The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, France, and New Zealand (CERT NZ, NCSC-NZ) have released a joint cyber security advisory covering the tools and tactics of the LockBit ransomware gang.
The advisory, which is published as Understanding Ransomware Threat Actors: LockBit, is a comprehensive resource detailing common tools and exploits, as well as tactics, techniques, and procedures (TTPs) used by LockBit affiliates.
The publication also covers recommended mitigations for organisations to reduce the likelihood and impact of future ransomware incidents.
Advisory headlines
The advisory details:
- Approx. 30 tools used by LockBit affiliates to target and compromise victims
- Over 40 TTPs mapped to the MITRE ATT&CK framework
- A list of known CVEs targeted for exploitation
- Resourses, services, and mitigations for protection against ransomware attacks
“Ransomware remains a major threat to businesses worldwide, including in the UK, and the LockBit operation has been the most active, with widespread consequences. It is essential for organisations to understand the serious consequences that ransomware attacks can have on their operations, finances and reputation”
Paul Chichester – NCSC Director of Operations
Evolution of LockBit
In 2022, LockBit was the most deployed ransomware variant across the world and was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on their data leak site. LockBit continues to be prolific in 2023
Date | Event |
September 2019 | First observed activity of ABCD ransomware, the predecessor to LockBit. |
January 2020 | LockBit-named ransomware first seen on Russian-language based cybercrime forums. |
June 2021 | Appearance of LockBit version 2 (LockBit 2.0), also known as LockBit Red including StealBit, a built-in information-stealing tool. |
October 2021 | Introduction of LockBit Linux-ESXi Locker version 1.0 expanding capabilities to target systems to Linux and VMware ESXi. |
March 2022 | Emergence of LockBit 3.0, also known as LockBit Black, that shares similarities with BlackMatter and Alphv (also known as BlackCat) ransomware. |
September 2022 | Non-LockBit affiliates able to use LockBit 3.0 after its builder was leaked. |
January 2023 | Arrival of LockBit Green incorporating source code from Conti ransomware. |
April 2023 | LockBit ransomware encryptors targeting macOS seen on VirusTotal |
LockBit have targeted organisations in most countries across the globe:
- Australia: From April 1, 2022, to March 31, 2023, LockBit made up 18% of total reported Australian ransomware incidents. This figure includes all variants of LockBit ransomware, not solely LockBit 3.0.
- Canada: In 2022, LockBit was responsible for 22% of attributed ransomware incidents in Canada.
- New Zealand: In 2022, CERT NZ received 15 reports of LockBit ransomware, representing 23% of 2022 ransomware reports.
- United States: In 2022, 16% of the State, Local, Tribal, and Tribunal (SLTT) government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).
- France: Since 2020 11% of ransomware attacks have been atributable to LockBit
Reaping the rewards
In the US alone, since 2020, LockBit have received approx. USD $91M in payments from organisations targeted with the LockBit ransomware vairiants.