware attacks.
