Everything you want to know about the LockBit ransomware gang

Cybersecurity agencies from seven countries including Canada and the U.S. have released a joint background paper on the Lockbit ransomware gang to help defenders watch for signs of compromise.

It’s a prolific operation: Up to Q1 2023, 1,653 alleged victims had been listed on LockBit leak sites since 2020.

According to a report from Flashpoint, last month ransomware gangs listed 344 victims on their data leak sites. LockBit claimed 96 of them.

The U.S. estimates victim organizations in that country alone have paid the gang US$91 million in ransoms since LockBit activity was first seen in January, 2020.

Canada estimates LockBit was responsible for 22 per cent of attributed ransomware incidents here last year. The U.S. says 16 per cent of reported ransomware attacks on government entities in the country — including schools and police forces — were identified as LockBit.

Despite actions by police in many countries to stamp out ransomware gangs, LockBit — and others — continue to thrive. The most recent LockBit attack in the U.S. was detected in May.

LockBit is a Ransomware-as-a-Service (RaaS) model, where affiliates are recruited to conduct ransomware attacks using the gang’s tools and infrastructure. Due to the large number of unconnected affiliates in the operation, the report notes, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). “This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat,” the report says.

One way the gang gets the loyalty of crooks: Affiliates receive their ransom payments before a cut goes to the LockBit creators. “This practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates’ cut,” the report notes.

Now in version 3.0, also known as LockBit Black, the malware shares similarities with the BlackMatter and the BlackCat/AlphV ransomware strains.

Defenders should note that LockBit attackers often use PowerShell and batch scripts for system discovery, reconnaissance, password/credential hunting and privilege escalation.  Another tip-off: Unapproved evidence of professional penetration-testing tools such as Metasploit and Cobalt Strike.

Defenders should also watch for unapproved evidence of common open-source tools used by LockBit affiliates for initial access, including 7-zip, AnyDesk, BackStab, TeamViewer and others.

LockBit affiliates rely on unpatched application vulnerabilities to break into networks. The most recent are:

  • CVE-2023-0669: Fortra GoAnywhere Managed File Transfer (MFT) Remote Code Execution Vulnerability and
  • CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability.

The report adds one other warning: LockBit affiliates take advantage of supply chain opportunities. New Zealand’s Computer Emergency Response Team (CERT NZ) notes that if a Lockbit affiliate cracks an organization responsible for managing other organizations’ networks — like a managed service provider — it will attempt to break into the customers’ networks. The service provider’s customers may be also extorted by LockBit affiliates threatening to release those customers’ sensitive information.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs