LockBit victims in the US alone paid over $90m in ransoms since 2020


Seven countries today issued an alert, plus protection tips, about LockBit, the prolific ransomware-as-a-service gang.

The group's affiliates remain a global scourge, costing US victims alone more than $90 million from about 1,700 attacks since 2020, we're told.

The joint security advisory — issued by the US Cybersecurity and Infrastructure Security Agency (CISA), FBI, Multi-State Information Sharing and Analysis Center (MS-ISAC), and cybersecurity authorities in Australia, Canada, the UK, Germany, France, and New Zealand — includes details of common tools and exploits used by the criminals, along with recommendations to avoid ransomware infections or reduce the impact of future ones.

It's essentially a mini manual [PDF] to identifying, stopping, and reporting LockBit activity. The countries also urged victims not to give in to the crew's demands:

The gang, now on version 3.0 of its data-encrypting-and-stealing malware, began incorporating source code from the Conti ransomware in January, and using encryptors targeting macOS as seen on VirusTotal.

LockBit, both the core crew and its affiliate operators, target organizations across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

Some of the more recent victims include Managed Care of North America, one of the biggest government-backed dental care and insurance providers in the US. Earlier this year, the criminals broke into MCNA's servers, hung around for 10 days and extracted info on about 9 million people.

In January, the gang "formally apologized" for breaking into the systems of Canada's largest children's hospital, SickKids, blaming a since-ditched affiliate group for an extortion attack and offering a free decryptor for the victim to recover the files.

But before thinking that the ransomware-as-a-service group has gone soft, it's worth remembering the gang's ransomware attack last summer against France's Center Hospitalier Sud Francilien.

The crew has been linked to Russia, and in May Uncle Sam sanctioned a Russian national, Mikhail Pavlovich Matveev, accused of using LockBit and other ransomware to extort a law enforcement agency and nonprofit healthcare organization in New Jersey, as well as the Metropolitan Police Department in Washington DC, among "numerous" other victim organizations in the US and globally.

These Kremlin ties are another reason not to pay, according to Tom Kellermann, SVP of cyber strategy at Contrast Security.

"LockBit's cybercrime activity is significant, notably the proceeds of which helped Russia offset some Western economic sanctions," Kellermann told The Register. "The most nefarious ransomware gangs are affiliated with cybercrime cartels that enjoy a pax mafiosa with the Russian government."

MLM, but make it ransomware

LockBit was the most used ransomware in 2022 globally and thus far in 2023, according to the seven countries. This is largely due to the gang's large number of affiliates, which, in exchange for paying upfront and subscription fees, get a cut of the ransom payments.

They also employ a bunch of publicity stunts to attract new members, including paying people to get LockBit tattoos and hyping a $1 million bounty on information related to the identity of the big boss, who goes by "LockBitSupp."

"Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs)," the advisory notes.

This includes using some 30 freeware and open-source tools, all of which are detailed in the security alert, and the FBI has mapped more than 40 of the gang's TTPs to the MITRE ATT&CK framework.

The criminals have also been spotted exploiting "numerous" CVEs. These include the Fortra GoAnywhere Managed File Transfer remote code execution (RCE) vulnerability (CVE-2023-0669), the PaperCut MF/NG improper access control flaw (CVE-2023-27350), the Log4j RCE (CVE-2021-44228), the F5 BIG-IP and BIG-IQ Centralized Management iControl REST RCE (CVE-2021-22986), a Netlogon privilege escalation bug (CVE-2020-1472), a Microsoft Remote Desktop RCE (CVE-2019-0708), and a Fortinet FortiOS SSL-VPN path traversal vulnerability (CVE-2018-13379).

The latter is not to be confused with another critical bug in the FortiOS SSL-VPN that was discovered, patched, and likely exploited this week.

After breaking in, encrypting, and then stealing organizations' data, LockBit affiliates post names and sometimes screenshots of stolen data on their leak sites to try to force the victims to pay the ransom demand.

Naming and shaming victims

Between January 2020 and the first quarter of 2023, a total of 1,653 alleged victims have been named on LockBit leak sites — although, according to the cyber agencies, this number only represents "a portion" of the affiliates' victims since it only includes those who refuse to pay.

Also, the leak sites aren't a very reliable indicator of when the attacks occurred because the date of data publication "may be months" after the LockBit affiliates initially infected corporate systems, according to the alert.

Given these caveats, here's a look at how LockBit compares to other ransomware infections across the globe:

  • From April 1, 2022, to March 31, 2023, LockBit made up 18 percent of total reported Australian ransomware incidents.
  • In 2022, LockBit was responsible for 22 percent of attributed ransomware incidents in Canada.
  • In 2022, New Zealand received 15 reports of LockBit ransomware, representing 23 percent of the year's ransomware reports.
  • In 2022, 16 percent of the US State, Local, Tribal, and Territorial government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services such as law enforcement. ®