LockBit Ransomware Hits Northeast Florida Community Action Agency

Incident Date: September 15, 2024

Overview

Victim: The Northeast Florida Community Action Agency, Inc. (NFCAA)

Attacker: Lockbit3

Location: Jacksonville, USA; Florida, USA

First Reported: September 15, 2024

LockBit Ransomware Group Targets Northeast Florida Community Action Agency (NFCAA)

The Northeast Florida Community Action Agency, Inc. (NFCAA) has recently fallen victim to a ransomware attack orchestrated by the notorious LockBit group. This attack has compromised the agency's systems, potentially exposing sensitive data and disrupting its operations. LockBit, known for its sophisticated encryption techniques and high ransom demands, has added NFCAA to its list of targets, further highlighting the persistent threat posed by ransomware groups to public service organizations.

About NFCAA

Established in 1964, the Northeast Florida Community Action Agency, Inc. (NFCAA) is a non-profit organization dedicated to improving the lives of low-income individuals and families in Northeast Florida. The agency operates across several counties, including Baker, Clay, Duval, Flagler, Nassau, Putnam, and St. Johns. NFCAA's mission focuses on eliminating poverty and promoting self-sufficiency through a variety of programs and services.

NFCAA offers a comprehensive array of programs designed to meet the diverse needs of the community. These include utility assistance through the Low-Income Home Energy Assistance Program (LIHEAP), the Family Self-Sufficiency Program (FSSP), the Weatherization Assistance Program (WAP), and the Data Busters STEAM Program for youth development. The agency's holistic approach to community assistance sets it apart, emphasizing both immediate aid and long-term economic stability.

Attack Overview

The ransomware attack on NFCAA was explicitly claimed by the LockBit group via their dark web leak site. LockBit, active since September 2019, has become one of the most active ransomware groups, responsible for a significant portion of ransomware attacks in recent years. The group employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid.

LockBit uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files, making it extremely difficult to recover data without paying the ransom. The ransomware is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares, allowing it to spread quickly across a network. Additionally, LockBit performs a check to avoid executing on systems with languages common to the Commonwealth of Independent States (CIS) region.

Potential Vulnerabilities

Public service organizations like NFCAA are particularly vulnerable to ransomware attacks due to their reliance on digital systems for service delivery and the sensitive nature of the data they handle. The agency's extensive outreach and service programs, while beneficial to the community, also increase its attack surface, making it an attractive target for threat actors. The use of RDP services and potentially unsecured network shares could have provided an entry point for the LockBit ransomware.

About LockBit

LockBit distinguishes itself through its ransomware-as-a-service (RaaS) model, which allows affiliates to use its ransomware in exchange for a share of the ransom payments. The group is known for its modular ransomware, which keeps its payload encrypted until execution to hinder malware analysis and detection. LockBit's sophisticated techniques and high ransom demands have made it a formidable threat in the cybersecurity landscape.
