Formation | 2019 |
---|---|
Type | Hacking |
LockBit is a cybercriminal group offering ransomware as a service (RaaS). Software developed by the group (also called ransomware) enables malicious actors who are willing to pay for it to carry out attacks using two tactics: they not only encrypt the victim's data and demand a ransom but also threaten to leak the data if their demands are not met.[1]
According to a joint statement by various government agencies, LockBit was the world's most prolific ransomware in 2022.[2] It is estimated to be responsible for 44% of all ransomware incidents globally.[3]
In the United States between January 2020 and May 2023, LockBit was used in approximately 1,700 ransomware attacks, totaling $91 million in paid ransom to hackers.[4]
Government agencies did not formally attribute the group to any nation-state.[5] Software with the name "LockBit" appeared on a Russian-language cybercrime forum in January 2020.[4] The group is financially motivated.[3]
Description
LockBit has gained attention for its creation and use of the malware called "StealBit", which automates the exfiltration of data. This tool was introduced with the release of LockBit 2.0, which possesses fast and efficient encryption capabilities. To expand their reach, LockBit also released Linux-ESXI Locker version 1.0, targeting Linux hosts, particularly ESXi servers.[1]
LockBit recruits affiliates and develops partnerships with other criminal groups. They hire network access brokers, cooperate with organizations like Maze, and recruit insiders from targeted companies. To attract talented hackers, they have sponsored underground technical writing contests.[1]
LockBit has targeted various industries globally; however, the healthcare and education sectors are the biggest victims. According to Trend Micro, in terms of attack attempts, the United States, India and Brazil are the top targeted countries.[1]
LockBit is efficient and adaptable: they emphasize their malware's speed and capabilities to attract victims. They take external factors like data privacy laws into consideration when targeting potential victims. LockBit's success also relies heavily on their affiliate program, which helps them innovate and compete in the ransomware landscape.[1]
History
LockBit malware was previously known as “.abcd”, after the file extension that was added to encrypted files as they were made inaccessible.[6]
LockBit was first observed in September 2019.[7]
LockBit 2.0
LockBit 2.0 appeared in 2021[7] and came into the spotlight with their attack on Accenture the same year, where an insider probably helped the group enter the network. LockBit published some of the stolen data from this attack.[8][1]
In January 2022, the electronics group Thales was one of the victims of LockBit 2.0.[9]
In July 2022, the administrative and management services of La Poste Mobile were attacked.[10]
In September 2022, the group's hackers claimed cyberattacks against 28 organizations, 12 of which involved French organizations.[11] Among them, the Corbeil Essonnes hospital was targeted with a ransom demand of $10 million.[12]
In October 2022, the LockBit group claimed responsibility for an attack on Pendragon PLC, a group of automotive retailers in the UK. The ransom to decode the files and not reveal their contents was $60 million.[13]
On October 31, 2022, the LockBit hacker group claimed to have attacked the Thales group for the second time. The group did not demand a ransom, but displayed a countdown ending on November 7, when the data would be released. The hacker group offered assistance to Thales customers affected by the theft, in order to lodge a complaint against Thales, a group "that has greatly disregarded confidentiality rules".[14] On November 10, 2022, the LockBit 3.0 group published the stolen information on the darknet. The 9.5 GB archive contains information on Thales contracts in Italy and Malaysia.[15][16]
In August 2022, German equipment manufacturer Continental suffered a ransomware attack from the LockBit 3.0 group. In November 2022, with no response to its ransom demand, the hacker group published part of the stolen data and offered access to all of it for 50 million euros. The stolen data includes information about the private lives of the Group's employees, as well as exchanges with German car manufacturers. Beyond the theft of data, the danger lies in opening the way to industrial espionage. Indeed, among the exchanges with Volkswagen are IT aspects, from automated driving to entertainment, in which Volkswagen wanted Continental to invest.[17]
In November 2022, OEHC - Office d'Équipement Hydraulique de Corse - was the victim of a cyberattack that encrypted the company's computer data. A ransom demand was made by the hacker group, to which OEHC did not respond.[18]
In December 2022, the LockBit hacker group claimed responsibility for the attack on the California Finance Administration. The governor's office acknowledged being the victim of an attack, without specifying its scale. LockBit claims to have stolen 246,000 files with a total volume of 75.3 Gb.[19]
In December 2022, the hacker group claimed to have attacked the port of Lisbon. The ransom was set at $1.5 million, to be paid by January 18, 2023.[20]
On December 18, 2022, a group of hackers attacked Toronto's Hospital for Sick Children. After realizing their blunder, the hacker group stopped the attack, apologized and offered a free solution to recover the encrypted files.[21]
LockBit 3.0
In late June 2022, the group launched "LockBit 3.0", the latest variant of their ransomware, after two months of beta testing. Notably, the group introduced a bug bounty program, the first of its kind in the realm of ransomware operations. They invited security researchers to test their software to improve its security, offering substantial monetary rewards ranging from $1,000 to $1 million.[1]
In November 2022, the United States Department of Justice announced the arrest of Mikhail Vasiliev, a dual Russian and Canadian national, in connection with the LockBit ransomware campaign. According to the charges, Vasiliev allegedly conspired with others involved in LockBit, a ransomware variant that had been used in over 1,000 attacks globally as of November 2022. According to reports, the operators of LockBit had made at least $100 million in ransom demands and extracted tens of millions in actual ransom payments from victims. The arrest followed a 2.5-year investigation into the LockBit ransomware group by the Department of Justice.[22]
In January 2023, the hacker group claimed to have attacked the French luxury goods company Nuxe[23] and the Elsan group (a French group of private clinics). The hacker group stole 821 GB of data from the company's headquarters.[24] The same month, Royal Mail's international export services were severely disrupted because of a ransomware attack by LockBit.[25][26]
In February 2023, the group claimed responsibility for the attack on Indigo Books and Music, a chain of Canadian bookstores.[27]
In March 2023, the group claimed responsibility for attacking the BRL group, a water specialist in the Occitania region of France.[28]
On May 16, 2023, the hacker group claimed responsibility for attacking the Hong Kong branch of the Chinese newspaper China Daily. This was the first time the hacker group had attacked a company linked to the Chinese authorities. Just as LockBit does not attack the Russian authorities, it avoids attacking their allies.[29]
In May 2023, the hacker group claimed responsibility for the attack on Voyageurs du monde. The hacker group stole some 10,000 identity documents from the company's customer files.[30]
In June 2023, the United States Department of Justice announced criminal charges against Ruslan Magomedovich Astamirov, a Russian national, for his alleged participation in the LockBit ransomware campaign as an affiliate. The charges allege that Astamirov directly executed at least five ransomware attacks against victims and received a portion of ransom payments in bitcoin.[31]
At the end of June 2023, the TSMC group fell victim to a ransomware attack via one of its suppliers. The ransom demanded by LockBit was $70 million.[32]
In July 2023, LockBit attacked the Port of Nagoya in Japan, which handles 10% of the country's trade. The attack forced a shutdown of container operations.[33]
In October 2023, LockBit claimed to have stolen sensitive data from Boeing.[34] A few days later, Boeing acknowledged that it was aware of a cyber incident affecting some of its parts and distribution business, though the incident did not affect flight safety and Boeing did not name the suspected attackers.[35]
In November 2023, LockBit attacked the U.S. subsidiary of the Chinese state-owned Industrial and Commercial Bank of China.[36] The US unit of ICBC at the time was considered the world's largest lender by assets, as reported by Bloomberg.[37]
In November 2023, LockBit also released onto the internet internal data from Boeing that the group had obtained a month earlier.[38]
In November 2023, the LockBit gang added the Chicago Trading Company and Alphadyne Asset Management as victims of its ransomware attacks. The CTC had apparently been hacked, according to Bloomberg, in October. Bloomberg also stated that over the prior year, LockBit had "become the world’s most prolific ransomware group." Since 2020, it had reportedly carried out 1,700 attacks and extorted $91 million, according to the US Cybersecurity and Infrastructure Security Agency.[39] The Register reported in late November 2023 that LockBit was facing growing internal frustrations, and that its leaders were overhauling some of its negotiation methods with victims in response to the low pay rate.[40]
Techniques and tactics
LockBit operators frequently gain initial access by exploiting vulnerable Remote Desktop Protocol (RDP) servers or compromised credentials purchased from affiliates. Initial access vectors also include phishing emails with malicious attachments or links, brute forcing weak RDP or VPN passwords, and exploiting vulnerabilities like CVE-2018-13379 in Fortinet VPNs.[1]
Once inside a system, LockBit ransomware is often executed via command-line arguments, scheduled tasks, or PowerShell scripts like PowerShell Empire. LockBit uses tools like Mimikatz, GMER, Process Hacker, and registry edits to gather credentials, disable security products, and evade defenses. It enumerates network connections to identify high-value targets like domain controllers using scanners like Advanced Port Scanner.[1] In the case of LockBit 1.0, after implementing privilege escalation, the malware leverages a now-elevated process to execute a sequence of data recovery exceptions with the assistance of built-in Windows tools. Subsequently, it clears the logs, and then the software commences the file encryption process.[41]
For lateral movement, LockBit spreads through SMB file sharing connections inside networks, using credentials gathered earlier. Other lateral movement techniques include distributing itself via compromised Group Policy objects, or using tools like PsExec or Cobalt Strike.[1]
LockBit's ransomware payload encrypts files and network shares using AES and RSA encryption. It encrypts only the first few KB of each file for faster processing and adds a ".lockbit" extension. LockBit also replaces the desktop wallpaper with a ransom note recruiting affiliates. It can print ransom notes to attached printers. The goal is to disrupt systems and restrict access to extort ransom payments.[1]
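The partial-encryption behaviour described above matters for triage: a check that averages entropy over a whole file can miss a file whose head alone was encrypted. The following sketch is an added example, not taken from the cited sources; the 4 KiB head size, the thresholds and the sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

HEAD_BYTES = 4096        # assumption: "first few KB" modelled as 4 KiB
HIGH_ENTROPY = 7.2       # bits/byte; encrypted or random data approaches 8.0
ENTROPY_GAP = 2.0        # assumption: head must exceed the body by this much
MARKER_EXT = ".lockbit"  # extension named in the article

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_file(path: str) -> dict:
    """Compare the entropy of the file head with the body that follows it."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
        body = fh.read(16 * HEAD_BYTES)  # sample of what follows the head
    h_head, h_body = shannon_entropy(head), shannon_entropy(body)
    # Fully compressed or encrypted files are high-entropy throughout;
    # a high-entropy head over a low-entropy body is the distinguishing sign.
    partial = (len(body) > 0 and h_head >= HIGH_ENTROPY
               and h_head - h_body >= ENTROPY_GAP)
    return {
        "marker_ext": path.lower().endswith(MARKER_EXT),
        "head_entropy": round(h_head, 2),
        "body_entropy": round(h_body, 2),
        "partial_encryption_suspected": partial,
    }

def build_samples(directory: str) -> dict:
    """Write constructed samples: plain text, random head only, fully random."""
    text = b"2023-07-07 invoice line item, quantity, unit price\n" * 2000
    samples = {
        "report.txt": text,
        "report.docx.lockbit": os.urandom(HEAD_BYTES) + text[HEAD_BYTES:],
        "archive.bin": os.urandom(len(text)),  # stands in for compressed data
    }
    paths = {}
    for name, content in samples.items():
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as fh:
            fh.write(content)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, path in build_samples(tmp).items():
            print(name, triage_file(path))
```

The fully random `archive.bin` is deliberately not flagged, which shows why the head-versus-body comparison, rather than a single entropy threshold, separates partially encrypted files from ordinary compressed ones.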
References
- "Ransomware Spotlight: LockBit – Security News". www.trendmicro.com. Retrieved 2023-07-07.
- "Understanding Ransomware Threat Actors: LockBit | CISA". www.cisa.gov. 2023-06-14. Retrieved 2023-11-25.
- Tunney, Catharine (February 3, 2023). "Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada". Canadian Broadcasting Corporation. Archived from the original on November 25, 2023. Retrieved November 25, 2023.
- "Understanding Ransomware Threat Actors: LockBit | CISA". www.cisa.gov. 2023-06-14. Retrieved 2023-11-25.
- Siddiqui, Zeba; Pearson, James (2023-11-10). "Explainer: What is Lockbit? The digital extortion gang on a cybercrime spree". Reuters. Retrieved 2023-11-25.
- Milmo, Dan (2023-01-13). "What is LockBit ransomware and how does it operate?". The Guardian. ISSN 0261-3077. Retrieved 2023-07-20.
- "What Is LockBit Ransomware?". www.blackberry.com. Retrieved 2023-07-20.
- "LockBit 2.0 Ransomware: An In-Depth Look at Lockfile & LockBit". Avertium. Retrieved 2023-07-07.
- Licata Caruso, Damien (2022-01-18). "Thales refuse le chantage, des hackers publient les données volées à sa branche aérospatiale". leparisien.fr (in French). Retrieved 2023-07-21.
- "Qui est LockBit 3.0, le cyber-rançonneur de La Poste Mobile ?". La Tribune (in French). 2022-07-08. Retrieved 2023-07-21.
- Bodnar, Bogdan (2022-09-14). "Les hackers de l'hôpital de Corbeil-Essonnes revendiquent 12 cyberattaques d'organismes français". Numerama (in French). Retrieved 2023-07-21.
- "Cybercriminalité : l'hôpital de Corbeil-Essonnes refuse de payer la rançon, les hackeurs ont commencé à diffuser des données". Le Monde.fr (in French). 2022-09-25. Retrieved 2023-07-21.
- "Pendragon car dealer refuses $60 million LockBit ransomware demand". BleepingComputer. Retrieved 2023-07-21.
- "INFO FRANCEINFO. Un groupe de hackers revendique une cyberattaque contre Thales". Franceinfo (in French). 2022-10-31. Retrieved 2023-07-21.
- "Cybersécurité : des données volées à Thales publiées sur le darkweb". Le Figaro (in French). 2022-11-11. Retrieved 2023-07-21.
- "Thales : Lockbit diffuse des données volées, l'entreprise dément toute intrusion dans son système". Le Monde.fr (in French). 2022-11-11. Retrieved 2023-07-21.
- "Continental victime d'une cyberattaque à 50 millions de dollars". Les Echos (in French). 2022-11-15. Retrieved 2023-07-21.
- "Cyberattaque : L'OEHC refuse de négocier, et promet un retour à la normale le plus rapidement possible". France 3 Corse ViaStella (in French). 2022-11-16. Retrieved 2023-07-21.
- "LockBit claims attack on California's Department of Finance". BleepingComputer. Retrieved 2023-07-21.
- "LockBit ransomware claims attack on Port of Lisbon in Portugal". BleepingComputer. Retrieved 2023-07-21.
- "Ransomware : après l'attaque d'un hôpital pour enfants, comment ce gang de pirates s'est excusé". Clubic.com (in French). 2023-01-02. Retrieved 2023-07-21.
- "Russian-Canadian arrested over global LockBit ransomware campaign". BBC News. 2022-11-10. Retrieved 2023-07-20.
- Thierry, Gabriel (2023-01-13). "Le gang LockBit tente de faire chanter l'entreprise Nuxe". ZDNet France (in French). Retrieved 2023-07-21.
- Thierry, Gabriel (2023-01-26). "Le leader français de la santé privée visé par LockBit". ZDNet France (in French). Retrieved 2023-07-21.
- "Royal Mail faces threat from ransomware group LockBit". 2023-02-08. Retrieved 2023-07-20.
- "Royal Mail cyberattack linked to LockBit ransomware operation". BleepingComputer. Retrieved 2023-07-21.
- "Qu'est-ce que LockBit, le rançongiciel utilisé contre les librairies Indigo?". www.lesaffaires.com (in French). Retrieved 2023-07-21.
- Thierry, Gabriel (2023-04-18). "LockBit étoffe encore son tableau de chasse hexagonal". ZDNet France (in French). Retrieved 2023-07-21.
- Bodnar, Bogdan (2023-05-16). "Cyberattaque contre un grand média chinois, pourquoi est-ce inédit ?". Numerama (in French). Retrieved 2023-07-21.
- Thierry, Gabriel (2023-06-01). "Le piratage de Voyageurs du monde se solde par la fuite de plusieurs milliers de copies de passeports". ZDNet France (in French). Retrieved 2023-07-21.
- "Office of Public Affairs | Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses | United States Department of Justice". www.justice.gov. 2023-06-15. Retrieved 2023-07-20.
- "TSMC denies LockBit hack as ransomware gang demands $70 million". BleepingComputer. Retrieved 2023-07-21.
- Robinson, Teri (2023-07-14). "Lockbit 3.0 Claims Credit for Ransomware Attack on Japanese Port". Security Boulevard. Retrieved 2023-07-21.
- Vigliarolo, Brandon (2023-10-30). "LockBit alleges it boarded Boeing, stole 'sensitive data'". The Register. Retrieved 2023-11-19.
- Dobberstein, Laura (2023-11-02). "Boeing acknowledges cyberattack on parts and distribution biz". The Register. Retrieved 2023-11-19.
- "World's Biggest Bank Forced to Trade Via USB Stick After Hack". Bloomberg.com. 2023-11-10. Retrieved 2023-11-10.
- https://www.bloomberg.com/news/articles/2023-11-09/icbc-seen-hit-by-ransomware-gang-linked-to-boeing-ion-attacks?srnd=undefined
- "Boeing data published by Lockbit hacking gang". Reuters. November 10, 2023.
- https://www.bloomberg.com/news/articles/2023-11-17/lockbit-gang-hacks-into-another-firm-and-threatens-to-dump-data?srnd=undefined#xj4y7vzkg
- https://www.theregister.com/2023/11/17/lockbit_cracks_whip_on_affiliates/
- "LockBit Ransomware Malware Analysis, Overview by ANY.RUN".