Why it matters: The LockBit cybergang runs a "ransomware-as-a-service" (RaaS) operation where the malware creators manage the backend, while "affiliated" partners compromise victims' networks. According to a recent advisory, LockBit is also one of the most prominent (and dangerous) ransomware threats out there.
The US Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) partnered with high-profile international organizations to issue a new warning against the LockBit ransomware. The joint cybersecurity advisory explains how LockBit works, how widespread the threat is, and how organizations can protect themselves against infection and encryption-based extortion attempts.
Thanks to its RaaS-based modus operandi, LockBit has long been one of the most prolific cyber-crime operations throughout the world. The joint advisory, which involves security organizations from Australia, Canada, the UK, France, Germany, and New Zealand, states that LockBit was the most deployed ransomware variant in 2022. The malware has been attacking "organizations of varying size" since last year, and continues to be extremely prolific in 2023 as well.
LockBit, which is now available as version 3.0, is known for having close ties with the Kremlin. The ransomware could very much provide a way to avoid sanctions imposed by Western countries after Russia invaded Ukraine, while security professional Tom Kellermann is accusing LockBit and other "nefarious ransomware gangs" of enjoying a genuine "pax mafiosa" with Vladimir Putin's regime.
The LockBit malware is known for attacking critical infrastructure sectors, the advisory says, including financial services, food and agriculture, education, energy, government, healthcare (except children's hospitals), manufacturing, and transportation. Due to the large number of third-party affiliates, the advisory highlights, attacks can vary significantly in "tactics, techniques and procedures" (TTPs).
According to data provided by the FBI, the LockBit gang collected about 1,700 attacks since 2020 in the US alone. Organizations that chose to pay the ransom gave approximately $91 million to the cyber-criminals since January 5, 2020. But the advisory urges victims not to give in to ransom demands, as there is absolutely no guarantee that the cybercriminals will provide the tools needed to recover encrypted files.
Furthermore, the advisory continues, payment may also "embolden adversaries to target additional organizations," encouraging other criminal gangs to create even more ransomware variants and operations. Regardless of whether an organization has decided to pay the ransom, the security coalition also urges LockBit victims to "promptly report" every ransomware incident to their country's respective security authorities.