The Prolificacy of LockBit Ransomware


Today, LockBit is the most active and successful ransomware operation in the world. Run by Russian-speaking actors, LockBit emerged from the shadows of the disbanded Conti ransomware group in early 2022.

LockBit ransomware was first discovered in September 2019 and was formerly known as ABCD ransomware because of the “.abcd virus” extension first observed on encrypted files. LockBit operates under a Ransomware as a Service (RaaS) model: an affiliate makes a deposit to use the tooling and splits each ransom payment with the LockBit group. Some affiliates are reported to keep as much as a 75% share. LockBit’s operator advertises the affiliate program on Russian-language crime forums, does not operate in Russia or the CIS countries, and states that it will not work with English-speaking developers unless a Russian-speaking “guarantor” vouches for them.

LockBit’s initial attack vectors include phishing, spear phishing, social engineering such as business email compromise (BEC), exploitation of public-facing applications, purchase of access from initial access brokers (IABs), and abuse of valid accounts using stolen credentials. The last of these covers remote access services such as Remote Desktop Protocol (RDP), as well as brute-force credential attacks.

At last year’s Global Threat Forecast webinar hosted by SecurityHQ, we identified LockBit as a significant threat and highlighted it as a threat actor to watch in 2022.

LockBit targets

LockBit has typically focused its attacks on government agencies and on companies in a range of sectors, including healthcare, financial services, and industrial products and services. The ransomware has been observed targeting victims around the world, including in the United States, China, India, Indonesia, Ukraine, France, the United Kingdom, and Germany.

Another notable feature of LockBit is that it is programmed so that it cannot be used to attack Russia or the CIS countries (Commonwealth of Independent States). This is likely a precaution taken by the group to avoid potential backlash from the Russian government.

The map below shows LockBit’s target locations.

Figure 1 – SecurityHQ analysis of LockBit victims by region

A busy year for LockBit

By analyzing data from the groups’ leak sites, we were able to count how many attacks LockBit claimed as successful. In 2022, this group published more successful attacks than any other ransomware group. We mapped LockBit’s activity over the years against that of other well-known ransomware groups. Conti’s decline is visible as that group began to cease operations; however, members of the once prolific Conti group are reported to be active now within the BlackBasta, BlackByte, and Karakurt ransomware groups.


The chart below shows how LockBit performed in 2022 compared to other ransomware groups.


One of LockBit’s unusual features is its bug bounty program for its ransomware builder and encryptor. The group offers a $1 million reward to anyone who can dox its owner. This is a significant sum and shows how seriously LockBit takes maintaining its anonymity.

The group was recently linked to an attack on Royal Mail in the UK. LockBit denied direct involvement, saying the attack was carried out by an affiliate. This is not uncommon for ransomware groups, which often rely on affiliates to carry out attacks in order to distance themselves from the consequences.

All in all, the LockBit ransomware group is a formidable and sophisticated cybercriminal gang that poses a significant threat to businesses and organizations worldwide. With its established ransomware-as-a-service model, its bug bounty program, and its willingness to pay anyone who can reveal its operator’s identity, LockBit is a force to be reckoned with in the threat landscape.

What is RaaS?

Ransomware as a Service (RaaS) has gained popularity in recent years. RaaS is a business model in which ransomware operators provide the malware and supporting tools to other individuals or organized crime groups, who carry out the attacks in exchange for handing over a portion of each ransom. This allows even individuals with little technical skill to take part in ransomware attacks, which increases the number of attacks and makes tracking and apprehending the attackers more difficult.

What next?

To strengthen their security posture, we recommend that companies take the following steps:

  1. Use Managed Detection and Response (MDR) to understand, analyze, and prioritize malicious or anomalous activity to quickly respond to threats and protect your data, people, and processes.

  2. Ensure your employees are trained and educated on the latest cybersecurity threats so they know how to spot attacks and respond appropriately.

To hear SecurityHQ experts discuss some of the biggest threats seen through 2022, our predictions for 2023, the consequences of breaches, and how to mitigate future cybersecurity threats, download the webinar recording “Global Threat Landscape 2023 Forecast”.

Note: This article is by Aaron Hambleton, Middle East and Africa Director at SecurityHQ. With over 11 years of experience across financial services, retail, insurance, government, and telecommunications, Aaron is a certified GCDA and specializes in incident response, threat hunting, vulnerability management, cybersecurity operations, threat intelligence, and consulting.
