LockBit 3.0 Ransomware Attack on Schmitty & Sons

Incident Date: May 23, 2024


Overview

Title: LockBit 3.0 Ransomware Attack on Schmitty & Sons
Victim: Schmitty & Sons
Attacker: Lockbit3
Location: Lakeville, Minnesota, USA
First Reported: May 23, 2024


Overview of the Attack

Schmitty & Sons, an employee-owned transportation company based in Lakeville, Minnesota, was recently targeted by the notorious LockBit 3.0 ransomware group. The attack led to the exfiltration and subsequent leak of sensitive data, including tax forms, financial records, and personally identifiable information (PII). This incident highlights the ongoing threat posed by sophisticated ransomware operations and the increasing vulnerability of organizations across various sectors.

About Schmitty & Sons

Established in 1952, Schmitty & Sons provides a range of transportation services, including school buses, charter buses, and shuttle services. The company has a strong commitment to sustainability and green initiatives and became an employee-owned organization in 2016. With several office locations across Minnesota, including Lakeville, Eagan, Burnsville, and Lake Elmo, Schmitty & Sons is recognized for its focus on customer experience and safety in transportation.

LockBit 3.0 Ransomware Group

LockBit 3.0, also known as LockBit Black, is the latest iteration of the LockBit ransomware family and emerged in 2022. Known for its advanced capabilities and high degree of obfuscation, LockBit 3.0 operates under a Ransomware-as-a-Service (RaaS) model, which lets cybercriminal affiliates use the ransomware in their own attacks and significantly increases its reach and impact. The ransomware encrypts files, modifies filenames, and deletes traces of its presence to evade detection.

Details of the Attack

The LockBit 3.0 attack on Schmitty & Sons involved the deployment of ransomware through a high-volume email campaign, facilitated by the Phorpiex botnet. The attack began with phishing emails containing malicious attachments that, once executed, downloaded the ransomware payload. This led to the encryption of critical data and the leaking of a sample of the exfiltrated information on LockBit's dark web site.

LockBit 3.0's affiliates have been known to exploit vulnerabilities in widely used software, such as Citrix NetScaler, to gain unauthorized access to systems. Once inside, they establish persistence and move laterally across networks to maximize the impact of their attacks.

Implications and Response

The attack on Schmitty & Sons underscores the critical need for robust cybersecurity measures, particularly for companies in essential service sectors like transportation. The ability of LockBit 3.0 to quickly adapt and exploit vulnerabilities makes it a formidable threat that requires continuous vigilance and proactive defense strategies.

As ransomware groups like LockBit continue to evolve, organizations must enhance their cybersecurity frameworks and ensure regular updates and patches to their systems to mitigate the risk of such attacks.
