CISA: LockBit behind 1 in 6 ransomware attacks on US gov't in 2022

About one in every six ransomware attacks targeting U.S. government offices in 2022 can be traced back to a single group: LockBit.

Cybersecurity agencies around the world said Wednesday that the LockBit gang, which has links to Russia, is one of the biggest cybersecurity threats that governments and other organizations face.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI and Multi-State Information Sharing and Analysis Center (MS-ISAC) joined the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, France, and New Zealand in publishing a lengthy examination of the group behind the “most deployed ransomware variant across the world” in 2022.

The agencies said LockBit has claimed responsibility for at least 1,653 ransomware attacks, based on victims posted to its leak site.

The gang has brought in about $91 million in ransoms from U.S. victims since its first reported attack in the country in January 2020.

Each country provided its own statistics illustrating LockBit’s unparalleled attack frequency, with Australia noting that in the last year the gang made up 18% of total reported ransomware incidents. In Canada and New Zealand, meanwhile, LockBit was responsible for just over 1 in every 5 attacks last year.

France said 11% of the attacks it has seen since 2020 involved LockBit but noted that in a portion of the cases it was not able to confirm or deny the breach of victim networks, basing its count solely on the gang’s leak site posting.

In the U.S., the group accounted for 16% of attacks on public entities, which include municipal and county governments, public higher education and K-12 schools, as well as on emergency services like law enforcement agencies.

“Ransomware is one of the most severe cyber threats for government, businesses and society,” said Gerhard Schabhueser, acting president for Germany’s Federal Office for Information Security (BSI).

“Amongst those actors guided by financial motivations, the Ransomware-as-a-Service LockBit is currently the most menacing in Germany as well as globally. We reiterate our call to all organizations to take appropriate action and increase their resilience.”

The LockBit takeover

The advisory lays out several tactics and vulnerabilities typically exploited by the group during attacks and notes that part of the gang’s success is in its use of affiliates, which find diverse ways to breach organizations.

According to the agencies, the group allows affiliates to receive ransom payments and then send the developers their cut, a practice that “stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates’ cut.”

LockBit has participated in several publicity-generating stunts like paying people to get tattoos of their insignia and running bug bounty programs for their ransomware.

The group has also created a simplified interface that allows less technically-skilled hackers to simply “point-and-click” during attacks. LockBit has evolved significantly over time, releasing 2.0 and 3.0 versions since 2021.

LockBit 3.0 — known as LockBit Black — incorporates tooling from BlackMatter and Alphv ransomware strains while the LockBit Green strain released in January 2023 incorporates source code from the now-defunct Conti ransomware.

According to the agencies, the introduction of LockBit 2.0 in mid-2021 had an “immediate impact on the cybercriminal market” as it coincided with the demise of multiple RaaS operations, like DarkSide and Avaddon.

“LockBit competed with other RaaS operations, like Hive RaaS, to fill the gap in the cybercriminal market leading to an influx of LockBit affiliates,” they said.

The report mentioned several vulnerabilities that LockBit has exploited, including recent bugs like CVE-2023-0669, affecting Fortra’s GoAnywhere Managed File Transfer product, and CVE-2023-27350, affecting a popular printer software named PaperCut.

Several affiliates have also used more popular vulnerabilities like Log4j during attacks. The advisory includes a list of about 30 tools used by the hackers and more information on the gang’s modus operandi.

“LockBit is one of the most prolific and disruptive ransomware variants, having been used by cybercriminals against multiple sectors and organizations worldwide, including in Australia,” said Abigail Bradshaw, head of the Australian Cyber Security Centre. “With ransomware variants constantly evolving, this advice can help organizations strengthen and defend their networks.”

An evolving model

Several cybersecurity experts said LockBit has stood out from its competitors in recent years by constantly improving its model.

Sean McNee, vice president of research and data at cybersecurity firm DomainTools, said the group has professionalized its business model and now actively advertises on online forums to beef up its affiliate network.

Others noted that the group’s ability to dumb down the ransomware attack process was LockBit’s most worrying development. The gang has “lowered the barrier for entry significantly,” said Dror Liwer, co-founder of the AI-based cybersecurity company Coro.

“Now that the barrier of entry has been lowered, and the attack cost has been commoditized, the ROI of attacks against mid-market and small organizations has improved greatly, leading attackers to target these much more vulnerable organizations, who do not have the same security stack or teams protecting them as the Fortune 500 do,” Liwer said.

Tom Kellermann, a former Obama administration cybersecurity official, added that LockBit has been able to help Russia offset some Western economic sanctions through its increased number of ransomware attacks, affiliating itself “with cybercrime cartels that enjoy a pax mafiosa with the Russian government.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.