U.S. and international cybersecurity authorities said in a joint LockBit ransomware advisory that the gang successfully extorted roughly $91 million following approximately 1,700 attacks against U.S. organizations since 2020.
This Ransomware-as-a-Service (RaaS) operation was the leading global ransomware threat in 2022, boasting the highest number of victims claimed on their data leak site, said the U.S. authorities and their international partners in Australia, Canada, United Kingdom, Germany, France, and New Zealand.
According to reports received by the MS-ISAC throughout last year, approximately 16% of ransomware incidents affecting State, Local, Tribal, and Tribunal (SLTT) governments were LockBit attacks.
In these incidents, LockBit affiliates targeted municipal governments, county governments, public higher education institutions, K-12 schools, and emergency services such as law enforcement.
“In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023,” the joint advisory warns.
“Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.”
Today’s advisory includes a list of roughly 30 freeware and open-source tools and a detailed MITRE ATT&CK mapping of over 40 Tactics, Techniques, and Procedures (TTPs) employed by LockBit affiliates in attacks.
The cybersecurity authorities shared commonly observed vulnerabilities and exposures (CVEs) exploited by LockBit and an in-depth exploration of the evolutionary trajectory of the LockBit RaaS operation since it first surfaced in September 2019.
The joint advisory also provides recommended mitigation measures to help defenders thwart LockBit activity targeting their organizations.
“The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit. If you believe you are the victim of a cyber crime, please contact your local FBI field office,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, today.
LockBit ransomware emerged in September 2019 as a ransomware-as-a-service (RaaS) operation and resurfaced as the LockBit 2.0 RaaS in June 2021 in response to the ban on ransomware groups on cybercrime forums.
In a February 2022 flash alert, the FBI shared LockBit indicators of compromise and advised victims to report any LockBit attacks urgently.
Several months later, LockBit 3.0 was unveiled with noteworthy upgrades such as Zcash cryptocurrency payment options, innovative extortion tactics, and the first ransomware bug bounty program.
Since then LockBit claimed several high-profile victims worldwide, including the Continental automotive giant, the Italian Internal Revenue Service, the UK Royal Mail, and the City of Oakland.