Cybersecurity agencies from seven countries, including Canada and the U.S., have released a joint background paper on the LockBit ransomware gang to help defenders watch for signs of compromise.
It’s a prolific operation: Up to Q1 2023, 1,653 alleged victims had been listed on LockBit leak sites since 2020.
According to a report from Flashpoint, last month ransomware gangs listed 344 victims on their data leak sites. LockBit claimed 96 of them.
The U.S. estimates that victim organizations in that country alone have paid the gang US$91 million in ransoms since LockBit activity was first seen in January 2020.
Canada estimates LockBit was responsible for 22 per cent of attributed ransomware incidents here last year. The U.S. says 16 per cent of reported ransomware attacks on government entities in the country — including schools and police forces — were identified as LockBit.
Despite actions by police in many countries to stamp out ransomware gangs, LockBit — and others — continue to thrive. The most recent LockBit attack in the U.S. was detected in May.
LockBit is a Ransomware-as-a-Service (RaaS) model, where affiliates are recruited to conduct ransomware attacks using the gang’s tools and infrastructure. Due to the large number of unconnected affiliates in the operation, the report notes, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). “This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat,” the report says.
One way the gang gets the loyalty of crooks: Affiliates receive their ransom payments before a cut goes to the LockBit creators. “This practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates’ cut,” the report notes.
Now in version 3.0, also known as LockBit Black, the malware shares similarities with the BlackMatter and BlackCat/ALPHV ransomware strains.
Defenders should note that LockBit attackers often use PowerShell and batch scripts for system discovery, reconnaissance, password/credential hunting and privilege escalation. Another tip-off is the presence of professional penetration-testing frameworks such as Metasploit and Cobalt Strike on systems where no test has been approved.
Defenders should also watch for unapproved instances of freeware and open-source tools that LockBit affiliates repurpose once inside a network, including 7-Zip (archiving data before exfiltration), AnyDesk and TeamViewer (remote access), BackStab (disabling endpoint detection agents) and others.
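The tip-offs in the two paragraphs above, turned into a check that runs over process-creation events. This is an added example, not code from the advisory, the agencies or the article: the event field names (host, user, image, command_line), the discovery-command patterns, the 7-Zip password-switch check and the per-host allowlist are illustrative assumptions, and the sample events are constructed rather than real telemetry.

```python
"""Flag LockBit-style tip-offs in process-creation events.

Added example, not code from the advisory or the article: the field names,
the indicator patterns and the per-host allowlist are illustrative assumptions.
"""
from __future__ import annotations

import base64
import re

# Tools named in the advisory, grouped by what an affiliate uses them for.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
EDR_KILLERS = {"backstab.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Illustrative discovery / credential-hunting fragments (assumption, not the
# advisory's list): AD enumeration, DC lookup, account enumeration, privilege
# listing, and grepping files for passwords.
DISCOVERY = re.compile(
    r"(get-ad(user|computer|group)|nltest(\.exe)?\s+/dclist|net1?(\.exe)?\s+(user|group|localgroup)"
    r"|whoami(\.exe)?\s+/all|findstr(\.exe)?\s+/si\s+pass)",
    re.IGNORECASE,
)

# Per-host allowlist (assumption): where a remote-access tool is sanctioned its
# presence is not a finding. "Unapproved" is what makes the tool a tip-off.
APPROVED = {"HELPDESK-01": {"teamviewer.exe"}}


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd: str) -> str:
    """Return the payload of a PowerShell -EncodedCommand (base64 of UTF-16LE), or ''."""
    m = re.search(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]+)", cmd, re.IGNORECASE)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def evaluate(event: dict) -> list[str]:
    """Return the tip-offs raised by one process-creation event."""
    findings: list[str] = []
    image = image_name(event["image"])
    cmd = event.get("command_line", "")
    approved = APPROVED.get(event["host"], set())

    if image in REMOTE_ACCESS_TOOLS and image not in approved:
        findings.append(f"unapproved remote-access tool: {image}")
    if image in EDR_KILLERS:
        findings.append(f"EDR-disabling tool: {image}")
    # 7-Zip invoked with a -p<password> switch: data being staged for exfiltration.
    if image in ARCHIVERS and re.search(r"\s-p\S+", cmd):
        findings.append("password-protected archive staged with 7-Zip")
    if image in SHELLS:
        decoded = decode_encoded_command(cmd)
        if decoded:
            findings.append("encoded PowerShell command")
        # Match both the raw command line and the decoded payload, so base64
        # does not hide the discovery cmdlets.
        if DISCOVERY.search(cmd) or DISCOVERY.search(decoded):
            findings.append("discovery/credential-hunting command line")
    return findings


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group findings by host; several distinct tip-offs on one host is the signal to act on."""
    by_host: dict[str, list[str]] = {}
    for ev in events:
        for finding in evaluate(ev):
            by_host.setdefault(ev["host"], []).append(finding)
    return by_host


# Constructed sample events in a simplified Sysmon-style shape (not real telemetry).
ENCODED = base64.b64encode("Get-ADComputer -Filter *".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "HELPDESK-01", "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "command_line": "TeamViewer.exe"},
    {"host": "FS-02", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"host": "FS-02", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"host": "FS-02", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\7z.exe",
     "command_line": "7z.exe a -pHunter2 -mhe=on finance.7z D:\\Finance"},
    {"host": "FS-02", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\backstab.exe", "command_line": "backstab.exe"},
    {"host": "DC-01", "user": "CORP\\admin",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(findings))
```

The allowlist carries the weight of the word "unapproved": the same TeamViewer binary is noise on a helpdesk workstation and a finding on a file server, so the tool name alone is not the indicator. Decoding -EncodedCommand before matching matters because affiliates' discovery cmdlets would otherwise sit invisibly inside base64. In production the events would come from Sysmon Event ID 1 or Windows Event ID 4688 with command-line auditing enabled rather than a hand-built list, and the patterns would be tuned to the environment.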
LockBit affiliates rely on unpatched application vulnerabilities to break into networks. The most recent are:
- CVE-2023-0669: Fortra GoAnywhere Managed File Transfer (MFT) Remote Code Execution Vulnerability and
- CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability.
The report adds one other warning: LockBit affiliates take advantage of supply chain opportunities. New Zealand's Computer Emergency Response Team (CERT NZ) notes that if a LockBit affiliate compromises an organization that manages other organizations' networks, such as a managed service provider, it will attempt to break into the customers' networks. The service provider's customers may also be extorted by LockBit affiliates threatening to release those customers' sensitive information.