CISA: LockBit Most Active Ransomware Group

Since it first appeared on the scene in its current form in early 2020, the LockBit ransomware has been one of the more troublesome and prevalent strains in circulation, and according to new data from the FBI, LockBit victims in the United States alone have paid the group more than $91 million in ransoms in that time.

The LockBit operation is similar to many other ransomware-as-a-service groups in most respects, renting out its ransomware tools to affiliates who perform the actual ransomware deployment and extortion. But the group has some key differentiators as well, including a unique payment structure in which the affiliates pay themselves first and then send the maintainers their share, which is the reverse of the way it typically works. LockBit also tends to make its admin panel and other tools simpler to use than those of other ransomware operations, a strategy that lowers the barrier to entry for non-technical affiliates.

The LockBit operation is extensive, and its affiliates are responsible for at least 1,600 intrusions since 2020, targeting organizations all around the globe. The affiliates employ a number of different tools and techniques in their operations, including off-the-shelf commercial tools, exploits for known vulnerabilities, and remote access tools.

“LockBit has been successful through innovation and ongoing development of the group’s administrative panel and the RaaS supporting functions. In parallel, affiliates that work with LockBit and other notable variants are constantly revising the TTPs used for deploying and executing ransomware,” a new advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and international security agencies says.

“During their intrusions, LockBit affiliates have been observed using various freeware and open-source tools that are intended for legal use. When repurposed by LockBit, these tools are then used for a range of malicious cyber activity, such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and batch scripts is observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.”

LockBit affiliates are known to use exploits for publicly known vulnerabilities in popular products, such as VMware, F5, Apache, and Fortinet software and appliances. For example, some affiliates have targeted the Apache Log4J bug and bugs in Microsoft’s RDP service. The group’s affiliates also regularly use a model in which they not only demand ransoms from the primary target, but also attempt to extort the target’s customers.

In recent months, LockBit has expanded its reach, releasing a variant that targets macOS, although that variant didn’t work very well. However, given that LockBit is the most active RaaS operation in existence at the moment, the threat to enterprises and other organizations is still quite real.

“In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation,” the advisory says.

CISA and its partners urge enterprises to review their defensive strategies and incident response plans to ensure they’re up to date.