LockBit attacks Sierra Construction

Incident Date:

April 21, 2024

World map



LockBit attacks Sierra Construction


Sierra Construction




Woodstock, Canada

Ontario, Canada

First Reported

April 21, 2024

Sierra Construction Attacked by LockBit Ransomware Gang


Sierra Construction, a Pacific Northwest general contractor and construction management company founded in 1986, has fallen victim to the ransomware gang LockBit. Unfortunately, no further details are currently available about the attack.

About LockBit

LockBit is a Ransomware as a Service (RaaS) that has been active since 2019. Known for its expertise in evading security tools and its rapid encryption speed, LockBit employs various methods of extortion. In addition to demanding a ransom for the encryption key, victims may also be asked to pay for any sensitive information that was exfiltrated during the attack.

Modus Operandi

LockBit utilizes publicly available file-sharing services and a custom tool called Stealbit for data exfiltration. The ransomware operation gained notoriety in Q4-2023 when it exposed a significant amount of exfiltrated Boeing data. LockBit has demanded ransoms exceeding $50 million and targeted major companies like Taiwan Semiconductor Manufacturing Company (TSMC) with a $70 million ransom demand.

Evolution and Threat

LockBit continues to evolve its RaaS platform, with the release of LockBit 3.0 in June 2022. In April 2023, it introduced the first macOS ransomware variant. The latest versions of LockBit feature advanced anti-analysis capabilities and pose a threat to both Windows and Linux systems. The ransomware employs a custom Salsa20 algorithm for file encryption and exploits remote desktop protocol (RDP) vulnerabilities for infection.

Target and Affiliates

LockBit primarily targets large enterprises capable of meeting high ransom demands, although it has shown a preference for healthcare organizations. The ransomware operation runs a well-organized affiliate program, offering generous payouts of up to 75% of the ransom proceeds to attackers. LockBit operators have been observed exploiting vulnerabilities like the Citrix Bleed vulnerability (CVE 2023-4966) to further their malicious activities.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.