CISA Alert: LockBit Ransomware Extorted $91 Million from US Organizations

The Cybersecurity and Infrastructure Security Agency (CISA) has warned about LockBit ransomware extorting millions from US organizations after hundreds of attacks.

According to the joint advisory, LockBit ransomware extorted approximately $91 million from US-based organizations after executing about 1,700 attacks since January 5, 2020.

The advisory was released in collaboration with the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and cybersecurity agencies in Australia, Canada, the United Kingdom, Germany, France, and New Zealand.

LockBit ransomware targeted critical infrastructure organizations

For over three years, LockBit ransomware has indiscriminately targeted multiple critical infrastructure organizations for extortion.

“Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation,” CISA wrote.

Past high-profile LockBit victims worldwide include the UK Royal Mail, the Italian Revenue Service, the City of Oakland, California, US software firm Entrust, French security firm Thales, and German automotive giant Continental.

According to antivirus provider Malwarebytes, LockBit ransomware targeted at least 76 victims in May 2023 alone.

In 2022, LockBit executed 576 attacks in the United States, with 16% of all reported State, Local, Tribal, and Territorial (SLTT) government ransomware attacks originating from the group.

Similarly, LockBit was responsible for 18% of all ransomware attacks in Australia from April 2022 to the end of Q1 2023 and 22% of all ransomware attacks in Canada in 2022.

“In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023,” the report indicated.

Additionally, CISA explained that the number of victims might be significantly higher than reported since the group lists only those who refuse to pay the ransom.

CISA and FBI: Implement the recommended mitigations

CISA, FBI, MS-ISAC, and global security partners published a list of freeware, proprietary, and open-source tools and tactics, techniques, and procedures (TTPs) employed by LockBit affiliates to help network defenders mitigate LockBit ransomware attacks.

The agencies noted that LockBit affiliates abused legitimate and dual-use tools such as 7-Zip, FileZilla, AnyDesk, Impacket, ScreenConnect, TeamViewer, Mimikatz, Ngrok, and Process Hacker to gain initial access, exfiltrate data, dump credentials, and perform other post-exploitation activities.

The advisory also listed the vulnerabilities LockBit affiliates exploit most often, including the Fortra GoAnywhere MFT RCE CVE-2023-0669, the Apache Log4j2 RCE CVE-2021-44228, the F5 BIG-IP and BIG-IQ flaw CVE-2021-22986, and the Netlogon privilege escalation vulnerability CVE-2020-1472, among others.

“The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit,” the agency said.

LockBit is a rapidly evolving and professional RaaS operation

CISA noted that LockBit runs a Ransomware-as-a-Service (RaaS) operation comprising unconnected affiliates with varying TTPs.

“This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat,” said CISA.

Since its first detection in September 2019, LockBit ransomware has evolved several times to enhance its operations.

In June 2021, the group unveiled LockBit 2.0 (LockBit Red), bundled with the StealBit exfiltration tool and a malicious insider recruitment program, followed in March 2022 by LockBit 3.0 (LockBit Black), which added a generous bug bounty program and a Zcash cryptocurrency payment option.

In October 2021, the group also released its first LockBit Linux-ESXi Locker, targeting Linux hosts and VMware ESXi virtual machines.

In January 2023, LockBit unveiled LockBit Green incorporating source code from Conti ransomware, with France recording one incident involving the new variant, according to CISA’s alert.

LockBit affiliates apply double extortion, encrypting devices and threatening to leak sensitive information online unless the victim pays the ransom.

Additionally, LockBit ransomware operates a “simplified, point-and-click interface” to lower the entry barrier for low-skilled hackers.

“As we see more and more ‘attack as a service’ offerings, two worrying trends emerge,” noted Dror Liwer, co-founder of Coro. “The ability to execute relatively sophisticated attacks with no deep technical knowledge, lowering the barrier to entry significantly, which results in many more threat actors.”

The group also tries to attract and retain affiliates by paying them first before taking its own share, disparaging rival ransomware groups, and engaging in publicity stunts, such as paying people to get LockBit tattoos.

“LockBit has worked to increase the scope and breadth of attacks by strengthening and professionalizing the business model around their affiliate network, including actively advertising in online forums,” said Sean McNee, VP of Research and Data at DomainTools.

However, LockBit affiliates have also attracted law enforcement’s attention as part of the ongoing crackdown on ransomware groups, leading to several successful arrests.

On June 15, 2023, the US Department of Justice charged a Chechen national, Ruslan Magomedovich Astamirov, 20, for allegedly executing numerous LockBit ransomware attacks in the United States, Asia, Europe, and Africa.