The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and its international cybersecurity agency partners have issued a cybersecurity advisory about the LockBit ransomware operation, which has extorted $91 million from organizations in the United States since 2020 across 1,700 attacks.
“This joint advisory on LockBit is another example of effective collaboration with our partners to provide timely and actionable resources to help all organizations understand and defend against this ransomware activity,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur.”
The LockBit ransomware-as-a-service operation is the most prolific RaaS group, having listed more victims on its data leak site than any other ransomware operation. LockBit was behind 16% of ransomware attacks on state, local, tribal, and tribunal (SLTT) governments in 2022 and was the most commonly deployed ransomware variant last year. The group has attacked organizations of all sizes, including critical infrastructure entities such as financial services, food & agriculture, education, and healthcare, and 2023 attacks have continued in high numbers.
There are several reasons why LockBit has become the most prolific RaaS operation. Affiliates are recruited to conduct attacks and receive a share of the ransoms they generate, as is the case with other RaaS operations; however, LockBit pays its affiliates faster and provides them with their cut of ransom payments before payment is received by core members of the group. The group has developed an easy-to-use interface for its affiliates which lowers the bar for new affiliates, who require less technical skill to start conducting ransomware attacks than with other ransomware variants. The group also engages in publicity-generating exercises, disparages other RaaS operations, and has even taken steps to discourage individuals from disclosing the identity of the lead member of the group (LockBitSupp) to law enforcement by offering a $1 million bounty on information that could lead to LockBitSupp’s identification.
Get the FREE
HIPAA Compliance Checklist
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
Due to the large number of affiliates working within the LockBit operation, the tactics, techniques, and procedures (TTPs) used in attacks are diverse so network defenders face significant challenges defending against attacks. The security advisory details the TTPs that CISA, the FBI, and their international cybersecurity partners have observed in LockBit ransomware attacks over the past 3 years, along with a lengthy list of mitigations to help network defenders take proactive steps to improve their defenses against LockBit attacks. The advisory includes around 30 different freeware and open source tools that have been used by LockBit affiliates, 9 CVEs that are known to have been exploited, and more than 40 MITRE ATT&CK techniques for initial access, discovery, credential access, privilege escalation, lateral movement, persistence, defense evasion, collection, command and control, data exfiltration, and execution.
“The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, and encouraged all victims of cybercrime to report incidents to their local FBI field office.