Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

US Organizations Paid $91 Million to LockBit Ransomware Gang

LockBit ransomware operators launched 1,700 attacks in the US and received roughly $91 million in ransom payments.

The LockBit ransomware gang has launched roughly 1,700 attacks in the United States and received approximately $91 million in ransom payments, the US government says.

Active since at least January 2020, LockBit operates under the Ransomware-as-a-Service (RaaS) model, where affiliates use the malware and its infrastructure to target organizations in the critical infrastructure, education, energy, government and emergency response, financial services, food and agriculture, healthcare, manufacturing, and transportation sectors.

Last year, LockBit accounted for roughly one-fifth of all ransomware attacks observed in Australia, Canada, New Zealand, and the US, a joint advisory from Australian, Canadian, French, German, New Zealand, and US government agencies shows.

Since its first occurrence in January 2020, LockBit has received several major changes, with at least four variants currently available to RaaS affiliates, namely LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker. However, it appears that LockBit 3.0 widely took over previous versions.

LockBit’s operators also maintain a leak site where they publish the names of their victims and the data stolen from them, if they do not pay the ransom. However only victims subjected to double extortion are listed there.

“Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates’ total victims,” the joint advisory reads.

LockBit operators have been observed using dozens of freeware and open-source tools in attacks, for reconnaissance, tunneling, remote access, credential dumping, and data exfiltration. They also use PowerShell and batch scripts and penetration-testing tools such as Metasploit and Cobalt Strike.

The attackers were also seen exploiting numerous vulnerabilities, such as the recent Fortra GoAnyhwere remote code execution (RCE) and PaperCut MF/NG improper access control flaws, as well as older bugs in Apache Log4j2, F5 BIG-IP, NetLogon, Microsoft remote desktop services, Fortinet FortiOS, and F5 iControl.

Advertisement. Scroll to continue reading.

LockBit hackers were also observed attempting secondary extortion after compromising a company responsible for managing other organizations’ networks. The attackers attempted to extort the victim organization’s customers by locking down their services or by threatening to publish sensitive information.

The joint advisory also provides information on the tactics, techniques, and procedures (TTPs) used by LockBit affiliates, as well as mitigation recommendations for initial access, privilege escalation, persistence, code execution, lateral movement, credential access, and data exfiltration.

Related: US Government Warns Organizations of LockBit 3.0 Ransomware Attacks

Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS

Related: Russian National Arrested in Canada Over LockBit Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.