FBI and CISA Release Joint Advisory on LockBit Ransomware Operations

Date:

June 14, 2023

World map

The FBI and CISA, along with partners at the MS-ISAC, have issued a joint advisory detailing the threat posed by the LockBit ransomware gang.

LockBit is one of the most prolific and successful Ransomware-as-a-Service (RaaS) operators to date, with numerous confirmed attacks against a wide range of verticals including financial services, food and agriculture production, the education and energy sectors, government and emergency services, healthcare providers, other manufacturing and transportation organizations.

Given the scale of the LockBit operation and the sheer number of affiliate attackers who use the platform, there is a wide variance on the TTPs employed in attacks, making LockBit difficult to detect.

“LockBit has been successful through innovation and ongoing development of the group’s administrative panel and the RaaS supporting functions,” the advisory states. “In parallel, affiliates that work with LockBit and other notable variants are constantly revising the TTPs used for deploying and executing ransomware.”

Ransomware incidents attributed to LockBit:  

  • Australia: From April 1, 2022, to March 31, 2023, LockBit made up 18% of total reported Australian ransomware incidents. This figure includes all variants of LockBit ransomware, not solely LockBit 3.0.
  • Canada: In 2022, LockBit was responsible for 22% of attributed ransomware incidents in Canada.
  • New Zealand: In 2022, CERT NZ received 15 reports of LockBit ransomware, representing 23% of 2022 ransomware reports.
  • United States: In 2022, 16% of the State, Local, Tribal, and Tribunal (SLTT) government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).

Takeaway: LockBit has been active since 2019 and is enabled with security tool evasion capabilities and an extremely fast encryption speed. LockBit is noted for using a triple extortion model where the victim may also be asked to purchase their sensitive information in addition to paying the ransom demand for decrypting systems.

LockBit raced to the lead position of the RaaS group threats during 2022, overtaking Pysa early in the year by volume of attacks, and until very recently boasted the fastest encryption speed.

The group continues to improve their attack platform and introduced LockBit 3.0 in June of 2022 which bore some similarities to the BlackMatter ransomware. The latest version incorporates advanced anti-analysis features and is a threat to both Windows and Linux systems. LockBit employs a Base64-encoded hash and an RSA public key in its configuration and hashes it with MD5. LockBit also created their own bug bounty program.

LockBit tends to target larger enterprises across any industry vertical with the ability to pay high ransom demands, but also tends to favor Healthcare targets. LockBit has demanded ransoms in excess of $50 million.

LockBit has a very well-run affiliate program and a great reputation amongst the affiliate (attacker) community for the maturity of the platform as well as for offering high payouts of as much as 75% of the attack proceeds. LockBit is known to employ multiple extortion techniques including data exfiltration to compel payment.

Read the full advisory here.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.