According to a joint advisory by U.S. and international cybersecurity authorities, the LockBit ransomware gang has successfully extorted approximately $91 million through around 1,700 attacks targeting U.S. organizations since 2020.
This Ransomware-as-a-Service (RaaS) operation emerged as the top global ransomware threat in 2022, claiming the highest number of victims on its data leak site. The advisory reveals that LockBit targeted a wide range of sectors, including government, healthcare, education, financial services, and emergency services.
Reports from the MS-ISAC indicate that LockBit attacks accounted for approximately 16% of ransomware incidents affecting State, Local, Tribal, and Territorial (SLTT) governments.
Affiliates of LockBit specifically targeted municipal and county governments, public higher education institutions, K-12 schools, as well as emergency services like law enforcement. The joint advisory emphasizes that LockBit remains highly active and prolific, being the most deployed ransomware variant globally in 2022 and continuing its operations in 2023.
The advisory offers valuable insights into LockBit’s tactics, techniques, and procedures (TTPs), including a detailed MITRE ATT&CK mapping of over 40 TTPs employed by LockBit affiliates. It also provides a list of around 30 freeware and open-source tools commonly used by the gang. The cybersecurity authorities share information about the Common Vulnerabilities and Exposures (CVEs) exploited by LockBit, along with recommended mitigation measures to help organizations defend against this threat. The FBI encourages all organizations to review the advisory and implement the recommended measures to enhance their defenses.
LockBit ransomware first emerged in September 2019 as a RaaS operation and later resurfaced as LockBit 2.0 RaaS in June 2021, in response to the ban on ransomware groups on cybercrime forums. LockBit 3.0 was introduced with significant upgrades, including Zcash cryptocurrency payment options, innovative extortion tactics, and the first ransomware bug bounty program.
Notable victims of LockBit include automotive giant Continental, the Italian Internal Revenue Service, the UK Royal Mail, and the City of Oakland.