
The attackers behind the LockBit ransomware as a service (RaaS) scheme have extorted $91 million in hundreds of attacks against numerous US organizations since 2020.
This is according to a joint bulletin issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and partner authorities in Australia, Canada, France, Germany, New Zealand, and the United Kingdom.
“LockBit ransomware-as-a-service (RaaS) has attracted affiliates to use LockBit to carry out ransomware attacks, resulting in a large and diverse web of unconnected attackers carrying out attacks,” the agencies said.
First appearing in late 2019, LockBit continues to be prolific and devastating, targeting as many as 76 victims in May 2023 alone, according to statistics shared by Malwarebytes last week. The Russia-affiliated cartel has so far claimed responsibility for at least 1,653 ransomware attacks.

This cybercriminal operation attacked a wide range of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.
LockBit has received three major upgrades so far: LockBit Red (June 2021), LockBit Black (March 2022), and LockBit Green (January 2023), the last of which is based on source code leaked from the now-disbanded Conti gang.
The ransomware has since been adapted to target Linux, VMware ESXi, and Apple macOS systems, making it an ever-evolving threat. The RaaS operation is also known for paying people to get tattoos of its logo and for introducing the first-ever bug bounty program run by a ransomware group.
The business model has the core developers leasing their malware to affiliates, who perform the actual ransomware deployment and extortion. In a twist on the usual arrangement, the group lets affiliates receive the ransom payments first and then pass a cut to the core crew.

Attack chains involving LockBit have exploited recently disclosed flaws in Fortra GoAnywhere Managed File Transfer (MFT) and PaperCut MF/NG servers, as well as older known bugs in Apache Log4j2, F5 BIG-IP and BIG-IQ, and Fortinet devices, to gain initial access.
Affiliates also use more than 30 freeware and open source tools for network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. The intrusions have additionally been found to abuse legitimate red-team software such as Metasploit and Cobalt Strike.
“LockBit has been successful through its innovation and continuous development of the group’s admin panel (i.e., a simplified point-and-click interface that makes ransomware deployment accessible even to those with low technical skills), affiliate support features, and continuous revision of its TTPs,” the agencies said.
The development follows CISA’s issuance of Binding Operational Directive 23-02, which directs federal agencies to discover firewalls, routers, switches, and other network devices exposed to the public internet and to take steps to secure them and minimize their attack surface within 14 days.
“Too often, threat actors are able to use network devices to gain unrestricted access to organizational networks, in turn leading to full-scale compromise,” said Jen Easterly, CISA Director. “Requiring appropriate controls and mitigations […] is an important step in reducing risk to the federal civilian enterprise.”
The advisory also arrives alongside a new bulletin highlighting threats to baseboard management controller (BMC) implementations, noting that attackers could use a compromised BMC to establish a “beachhead that may execute before boot.”
“Hardened credentials, firmware updates, and network segmentation options are often overlooked, leading to vulnerable BMCs,” CISA and the U.S. National Security Agency (NSA) said in a joint warning.
“Furthermore, malicious actors can disable security solutions such as the Trusted Platform Module (TPM) and UEFI Secure Boot, manipulate data on any attached storage media, and even propagate implants or destructive instructions across an entire network infrastructure.”