Everything you want to know about the LockBit ransomware gang

Cybersecurity agencies from seven countries including Canada and the U.S. have released a joint background paper on the Lockbit ransomware gang to help defenders watch for signs of compromise.

It’s a prolific operation: Up to Q1 2023, 1,653 alleged victims had been listed on LockBit leak sites since 2020.

According to a report from Flashpoint, last month ransomware gangs listed 344 victims on their data leak sites. LockBit claimed 96 of them.

The U.S. estimates victim organizations in that country alone have paid the gang US$91 million in ransoms since LockBit activity was first seen in January, 2020.

Canada estimates LockBit was responsible for 22 per cent of attributed ransomware incidents here last year. The U.S. says 16 per cent of reported ransomware attacks on government entities in the country — including schools and police forces — were identified as LockBit.

Despite actions by police in many countries to stamp out ransomware gangs, LockBit — and others — continue to thrive. The most recent LockBit attack in the U.S. was detected in May.

LockBit is a Ransomware-as-a-Service (RaaS) model, where affiliates are recruited to conduct ransomware attacks using the gang’s tools and infrastructure. Due to the large number of unconnected affiliates in the operation, the report notes, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). “This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat,” the report says.

One way the gang gets the loyalty of crooks: Affiliates receive their ransom payments before a cut goes to the LockBit creators. “This practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates’ cut,” the report notes.

Now in version 3.0, also known as LockBit Black, the malware shares similarities with the BlackMatter and the BlackCat/AlphV ransomware strains.

Defenders should note that LockBit attackers often use PowerShell and batch scripts for system discovery, reconnaissance, password/credential hunting and privilege escalation.  Another tip-off: Unapproved evidence of professional penetration-testing tools such as Metasploit and Cobalt Strike.

Defenders should also watch for unapproved evidence of common open-source tools used by LockBit affiliates for initial access, including 7-zip, AnyDesk, BackStab, TeamViewer and others.

LockBit affiliates rely on unpatched application vulnerabilities to break into networks. The most recent are:

  • CVE-2023-0669: Fortra GoAnywhere Managed File Transfer (MFT) Remote Code Execution Vulnerability and
  • CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability.

The report adds one other warning: LockBit affiliates take advantage of supply chain opportunities. New Zealand’s Computer Emergency Response Team (CERT NZ) notes that if a Lockbit affiliate cracks an organization responsible for managing other organizations’ networks — like a managed service provider — it will attempt to break into the customers’ networks. The service provider’s customers may be also extorted by LockBit affiliates threatening to release those customers’ sensitive information.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now