CyberSecurity SEE

LockBit Ransomware Gang Accumulated $91 Million in Earnings

LockBit, a notorious ransomware, has emerged as one of the most prevalent threats in 2022, causing havoc for organizations of all sizes and industries. This ransomware is deployed by a Ransomware-as-a-Service (RaaS) group, with affiliates operating anonymously across the globe.

The LockBit gang has been actively recruiting affiliates to carry out ransomware attacks in various sectors, including government, agriculture, and education. To attract more participants, the group has even conducted attention-grabbing stunts. Their widespread activities have resulted in enormous profits, with recent reports from the Cybersecurity and Infrastructure Security Agency (CISA) estimating their revenue from ransom payments to be around $91 million in the United States alone. This makes LockBit one of the highest-earning malware groups in history.

The attack timeline of LockBit reveals its evolution over the years. It was initially discovered as part of the ABCD ransomware activity in 2019. In 2020, the first version of LockBit ransomware appeared, primarily targeting Russian users. The ransomware then progressed to version 2 in June 2021 and version 3 in March 2022.

LockBit has caused significant disruption worldwide, with 18% of reported ransomware incidents in the United States involving this malicious software between April 2022 and March 2023. In Canada, LockBit accounted for 22% of all ransomware reports in 2022. The Federal Bureau of Investigation (FBI) also revealed that the United States experienced 1700 successful LockBit ransomware attacks.

The LockBit gang’s affiliates are known to exploit a range of vulnerabilities, both old and new, to gain unauthorized access. Some of the common vulnerabilities targeted by these affiliates include:

– CVE-2023-0669: Fortra GoAnywhere Managed File Transfer (MFT) Remote Code Execution Vulnerability.
– CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability.
– CVE-2021-44228: Apache Log4j2 Remote Code Execution Vulnerability.
– CVE-2021-22986: F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability.
– CVE-2020-1472: NetLogon Privilege Escalation Vulnerability.
– CVE-2019-0708: Microsoft Remote Desktop Services Remote Code Execution Vulnerability.
– CVE-2018-13379: Fortinet FortiOS Secure Sockets Layer (SSL) Virtual Private Network (VPN) Path Traversal Vulnerability.

To mitigate the risks associated with LockBit and similar ransomware attacks, organizations are advised to implement the following measures:

1. Keep all operating systems, hardware, firmware, and software up to date. Regularly install patches and security updates to address vulnerabilities.
2. Control and restrict network connections to prevent unauthorized access.
3. Apply local execution policies for applications to limit their capabilities and prevent the execution of malicious code.
4. Disable unused ports to reduce potential attack vectors.
5. Monitor and investigate any abnormal activity or suspicious behavior on the network.
6. Utilize web filtering solutions to block access to malicious websites and prevent phishing attempts.
7. Maintain offline backups of critical data and ensure they are encrypted to prevent unauthorized access.
8. Develop and regularly update a comprehensive recovery plan to ensure a swift response and restoration in the event of an attack.

By implementing these mitigations, organizations can significantly reduce their exposure to LockBit and other ransomware threats. It is crucial to remain vigilant, stay informed about the latest cyber threats, and proactively protect against them to safeguard sensitive information and maintain business continuity.
