Connect with us

Hi, what are you looking for?



US Organizations Paid $91 Million to LockBit Ransomware Gang

LockBit ransomware operators launched 1,700 attacks in the US and received roughly $91 million in ransom payments.

The LockBit ransomware gang has launched roughly 1,700 attacks in the United States and received approximately $91 million in ransom payments, the US government says.

Active since at least January 2020, LockBit operates under the Ransomware-as-a-Service (RaaS) model, where affiliates use the malware and its infrastructure to target organizations in the critical infrastructure, education, energy, government and emergency response, financial services, food and agriculture, healthcare, manufacturing, and transportation sectors.

Last year, LockBit accounted for roughly one-fifth of all ransomware attacks observed in Australia, Canada, New Zealand, and the US, a joint advisory from Australian, Canadian, French, German, New Zealand, and US government agencies shows.

Since its first occurrence in January 2020, LockBit has received several major changes, with at least four variants currently available to RaaS affiliates, namely LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker. However, it appears that LockBit 3.0 widely took over previous versions.

LockBit’s operators also maintain a leak site where they publish the names of their victims and the data stolen from them, if they do not pay the ransom. However only victims subjected to double extortion are listed there.

“Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates’ total victims,” the joint advisory reads.

LockBit operators have been observed using dozens of freeware and open-source tools in attacks, for reconnaissance, tunneling, remote access, credential dumping, and data exfiltration. They also use PowerShell and batch scripts and penetration-testing tools such as Metasploit and Cobalt Strike.

Advertisement. Scroll to continue reading.

The attackers were also seen exploiting numerous vulnerabilities, such as the recent Fortra GoAnyhwere remote code execution (RCE) and PaperCut MF/NG improper access control flaws, as well as older bugs in Apache Log4j2, F5 BIG-IP, NetLogon, Microsoft remote desktop services, Fortinet FortiOS, and F5 iControl.

LockBit hackers were also observed attempting secondary extortion after compromising a company responsible for managing other organizations’ networks. The attackers attempted to extort the victim organization’s customers by locking down their services or by threatening to publish sensitive information.

The joint advisory also provides information on the tactics, techniques, and procedures (TTPs) used by LockBit affiliates, as well as mitigation recommendations for initial access, privilege escalation, persistence, code execution, lateral movement, credential access, and data exfiltration.

Related: US Government Warns Organizations of LockBit 3.0 Ransomware Attacks

Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS

Related: Russian National Arrested in Canada Over LockBit Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.