LockBit victims in the US alone paid over $90m in ransoms since 2020

Seven nations today issued an alert, plus protection tips, about LockBit, the prolific ransomware-as-a-service gang.

The group's affiliates remains a global scourge, costing US victims alone more than $90 million from roughly 1,700 attacks since 2020, we're told.

The joint security advisory — issued by the US Cybersecurity and Infrastructure Security Agency (CISA), FBI, Multi-State Information Sharing and Analysis Center (MS-ISAC), and cybersecurity authorities in Australia, Canada, the UK, Germany, France, and New Zealand — includes details of common tools and exploits used by the criminals, along with recommendations to avoid ransomware infections or reduce the impact of future ones.

It's essentially a mini manual [PDF] to identifying, stopping, and reporting LockBit activity. The nations also urged victims not to give in to the crew's demands:

The gang, now on version 3.0 of its data-encrypting-and-stealing malware, began incorporating source code from the Conti ransomware in January, and using encryptors targeting macOS as seen on VirusTotal. 

LockBit, both the core crew and its affiliate operators, target organizations across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

Some of the more recent victims include Managed Care of North America, one of the biggest government-backed dental care and insurance providers in the US. Earlier this year, the criminals broke into MCNA's servers, hung around for 10 days and extracted info on nearly 9 million people. 

In January, the gang "formally apologized" for breaking into the systems of Canada's largest children's hospital, SickKids, blaming a since-ditched affiliate group for an extortion attack and offering a free decryptor for the victim to recover the files.

But before thinking that the ransomware-as-a-service group has gone soft, it's worth remembering the gang's ransomware attack last summer against France's Center Hospitalier Sud Francilien.

The crew has been linked to Russia, and in May Uncle Sam sanctioned a Russian national, Mikhail Pavlovich Matveev, accused of using LockBit and other ransomware to extort a law enforcement agency and nonprofit healthcare organization in New Jersey, as well as the Metropolitan Police Department in Washington DC, among "numerous" other victim organizations in the US and globally.

These Kremlin ties are another reason not to pay, according to Tom Kellermann, SVP of cyber strategy at Contrast Security.

"Lockbit's cybercrime wave is significant, notably the proceeds of which helped Russia offset some western economic sanctions," Kellermann told The Register. "The most nefarious ransomware gangs are affiliated with cybercrime cartels that enjoy a pax mafiosa with the Russian government."    

MLM, but make it ransomware

LockBit was the most used ransomware in 2022 globally and thus far in 2023, according to the seven countries. This is largely due to the gang's large number of affiliates, which, in exchange for paying upfront and subscription fees, get a cut of the ransom payments.

They also employ a bunch of publicity stunts to attract new members, including paying people to get LockBit tattoos and hyping a $1 million bounty on information related to the identity of the big boss, who goes by "LockBitSupp." 

"Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs)," the advisory notes.

This includes using some 30 freeware and open-source tools, all of which are detailed in the security alert, and the FBI has mapped more than 40 of the gang's TTPs to the MITRE ATT&CK frameworks.

• Criminals spent 10 days in US dental insurer's systems extracting data of 9 million
• LockBit crew cooks up half-baked Mac ransomware
• Ransomware-as-a-service groups rain money on their affiliates
• Feds offer $10m reward for info on alleged Russian ransomware crim

The criminals have also been spotted exploiting "numerous" CVEs. These include the Fortra GoAnyhwere Managed File Transfer remote code execution (RCE) vulnerability (CVE-2023-0669), the PaperCut MF/NG improper access control flaw (CVE-2023-27350), the Log4j RCE (CVE-2021-44228), the F5 BIG-IP and BIG-IQ Centralized Management iControl REST RCE (CVE-2021-22986), a NetLogon privilege escalation bug (CVE-2020-1472), a Microsoft remote desktop RCE (CVE-2019-0708), and a Fortinet FortiOS SSL-VPN path traversal vulnerability (CVE-2018-13379). 

The latter is not to be confused with another critical bug in the FortiOS SSL-VPN that was discovered, patched, and likely exploited this week. 

After breaking in, encrypting, and then stealing organizations' data, LockBit affiliates publish names and sometimes screenshots of stolen data on their leak sites to try to force the victims to pay the ransom demand. 

Naming and shaming victims

Between January 2020 and the first quarter of 2023, a total of 1,653 alleged victims have been named on LockBit leak sites — although, according to the cyber agencies, this number only represents "a portion" of the affiliates' victims since it only includes those who refuse to pay. 

Also, the leak sites aren't a very reliable indicator of when the attacks occurred because the date of data publication "may be months" after the LockBit affiliates initially infected corporate systems, according to the alert.

Given these caveats, here's a look at how LockBit compares to other ransomware infections across the globe:

From April 1, 2022, to March 31, 2023, LockBit made up 18 percent of total reported Australian ransomware incidents. 

In 2022, LockBit was responsible for 22 percent of attributed ransomware incidents in Canada.

In 2022, New Zealand received 15 reports of LockBit ransomware, representing 23 percent of the year's ransomware reports.

In 2022, 16 percent of the US State, Local, Tribal, and Tribunal government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services such as law enforcement. ®