The LockBit ransomware gang has launched roughly 1,700 attacks in the United States and received approximately $91 million in ransom payments, the US government says.
Active since at least January 2020, LockBit operates under the Ransomware-as-a-Service (RaaS) model, where affiliates use the malware and its infrastructure to target organizations in the critical infrastructure, education, energy, government and emergency response, financial services, food and agriculture, healthcare, manufacturing, and transportation sectors.
Last year, LockBit accounted for roughly one-fifth of all ransomware attacks observed in Australia, Canada, New Zealand, and the US, a joint advisory from Australian, Canadian, French, German, New Zealand, and US government agencies shows.
Since its first occurrence in January 2020, LockBit has received several major changes, with at least four variants currently available to RaaS affiliates, namely LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker. However, it appears that LockBit 3.0 widely took over previous versions.
LockBit’s operators also maintain a leak site where they publish the names of their victims and the data stolen from them, if they do not pay the ransom. However only victims subjected to double extortion are listed there.
“Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates’ total victims,” the joint advisory reads.
LockBit operators have been observed using dozens of freeware and open-source tools in attacks, for reconnaissance, tunneling, remote access, credential dumping, and data exfiltration. They also use PowerShell and batch scripts and penetration-testing tools such as Metasploit and Cobalt Strike.
The attackers were also seen exploiting numerous vulnerabilities, such as the recent Fortra GoAnyhwere remote code execution (RCE) and PaperCut MF/NG improper access control flaws, as well as older bugs in Apache Log4j2, F5 BIG-IP, NetLogon, Microsoft remote desktop services, Fortinet FortiOS, and F5 iControl.
LockBit hackers were also observed attempting secondary extortion after compromising a company responsible for managing other organizations’ networks. The attackers attempted to extort the victim organization’s customers by locking down their services or by threatening to publish sensitive information.
The joint advisory also provides information on the tactics, techniques, and procedures (TTPs) used by LockBit affiliates, as well as mitigation recommendations for initial access, privilege escalation, persistence, code execution, lateral movement, credential access, and data exfiltration.
Related: US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS
Related: Russian National Arrested in Canada Over LockBit Ransomware Attacks

More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
