
Feds Release Updated Threat Intelligence on LockBit 3.0 Ransomware

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) about LockBit 3.0 ransomware, also known as LockBit Black.

The LockBit ransomware group has been in operation since at least September 2019 and is one of the most prolific ransomware groups. The group conducted more attacks than any other ransomware operation in 2022, and it has been estimated that LockBit ransomware is involved in around 40% of all ransomware attacks worldwide. The group is believed to have conducted more than 1,000 attacks on organizations in the United States and has generated more than $100 million in ransom payments.

LockBit is a ransomware-as-a-service operation that recruits affiliates to conduct attacks in return for a cut of the ransoms they generate. The group engages in double extortion tactics, where files are stolen prior to encryption and threats are issued to publish or sell the stolen data if the ransom is not paid. Victims are usually small- to medium-sized organizations, although attacks on large organizations are not unknown. Ransom demands average around $85,000 per victim.

The ransomware is actively developed and evolved into LockBit 2.0 in 2021 and LockBit 3.0 in June 2022. LockBit 3.0 has capabilities similar to BlackMatter ransomware, and it is possible some of the same code has been used. Initial access to victim networks is gained through a variety of methods, including purchasing access from initial access brokers, insider access, exploiting unpatched and zero-day vulnerabilities, phishing, and Remote Desktop Protocol (RDP) exploitation. Affiliates use a custom data exfiltration tool called Stealbit; the open-source command-line cloud storage manager, rclone; and publicly available file sharing services such as MEGA to exfiltrate stolen data.
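The exfiltration tooling named above (rclone and public file-sharing services such as MEGA) is the kind of activity network defenders can hunt for in endpoint telemetry. The following is an added detection sketch, not code from the advisory or from HIPAA Journal: it scans constructed process-creation and DNS-query events, flags rclone invocations that transfer data to a configured remote, flags DNS lookups of a hypothetical file-sharing watch-list (the `mega.nz`/`mega.io` entries are an assumption, not IoCs from the advisory), and correlates both signals per host. The event format and field names are invented for the example.

```python
"""Added example: hunting for rclone-based exfiltration and file-sharing lookups.

The event schema, hostnames, paths and domain watch-list below are constructed
for illustration and are not indicators published in the advisory.
"""
import json
import re

# Constructed watch-lists (assumptions for the example).
SUSPECT_TOOLS = {"rclone", "rclone.exe"}
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto"}
FILE_SHARING_DOMAINS = {"mega.nz", "mega.io"}  # hypothetical watch-list

# Constructed JSON-lines telemetry, one event per line.
SAMPLE_EVENTS = [
    r'{"event":"process_create","host":"WS01","image":"C:\\Windows\\System32\\svchost.exe","command_line":"svchost.exe -k netsvcs"}',
    r'{"event":"process_create","host":"FS02","image":"C:\\Users\\Public\\rclone.exe","command_line":"rclone.exe copy C:\\Finance mega:backup --transfers 8"}',
    r'{"event":"dns_query","host":"FS02","query":"api.mega.nz"}',
    r'{"event":"dns_query","host":"WS01","query":"www.example.com"}',
    r'{"event":"process_create","host":"WS03","image":"/usr/bin/rclone","command_line":"rclone config"}',
]


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def _domain_matches(host, watch_list):
    """True if host equals or is a subdomain of any watched domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watch_list)


def analyze_event(event):
    """Return (finding, host, details) tuples for a single telemetry event."""
    findings = []
    kind = event.get("event")
    host = event.get("host", "?")
    if kind == "process_create":
        image = _basename(event.get("image", ""))
        argv = event.get("command_line", "").split()
        if image in SUSPECT_TOOLS:
            verbs = {a.lower() for a in argv[1:]}
            if verbs & RCLONE_TRANSFER_VERBS:
                # rclone remotes look like "name:path"; a single letter before the
                # colon is a Windows drive (C:\...) and is deliberately excluded.
                remotes = [a for a in argv[1:] if re.match(r"^[A-Za-z0-9_-]{2,}:", a)]
                findings.append(("rclone_transfer", host, remotes))
            else:
                findings.append(("rclone_exec", host, []))
    elif kind == "dns_query":
        query = event.get("query", "")
        if _domain_matches(query, FILE_SHARING_DOMAINS):
            findings.append(("file_sharing_dns", host, [query]))
    return findings


def scan(lines):
    """Run analyze_event over JSON-lines telemetry and collect all findings."""
    findings = []
    for line in lines:
        findings.extend(analyze_event(json.loads(line)))
    return findings


def correlate(findings):
    """Hosts showing both an rclone transfer and a file-sharing DNS lookup."""
    by_host = {}
    for name, host, _ in findings:
        by_host.setdefault(host, set()).add(name)
    return {h for h, names in by_host.items()
            if {"rclone_transfer", "file_sharing_dns"} <= names}


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print("hosts with combined exfiltration pattern:", correlate(results))
```

The per-host correlation is the useful part: a lone rclone execution may be legitimate backup tooling, whereas rclone transferring to a remote on a host that is also resolving a public file-sharing service is a much stronger signal and a reasonable trigger for an incident-response check.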


The group was behind attacks on the NHS vendor Advanced, which affected 16 customers in the health and social care sector; the German auto parts company Continental; the IT firm Accenture; the UK’s Royal Mail; and many more. In December 2022, a LockBit affiliate attacked The Hospital for Sick Children (SickKids) in Toronto. The group issued an apology for the attack, provided a free decryptor, and claimed the affiliate was kicked out for violating its terms and conditions, which prohibit attacks on “medical institutions” where attacks could result in death, including cardiology centers, neurosurgical departments, and maternity hospitals. The group does, however, permit attacks on pharma firms, dentists, and plastic surgeons. These policies are not always enforced, as LockBit affiliates have conducted attacks on hospitals in the past where free decryptors were not provided, such as the attack on the Centre Hospitalier Sud Francilien (CHSF) in France.

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued a threat brief about LockBit 3.0 in December 2022 in response to known attacks on the Healthcare and Public Health (HPH) sector, and despite the group’s claims, HC3 believes LockBit 3.0 poses a threat to the HPH sector. The joint cybersecurity advisory from the FBI, CISA, and MS-ISAC provides details of the latest tactics, techniques, and procedures (TTPs) associated with the group, Indicators of Compromise (IoCs) and other technical information for network defenders, and recommended mitigations for improving cybersecurity posture.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
