LockBit Ransomware Actors Made Over $90 Million Since 2020


LockBit, a notorious ransomware-as-a-service (RaaS) operation, has managed to extort a staggering $91 million from various U.S. organizations through hundreds of attacks since 2020. A joint bulletin published by multiple international authorities, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, shed light on the extent of the damage caused by LockBit.

The bulletin reveals that LockBit operates as a RaaS, enticing affiliates to carry out ransomware attacks using its platform. This has led to a network of disparate threat actors executing diverse types of attacks. LockBit, which emerged in late 2019, has maintained its disruptive and prolific nature, with statistics from Malwarebytes indicating that it targeted up to 76 victims in May 2023 alone. The ransomware gang, believed to have links to Russia, has claimed responsibility for over 1,653 ransomware attacks to date.

LockBit has spared no critical infrastructure sector, targeting industries such as finance, agriculture, education, energy, government, healthcare, manufacturing, and transportation. It has undergone significant upgrades, including LockBit Red in June 2021, LockBit Black in March 2022, and LockBit Green in January 2023, the last of which is based on leaked source code from the dismantled Conti gang. The ransomware has also expanded its reach to target Linux, VMware ESXi, and Apple macOS systems, making it a continuously evolving threat.

LockBit's business model involves leasing its ransomware tools to affiliates who execute the attacks and extortion operations. Unusually, the group allows affiliates to receive ransom payments directly before sharing a portion with the core developers.

LockBit Leverages Various Vulnerabilities

The attacks orchestrated by LockBit have exploited vulnerabilities in various systems, including recently disclosed flaws in Fortra GoAnywhere Managed File Transfer (MFT) and PaperCut MF/NG servers. Additionally, known vulnerabilities in Apache Log4j2, F5 BIG-IP and BIG-IQ, and Fortinet devices have been exploited for initial access.

LockBit affiliates have utilized over three dozen freeware and open-source tools to conduct network reconnaissance, establish remote access, perform credential dumping, and exfiltrate files. Notably, legitimate red team software such as Metasploit and Cobalt Strike has also been abused in these intrusions.

The success of LockBit can be attributed to its constant innovation, particularly its user-friendly administrative panel that simplifies ransomware deployment for individuals with limited technical expertise. The group continuously revises its tactics, techniques, and procedures (TTPs) to stay ahead.

In response to the threat, CISA issued a Binding Operational Directive instructing federal agencies to secure network devices exposed to the public internet and minimize the attack surface. This directive aims to mitigate the risk of threat actors leveraging network devices to gain unrestricted access to organizational networks.

Furthermore, a recent advisory highlighted the potential risks associated with Baseboard Management Controller (BMC) implementations, which could provide threat actors with a foothold and pre-boot execution capabilities.

June 15, 2023
