Product
Jake Trujillo
Apr 10, 2024
Latest headline
The LockBit Ransomware-as-a-service (RaaS) operation is struggling to recover after being targeted by an international law enforcement operation called "Operation Cronos." It resulted in the seizure of domains, source code, decryption keys, and the arrest of two suspected members.
Despite restoring servers shortly after the takedown, LockBit's reputation within the Ransomware community has suffered. Lockbit's operator was banned from popular hacker forums, and there has been minimal new activity linked to LockBit since the disruption.
Key points:
Initially emerged in 2019
Major evolutions in 2021 and 2022
Targeted by law enforcement in Feb 2024
10,423 IOCs as of publication
Fletch is constantly monitoring the threat landscape. The data in this guide is most up to date as of publication. Check out LockBit's Threat Board for any updates or join the waitlist to be in the know for every threat.
LockBit Ransomware summary
The LockBit RaaS group first emerged as a significant threat in the cybercrime landscape in 2019. It gained significant traction and underwent considerable evolution with the release of LockBit 2.0 in June 2021. Their evolution continued with LockBit 3.0 (LockBit Black) in June 2022, showcasing enhanced capabilities and enabling them to attack a broader range of businesses.
However, their forward momentum has taken a serious hit. In February 2024, LockBit was targeted by the U.K.'s National Crime Agency with “Operation Cronos.” LockBit’s technical infrastructure and public-facing leak site were seized by law enforcement agencies.
The fallout from this operation is affecting the group on all fronts. They have suffered legal repercussions, such as the arrest of two alleged LockBit members. There have been significant disruptions to their operations, such as the freezing of more than 200 crypto accounts linked to the group.
But perhaps the most significant harm done to LockBit came in the form of the reputational damage that has been done in the minds of other threat actors, due to a ‘name-and-shame’ tactic in which agency press releases and decryption keys on their own leak site.
Severity: Low, Quiet
Maturity: Mainstream
IOCs: 10408 Malware hashes and 15 vulnerabilities
Targets: 31 tech targets, 51 industry targets, and 153 geo targets
Learn more about Fletch’s metrics in the Fletch Help Center.
LockBit Ransomware victims and motivations
Once known for exploiting vulnerable smaller businesses, since the release of LockBit 3.0 and their vastly increased capabilities, notable attacks have been carried out against larger corporations like Boeing, Continental, and the Port of Nagoya, as well as various government entities and sectors. The higher value and sensitivity of the compromised data in these attacks allowed them to demand higher ransom, and increased their publicity bolstering their reputation in the cybercriminal community and among cybersecurity practitioners.
LockBit has an indiscriminate approach to victim selection, targeting organizations that span a wide range of sectors, including financial services, healthcare, education, government, energy, and more. The majority of their victims are located in North America, Europe, and the Asia Pacific region. Their targets have changed as their tactics have evolved, and because they are a RaaS (Ransomware as a Service) group, their list of affiliates has also grown their list of targets.
Their motivations are simple. They target opportunistically and sell their services to others in order to achieve as much financial gain as possible.
LockBit Ransomware tactics
The longevity and success of LockBit to this point has lent itself to the group’s versatility and adaptability. They employ various methods to infiltrate networks including phishing, exploiting vulnerabilities in applications, brute-forcing remote desktop protocol (RDP) accounts and more. They are capable of bypassing common security mechanisms like antivirus and EDR solutions.
Much like their targets have changed with growth, so have their tactics. With the release of LockBit 2.0 in June 2021, they introduced double extortion techniques, wherein they not only encrypted sensitive data, but threatened to release it publicly or sell it on the dark web as well.
With LockBit 3.0 (LockBit Black) in June 2022, they enhanced their capabilities for rapid Ransomware deployment and data theft, enabling them to attack an even broader range of businesses.
Mitigation Advice
At the time of publication this was the mitigation advice against LockBit:
Short-Term:
Conduct regular backups of critical data and store them securely offsite
Implement strong access controls and limit user privileges
Ensure all internet-facing applications are up-to-date and patched
Long-Term:
Create strong, unique passwords for all local administrator accounts on the network
Limit the use of privileged accounts and follow best practices for network administration
Make sure all important information is kept safe at rest and in motion by using strong encryption
You can check out the most recent mitigation measures by creating a workspace when you join the Fletch waitlist.
Communication
On top of mitigation advice, Fletch also provides Beta AI generated communications so you can educate your different company stakeholders. At the time of publication, this was what was recommended for the following:
For employees:
For customers:
For more templates for your different stakeholders, create a workspace when you join the Fletch waitlist.
Takeaway
While LockBit is currently struggling to maintain its brand and recover from the recent take down operation, it appears they are working on a new version of LockBit's Ransomware which will feature a new codebase. It will likely reemerge, but when that day comes you can be prepared.
The persistence and sophistication of the LockBit APT group underscore the critical need for continuous vigilance and adaptive security strategies among organizations in various sectors.
LockBit is just one example of an ever evolving threat that requires in-depth cyber intelligence to stay on top of. Fletch helps you keep track of, and prioritizes, them all.
As the de facto record on the threat landscape, our AI engine is constantly scanning and indexing the threat landscape for you so you can plug the gaps in your security. You can use Fletch to prioritize your alerts, detect threats to your tech and people early, or simply to become an instant expert on any threat at any time.
Learn more about Fletch’s threat intelligence or join the waitlist and try it for yourself.
1. CISA [#StopRansomware: LockBit 3.0](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a)
2. TechTarget [Trend Micro: LockBit ransomware gang's comeback is failing](https://www.techtarget.com/searchsecurity/news/366577762/Trend-Micro-LockBit-ransomware-gangs-comeback-is-failing)
3. Cybernews [Boeing claimed by LockBit ransom gang](https://cybernews.com/news/boeing-lockbit-ransomware-attack/)
4. Unit 42 [LockBit 2.0: How This RaaS Operates and How to Protect Against It](https://unit42.paloaltonetworks.com/lockbit-2-ransomware/)
5. World Economic Forum [LockBit: How an international operation seized control of ‘the world’s most harmful cybercrime group’](https://www.weforum.org/agenda/2024/02/lockbit-ransomware-operation-cronos-cybercrime/)