Lockbit

Source: Wikipedia, the free encyclopedia.
Lockbit
Formation2019
TypeCybercrime

LockBit is a

encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.[1]

According to a joint statement by various government agencies, LockBit was the world's most prolific ransomware in 2022.[2] It was estimated in early 2023 to be responsible for 44% of all ransomware incidents globally.[3]

In the United States between January 2020 and May 2023, Lockbit was used in approximately 1,700 ransomware attacks, with

US$91 million paid in ransom to hackers.[4]

Government agencies did not formally attribute the group to any nation-state.[5] Software with the name "LockBit" appeared on a Russian-language based cybercrime forum in January 2020.[4] The group is financially-motivated.[3]

In February 2024 law enforcement agencies seized control of LockBit dark web sites used for attacks.[6][7] However, further attacks with LockBit ransomware were later reported, with the group attempting to perform a comeback. [8][9]

Description

LockBit software, written in the

zero-day exploits, in the same way as other malware. LockBit then takes control of the infected system, collects network information, and steals and encrypts data. Demands are then made for the victim to pay a ransom for their data to be decrypted so that it is again available, and for the perpetrators to delete their copy, with the threat of otherwise making the data public.[10] (While the data are not published if the ransom is paid, it was found when LockBit was taken down by law enforcement that it had not been deleted.[11]
)

LockBit gained attention for its creation and use of the malware called "StealBit", which automates transferring data to the intruder. This tool was introduced with the release of LockBit 2.0, which has fast and efficient encryption capabilities. To expand their reach, LockBit also released Linux-ESXI Locker version 1.0, targeting Linux hosts, particularly VMware ESXi servers.[1]

LockBit recruits affiliates and develops partnerships with other criminal groups. They hire network access brokers, cooperate with organizations like Maze, and recruit insiders from targeted companies. To attract talented hackers, they have sponsored underground technical writing contests.[1]

LockBit has targeted various industries globally, however, healthcare and education sectors are the biggest victims. According to Trend Micro, in terms of attack attempts, United States, India and Brazil are the top targeted countries.[1]

LockBit is efficient and adaptable: they emphasize their malware's speed and capabilities to attract victims. They take external factors like data privacy laws into consideration when targeting potential victims. LockBit's success also relies heavily on their affiliate program, which helps them innovate and compete in the ransomware landscape.[1]

On its site on the dark web, LockBit stated that it was "located in the Netherlands, completely apolitical and only interested in money".[12]

Techniques and tactics

LockBit operators frequently gain initial access by exploiting vulnerable

VPNs.[1]

Once installed, LockBit ransomware is often executed in

domain controllers using scanners such as Advanced Port Scanner.[1]

For

Cobalt Strike.[1]

LockBit's ransomware payload encrypts files and network shares using

RSA encryption. It encrypts only the first few kilobytes of each file for faster processing, and adds a ".lockbit" extension. LockBit then replaces the desktop wallpaper with a ransom note; it can also print ransom notes to attached printers. The goal is to extort payment of a ransom to reverse system disruption and restore file access.[1]

History

Lockbit malware was previously known as ".abcd", after the file extension that was added to encrypted files as they were made inaccessible.[13]

LockBit was first observed in September 2019.[14]

LockBit 2.0

LockBit 2.0 appeared in 2021[14] and came into the spotlight with their attack on Accenture the same year, where an insider probably helped the group entering the network. LockBit published some of the data stolen in this attack.[15][1]

In January 2022, the electronics company Thales was one of the victims of Lockbit 2.0.[16]

In July 2022, the administrative and management services of La Poste Mobile were attacked.[17]

In September 2022, the group's hackers claimed cyberattacks against 28 organizations, 12 of which involved French organizations.[18] Among them, the Corbeil Essonnes hospital was targeted with a ransom demand of US$10 million.[19]

In October 2022, the Lockbit group claimed responsibility for an attack on

Pendragon PLC, a group of automotive retailers in the UK, demanding a ransom of US$60 million to decrypt the files and not leak them; the company stated that they refused the demand.[20]

On October 31, 2022, the Lockbit hacker group claimed to have attacked Thales Group for the second time and did not demand a ransom, but said that the data would be released. The hacker group offered assistance to Thales customers affected by the theft, in order to lodge a complaint against Thales, a group "that has greatly disregarded confidentiality rules".[21] On November 10, 2022, the LockBit 3.0 group published on the darknet a 9.5 GB archive with stolen information on Thales contracts in Italy and Malaysia.[22][23]

In November 2022, OEHC - Office d'Équipement Hydraulique de Corse - was the victim of a cyberattack that encrypted the company's computer data. A ransom demand was made by the hacker group, to which OEHC did not respond.[24]

In December 2022, the Lockbit hacker group claimed responsibility for the attack on the California Finance Administration. The governor's office acknowledged being the victim of an attack, without specifying its scale. Lockbit claims to have stolen 246,000 files with a total size of 75.3 GB.[25]

In December 2022, the hacker group claimed to have attacked the port of Lisbon. The ransom was set at US$1.5 million, to be paid by January 18, 2023.[26]

On December 18, 2022, a group of hackers attacked Toronto's Hospital for Sick Children. After realizing their blunder, the hacker group stopped the attack, apologized and offered a free solution to recover the encrypted files.[27]

LockBit 3.0

In late June 2022, the group launched "LockBit 3.0", the latest variant of their ransomware, after two months of

US$1,000 to $1 million.[1]

In August 2022, German equipment manufacturer Continental suffered a Lockbit ransomware attack. In November 2022, with no response to its ransom demand, the hacker group published part of the stolen data and offered access to all of it for 50 million euros. Among the stolen data are the private lives of the Group's employees, as well as exchanges with German car manufacturers. Beyond the theft of data, the danger lies in opening the way to industrial espionage. Indeed, among the exchanges with Volkswagen are IT aspects, from automated driving to entertainment, in which Volkswagen wanted Continental to invest.[28]

In November 2022, the United States Department of Justice announced the arrest of Mikhail Vasiliev, a dual Russian and Canadian national, in connection with the LockBit ransomware campaign. According to the charges, Vasiliev allegedly conspired with others involved in LockBit, a ransomware variant that had been used in over 1,000 attacks globally as of November 2022. According to reports, the operators of LockBit had made at least $100 million in ransom demands, of which tens of millions had been paid by victims. The arrest followed a 2.5 year investigation into the LockBit ransomware group by the Department of Justice.[29]

In January 2023, the hacker group claimed to have attacked the French luxury goods company Nuxe[30] and ELSAN, a French group of private clinics. The hacker group filched 821 GB of data from the company's headquarters.[31] The same month, Royal Mail's international export services were severely disrupted by a Lockbit ransomware attack.[32][33]

In February 2023, the group claimed responsibility for an attack on Indigo Books and Music, a chain of Canadian bookstores.[34]

In March 2023, the group claimed responsibility for attacking BRL Group [fr], a water specialist in France.[35]

On May 16, 2023, the hacker group claimed responsibility for attacking the Hong Kong branch of the Chinese newspaper China Daily. This is the first time the hacker group has attacked a Chinese company. Lockbit does not attack Russian entities and avoids attacking Russian allies.[36]

In May 2023, the hacker group claimed responsibility for the attack on fr:Voyageurs du Monde. The hacker group stole some 10,000 identity documents from the company's customer files.[37]

In June 2023, the United States Department of Justice announced criminal charges against Ruslan Magomedovich Astamirov, a Russian national, for his alleged participation in the LockBit ransomware campaign as an affiliate. The charges allege that Astamirov directly executed at least five ransomware attacks against victims and received a portion of ransom payments in bitcoin.[38]

At the end of June 2023, the TSMC group fell victim to a ransomware attack via one of its suppliers. LockBit demanded a $70 million ransom.[39]

In July 2023, Lockbit attacked the Port of Nagoya in Japan, which handles 10% of the country's trade. The attack forced a shutdown of container operations.[40] In October 2023, Lockbit claimed to have stolen sensitive data from Boeing.[41] Boeing acknowledged they were aware of a cyber incident affecting some of their parts and distribution business a few days later, though it did not affect flight safety; they did not name the suspected attackers.[42]

In November 2023, Lockbit attacked the U.S. subsidiary of the Chinese state-owned Industrial and Commercial Bank of China.[43] Bloomberg reported that the US unit of ICBC at the time was considered the world's largest lender by assets.[44]

In November 2023, Lockbit released internal data that the group had stolen a month earlier from Boeing onto the Internet.[45]

In November 2023, the Lockbit gang attacked the Chicago Trading Company and Alphadyne Asset Management. Bloomberg reported that the CTC had been hacked in October, and that over the prior year Lockbit had "become the world’s most prolific ransomware group." Since 2020, it had reportedly carried out 1,700 attacks and extorted $91 million, according to the US Cybersecurity and Infrastructure Security Agency.[46] The Register reported in late November 2023 that LockBit was facing growing internal frustrations, and that its leaders were overhauling some of its negotiation methods with victims in response to the low pay rate achieved.[47]

In January 2024, the Lockbit gang attacked Fulton County computers.[48][49] The county released a statement on the attack the following month, saying they had not paid the ransom, that it was not associated with the election process, they were not aware of any extraction of sensitive information about citizens or employees.[48][49]

LockBit-NG-Dev (LockBit 4?)

When the LockBit server was closed down by law enforcement in February 2024, it was found that a new version, LockBit-NG-Dev, probably to be released as LockBit 4.0, had been under advanced development;[50] Trend Micro published a detailed report on it.[51]

Seizure by law enforcement in 2024

On February 19, 2024, the National Crime Agency in collaboration with Europol and other international law enforcement agencies seized control of darknet websites belonging to the LockBit ransomware gang as a part of Operation Cronos.[52][53][54][6][7] An unverified report said that Lockbit had said that its servers running on the programming language PHP had been hit, but that it had backup servers without PHP that were "not touched".[12] One person was arrested in Ukraine, one in Poland, and two in the United States. Two Russians were also named, but have not been arrested. According to Graeme Biggar, Director General of the National Crime Agency, law enforcement has "taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems."[11] A decryptor for LockBit 3.0 was made using the seized keys and released for free use on No More Ransom.[55]

After the takedown, law enforcement posted information about the group on its dark web site, including that it had at least 188 affiliates.[8] Law enforcement also obtained 30,000 Bitcoin addresses used for managing the group's profits from ransom payments, which contained 2,200 BTC ($112 million USD).[56]

As of 22 February 2024 LockBit ransomware was still spreading.[57][8]

On 24 February 2024 a new website claiming to be run by Lockbit appeared.[58] The new site listed more than a dozen alleged victims including the FBI, hospitals and Fulton County, Georgia.[58] The new site threatened to release information relating to Fulton County unless a ransom was paid by March 2 2024.[58] The new site claimed to have the identities of members of a jury in a murder trial.[58] There was also a threat to release Fulton County documents relating to court cases involving Donald Trump if the ransom wasn't paid.[58]

References

  1. ^ a b c d e f g h i j k "Ransomware Spotlight: LockBit". Trendmicro. Archived from the original on 2023-07-07. Retrieved 2023-07-07.
  2. ^ "Understanding Ransomware Threat Actors: LockBit". CISA. 2023-06-14. Archived from the original on 2023-11-25. Retrieved 2023-11-25.
  3. ^ a b Tunney, Catharine (February 3, 2023). "Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada". Canadian Broadcasting Corporation. Archived from the original on November 25, 2023. Retrieved November 25, 2023.
  4. ^ a b "Understanding Ransomware Threat Actors: LockBit". CISA. 2023-06-14. Archived from the original on 2023-11-25. Retrieved 2023-11-25.
  5. ^ Siddiqui, Zeba; Pearson, James; Pearson, James (2023-11-10). "Explainer: What is Lockbit? The digital extortion gang on a cybercrime spree". Reuters. Archived from the original on 2023-11-25. Retrieved 2023-11-25.
  6. ^ a b Sharwood, Simon (2024-02-20). "LockBit ransomware gang disrupted by global operation". The Register. Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  7. ^ a b Jones, Conor (2024-02-20). "Cops turn LockBit ransomware gang's countdown timers against them". The Register. Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  8. ^ a b c d Gatlan, Sergiu (22 February 2024). "ScreenConnect servers hacked in LockBit ransomware attacks". BleepingComputer. Archived from the original on 23 February 2024. Retrieved 23 February 2024. despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running.
  9. ^ "Latest LockBit news". BleepingComputer. Archived from the original on 21 February 2024. Retrieved 23 February 2024. Developments added as they happen; latest 22 February 2024
  10. ^ "How LockBit Ransomware Works (TT&P)". BlackBerry. Archived from the original on 20 February 2024. Retrieved 20 February 2024.
  11. ^
    ISSN 0261-3077. Archived
    from the original on 2024-02-20. Retrieved 2024-02-20.
  12. ^ a b "Prolific cybercrime gang disrupted by joint UK, US and EU operation". The Guardian. Reuters. 19 February 2024. Archived from the original on 20 February 2024. Retrieved 20 February 2024.
  13. ISSN 0261-3077. Archived
    from the original on 2023-06-14. Retrieved 2023-07-20.
  14. ^ a b "What Is LockBit Ransomware?". Blackberry. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  15. ^ "LockBit 2.0 Ransomware: An In-Depth Look at Lockfile & LockBit". Avertium. Archived from the original on 2023-07-07. Retrieved 2023-07-07.
  16. ^ Damien Licata Caruso (18 January 2022). "Thales refuse le chantage, des hackers publient les données volées à sa branche aérospatiale". Le Parisien (in French). Archived from the original on 5 June 2023. Retrieved 21 July 2023.
  17. ^ "Qui est LockBit 3.0, le cyber-rançonneur de La Poste Mobile ?". La Tribune (in French). 2022-07-08. Archived from the original on 2023-06-04. Retrieved 2023-07-21.
  18. ^ Bodnar, Bogdan (2022-09-14). "Les hackers de l'hôpital de Corbeil-Essonnes revendiquent 12 cyberattaques d'organismes français". Numerama (in French). Archived from the original on 2022-09-15. Retrieved 2023-07-21.
  19. ^ "Cybercriminalité : l'hôpital de Corbeil-Essonnes refuse de payer la rançon, les hackeurs ont commencé à diffuser des données". Le Monde (in French). 2022-09-25. Archived from the original on 2024-03-20. Retrieved 2023-07-21.
  20. ^ "Pendragon car dealer refuses $60 million LockBit ransomware demand". BleepingComputer. 24 October 2022. Archived from the original on 2 June 2023. Retrieved 21 July 2023.
  21. ^ "INFO FRANCEINFO. Un groupe de hackers revendique une cyberattaque contre Thales". Franceinfo (in French). 2022-10-31. Archived from the original on 2023-04-13. Retrieved 2023-07-21.
  22. ^ "Cybersécurité : des données volées à Thales publiées sur le darkweb". Le Figaro (in French). 2022-11-11. Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  23. ^ "Thales : Lockbit diffuse des données volées, l'entreprise dément toute intrusion dans son système". Le Monde (in French). 2022-11-11. Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  24. ^ "Cyberattaque : L'OEHC refuse de négocier, et promet un retour à la normale le plus rapidement possible". France 3 Corse ViaStella (in French). 2022-11-16. Archived from the original on 2022-12-03. Retrieved 2023-07-21.
  25. ^ Ilascu, Ionut (13 December 2022). "LockBit claims attack on California's Department of Finance". BleepingComputer. Archived from the original on 2023-01-11. Retrieved 2023-07-21.
  26. ^ "LockBit ransomware claims attack on Port of Lisbon in Portugal". BleepingComputer. Archived from the original on 2023-03-28. Retrieved 2023-07-21.
  27. ^ "Ransomware : après l'attaque d'un hôpital pour enfants, comment ce gang de pirates s'est excusé". Clubic (in French). 2023-01-02. Archived from the original on 2023-08-30. Retrieved 2023-07-21.
  28. ^ "Continental victime d'une cyberattaque à 50 millions de dollars". Les Echos (in French). 2022-11-15. Archived from the original on 2023-06-29. Retrieved 2023-07-21.
  29. ^ "Russian-Canadian arrested over global LockBit ransomware campaign". BBC News. 2022-11-10. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  30. ^ Thierry, Gabriel (2023-01-13). "Le gang LockBit tente de faire chanter l'entreprise Nuxe". ZDNet France (in French). Archived from the original on 2023-01-16. Retrieved 2023-07-21.
  31. ^ Thierry, Gabriel (2023-01-26). "Le leader français de la santé privée visé par LockBit". ZDNet France (in French). Archived from the original on 2023-03-26. Retrieved 2023-07-21.
  32. ^ "Royal Mail faces threat from ransomware group LockBit". Reuters. 2023-02-08. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  33. ^ "Royal Mail cyberattack linked to LockBit ransomware operation". BleepingComputer. Archived from the original on 2023-06-28. Retrieved 2023-07-21.
  34. ^ "Qu'est-ce que LockBit, le rançongiciel utilisé contre les librairies Indigo?". Les affaires (in French). Archived from the original on 2023-04-01. Retrieved 2023-07-21.
  35. ^ Thierry, Gabriel (2023-04-18). "LockBit étoffe encore son tableau de chasse hexagonal". ZDNet France (in French). Archived from the original on 2023-07-19. Retrieved 2023-07-21.
  36. ^ Bodnar, Bogdan (2023-05-16). "Cyberattaque contre un grand média chinois, pourquoi est-ce inédit ?". Numerama (in French). Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  37. ^ Thierry, Gabriel (2023-06-01). "Le piratage de Voyageurs du monde se solde par la fuite de plusieurs milliers de copies de passeports". ZDNet France (in French). Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  38. ^ "Office of Public Affairs | Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses | United States Department of Justice". www.justice.gov. 2023-06-15. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  39. ^ "TSMC denies LockBit hack as ransomware gang demands $70 million". BleepingComputer. Archived from the original on 2023-07-27. Retrieved 2023-07-21.
  40. ^ Robinson, Teri (2023-07-14). "Lockbit 3.0 Claims Credit for Ransomware Attack on Japanese Port". Security Boulevard. Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  41. ^ Vigliarolo, Brandon (2023-10-30). "LockBit alleges it boarded Boeing, stole 'sensitive data'". The Register. Archived from the original on 2023-11-19. Retrieved 2023-11-19.
  42. ^ Dobberstein, Laura (2023-11-02). "Boeing acknowledges cyberattack on parts and distribution biz". The Register. Archived from the original on 2023-11-19. Retrieved 2023-11-19.
  43. ^ "World's Biggest Bank Forced to Trade Via USB Stick After Hack". Bloomberg. 2023-11-10. Archived from the original on 2023-11-10. Retrieved 2023-11-10.
  44. ^ Doherty, Katherine; McCormick, Liz Capo (9 November 2023). "World's Largest Bank Hit By Ransomware Gang Linked to Boeing, Ion Attacks". Bloomberg. Archived from the original on 2023-11-10. Retrieved 2023-12-06.
  45. ^ "Boeing data published by Lockbit hacking gang". Reuters. November 10, 2023. Archived from the original on 2023-11-10. Retrieved 2023-11-10.
  46. ^ Gallagher, Ryan; Doherty, Katherine; Almeida, Isis (17 November 2023). "Lockbit Gang Hacks Into Another US Financial Firm, Threatens to Dump Data". Bloomberg. Archived from the original on 2023-11-17. Retrieved 2023-12-06.
  47. ^ Jones, Connor (17 November 2023). "LockBit revamps ransomware negotiations as payments dwindle". The Register. Archived from the original on 7 December 2023. Retrieved 6 December 2023.
  48. ^ a b Chidi, George (2024-02-12). "Fulton county's systems were hacked. Already weary officials are tight-lipped". The Guardian. Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  49. ^ a b Lyngaas, Sean; Spells, Alta. "Fulton County faces ransomware attack by 'financially motivated actors,' but county elections still on track". CNN. Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  50. ^ Toulas, Bill (22 February 2024). "LockBit ransomware secretly building next-gen encryptor before takedown". Bleeping Computer. Archived from the original on 23 February 2024. Retrieved 23 February 2024.
  51. ^ Technical Appendix: LockBit-NG-Dev Detailed Analysis (PDF) (Report). Trend Research. 22 February 2024. Archived (PDF) from the original on 23 February 2024. Retrieved 23 February 2024.
  52. ^ Gatlan, Sergiu (2024-02-19). "LockBit ransomware disrupted by global police operation". BleepingComputer. Archived from the original on 2024-02-19. Retrieved 2024-02-19.
  53. ^ Vicens, A. J. (2024-02-19). "FBI, British authorities seize infrastructure of LockBit ransomware group". CyberScoop. Archived from the original on 2024-02-19. Retrieved 2024-02-19.
  54. ^ Fingert, Tyler (2024-02-19). "Site run by cyber criminals behind Fulton County ransomware attack taken over". Fox 5 Atlanta. Archived from the original on 2024-02-19. Retrieved 2024-02-19.
  55. ^ "Police arrest LockBit ransomware members, release decryptor in global crackdown". BleepingComputer. Archived from the original on 2024-02-24. Retrieved 2024-02-24.
  56. ^ "LockBit ransomware gang has over $110 million in unspent bitcoin". BleepingComputer. Archived from the original on 2024-02-24. Retrieved 2024-02-24.
  57. ^ Goodin, Dan (2024-02-22). "Ransomware associated with LockBit still spreading 2 days after server takedown". Ars Technica. Archived from the original on 2024-02-22. Retrieved 2024-02-22.
  58. ^ a b c d e Lyons, Jessica (2024-02-26). "Back from the dead: LockBit taunts cops, threatens to leak Trump docs". The Register. Archived from the original on 2024-02-26. Retrieved 2024-02-26.

See also

Retrieved from "https://en.wikipedia.org/w/index.php?title=Lockbit&oldid=1220185736"