The threat actors behind the LockBit ransomware-as-a-service (RaaS) scheme have extorted $91 million following hundreds of attacks against US organizations since 2020.
That's according to a joint advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and partner authorities from Australia, Canada, France, Germany, New Zealand, and England.
"LockBit ransomware-as-a-service (RaaS) entices affiliates to use LockBit to carry out ransomware attacks, resulting in a large network of unconnected threat actors carrying out highly varied attacks," the agencies said.
LockBit, which first appeared in late 2019, continues to be disruptive and prolific, targeting as many as 76 victims in May 2023 alone, according to statistics shared by Malwarebytes last week. The Russia-linked cartel has claimed responsibility for at least 1,653 ransomware attacks to date.
The cybercrime operation has attacked a wide range of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.
LockBit has received three substantial upgrades so far: LockBit Red (June 2021), LockBit Black (March 2022), and LockBit Green (January 2023), the last of which is based on leaked source code from the now-disbanded Conti gang.
The ransomware strain has since been adapted to target Linux, VMware ESXi, and Apple's macOS systems, turning it into a growing threat. The RaaS operation is also notable for paying people to get tattoos of its crest and for instituting the first bug bounty program.
The business model involves the core developers leasing their warez to affiliates, who carry out the actual ransomware deployment and extortion. In a departure from other groups, however, LockBit allows affiliates to receive ransom payments before sending a cut to the core crew.
Attack chains involving LockBit have exploited recently disclosed vulnerabilities in Fortra GoAnywhere Managed File Transfer (MFT) and PaperCut MF/NG servers, as well as other known bugs in Apache Log4j2, F5 BIG-IP and BIG-IQ devices, and Fortinet products, to obtain initial access.
Affiliates also use more than three dozen freeware and open source tools that enable network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. The malware has further been found to abuse legitimate red team software such as Metasploit and Cobalt Strike.
"LockBit has succeeded through constant innovation and development of the group's administrative panel (i.e., a simplified point-and-click interface that makes ransomware deployment accessible to those with low-level technical skills), affiliate support functions, and constant revisions to TTPs," the agencies said.
The development comes as CISA issued Binding Operational Directive (BOD) 23-02, instructing federal agencies to secure network devices such as firewalls, routers, and switches that are exposed to the public internet within 14 days of discovery and to take steps to minimize the attack surface.
"Too often, threat actors are able to use network devices to gain unrestricted access to an organization's network, which in turn leads to a full-scale compromise," CISA Director Jen Easterly said. "Requiring appropriate controls and mitigations (...) is an important step in reducing risk to the federal civilian enterprise."
The advisory also follows a new advisory highlighting threats to Baseboard Management Controller (BMC) implementations that could potentially allow threat actors to establish "a beachhead with potential pre-boot execution."
"Hardened credentials, firmware updates, and network segmentation options are frequently overlooked, leading to a vulnerable BMC," CISA and the US National Security Agency (NSA) said in a joint advisory.
"In addition, malicious actors can disable security solutions such as the trusted platform module (TPM) or UEFI secure boot, manipulate data on any attached storage media, or propagate implants or disruptive instructions across a network infrastructure."