LockBit Ransomware Group Targets Northeast Florida Community Action Agency (NFCAA)

The Northeast Florida Community Action Agency, Inc. (NFCAA) has recently fallen victim to a ransomware attack orchestrated by the notorious LockBit group. This attack has compromised the agency's systems, potentially exposing sensitive data and disrupting its operations. LockBit, known for its sophisticated encryption techniques and high ransom demands, has added NFCAA to its list of targets, further highlighting the persistent threat posed by ransomware groups to public service organizations.

About NFCAA

Established in 1964, the Northeast Florida Community Action Agency, Inc. (NFCAA) is a non-profit organization dedicated to improving the lives of low-income individuals and families in Northeast Florida. The agency operates across several counties, including Baker, Clay, Duval, Flagler, Nassau, Putnam, and St. Johns. NFCAA's mission focuses on eliminating poverty and promoting self-sufficiency through a variety of programs and services.

NFCAA offers a comprehensive array of programs designed to meet the diverse needs of the community. These include utility assistance through the Low-Income Home Energy Assistance Program (LIHEAP), the Family Self-Sufficiency Program (FSSP), the Weatherization Assistance Program (WAP), and the Data Busters STEAM Program for youth development. The agency's holistic approach to community assistance sets it apart, emphasizing both immediate aid and long-term economic stability.

Attack Overview

The ransomware attack on NFCAA was explicitly claimed by the LockBit group via their dark web leak site. LockBit, active since September 2019, has become one of the most active ransomware groups, responsible for a significant portion of ransomware attacks in recent years. The group employs "double extortion" tactics, exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid.

LockBit uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt victims' files, making it extremely difficult to recover data without paying the ransom. The ransomware is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares, allowing it to spread quickly across a network. Additionally, LockBit performs a check to avoid executing on systems with languages common to the Commonwealth of Independent States (CIS) region.

Potential Vulnerabilities

Public service organizations like NFCAA are particularly vulnerable to ransomware attacks due to their reliance on digital systems for service delivery and the sensitive nature of the data they handle. The agency's extensive outreach and service programs, while beneficial to the community, also increase its attack surface, making it an attractive target for threat actors. The use of RDP services and potentially unsecured network shares could have provided an entry point for the LockBit ransomware.

About LockBit

LockBit distinguishes itself through its ransomware-as-a-service (RaaS) model, allowing affiliates to use its ransomware in exchange for a share of the ransom payments. The group is known for its modular ransomware, which encrypts its payload until execution to hinder malware analysis and detection. LockBit's sophisticated techniques and high ransom demands have made it a formidable threat in the cybersecurity landscape.

Sources

• Northeast Florida Community Action Agency
• SOCRadar: Dark Web Profile - LockBit 3.0 Ransomware
• Cyber.gov.au: Ransomware Profile - LockBit 3.0
• Red Piranha: A Look at LockBit 3.0 Ransomware
• CISA: Ransomware Profile - LockBit 3.0