The LockBit ransomware gang has launched roughly 1,700 attacks in the United States and received approximately $91 million in ransom payments, the US government says.
Active since at least January 2020, LockBit operates under the Ransomware-as-a-Service (RaaS) model, where affiliates use the malware and its infrastructure to target organizations in the critical infrastructure, education, energy, government and emergency response, financial services, food and agriculture, healthcare, manufacturing, and transportation sectors.
Last year, LockBit accounted for roughly one-fifth of all ransomware attacks observed in Australia, Canada, New Zealand, and the US, a joint advisory from Australian, Canadian, French, German, New Zealand, and US government agencies shows.
Since its first occurrence in January 2020, LockBit has received several major changes, with at least four variants currently available to RaaS affiliates, namely LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker. However, it appears that LockBit 3.0 widely took over previous versions.
LockBit’s operators also maintain a leak site where they publish the names of their victims and the data stolen from them, if they do not pay the ransom. However only victims subjected to double extortion are listed there.
“Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates’ total victims,” the joint advisory reads.
LockBit operators have been observed using dozens of freeware and open-source tools in attacks, for reconnaissance, tunneling, remote access, credential dumping, and data exfiltration. They also use PowerShell and batch scripts and penetration-testing tools such as Metasploit and Cobalt Strike.
The attackers were also seen exploiting numerous vulnerabilities, such as the recent Fortra GoAnyhwere remote code execution (RCE) and PaperCut MF/NG improper access control flaws, as well as older bugs in Apache Log4j2, F5 BIG-IP, NetLogon, Microsoft remote desktop services, Fortinet FortiOS, and F5 iControl.
LockBit hackers were also observed attempting secondary extortion after compromising a company responsible for managing other organizations’ networks. The attackers attempted to extort the victim organization’s customers by locking down their services or by threatening to publish sensitive information.
The joint advisory also provides information on the tactics, techniques, and procedures (TTPs) used by LockBit affiliates, as well as mitigation recommendations for initial access, privilege escalation, persistence, code execution, lateral movement, credential access, and data exfiltration.