Threat Intelligence 101

What is LockBit Ransomware?

Posted: 25th November 2024
By: Esteban Borges

LockBit ransomware, the most deployed ransomware variant in the world, is attacking organizations and governments globally. Since 2020 it has been using the Ransomware-as-a-Service model. This article covers its operations, key players, major attacks and how to protect against it.

Quick Facts to Know

  • Law enforcement agencies through Operation Cronos have taken down the LockBit ransomware group, including arrests, freezing of cryptocurrency accounts and seizing of servers and websites associated with the group.
  • LockBit ransomware uses the Ransomware-as-a-Service (RaaS) model and targets a wide range of sectors including government organizations, with advanced and self-propagating variants like LockBit 3.0 and LockBit Green.
  • Key players in the LockBit group including leader Dmitry Yuryevich Khoroshev and affiliates Mikhail Matveev and Mikhail Vasiliev are facing legal actions, with sanctions to disrupt their financial networks and to deter further ransomware activities.
  • Sanctions on ransomware payments matter. OFAC considers certain actions as mitigating factors in enforcement actions involving ransomware payments with a sanctions nexus. Ransomware victims should report attacks to relevant government agencies and comply with sanctions applicable to virtual currency.

LockBit Ransomware

First appearing on Russian-language cybercrime forums in January 2020, LockBit ransomware is now a major player in the ransomware world. In fact, it was the 3rd most frequent ransomware variant in the United States at the end of 2023.

Using the Ransomware-as-a-Service (RaaS) model, LockBit recruits affiliates to do the attacks, making it a decentralized and highly effective operation. This model has made LockBit the most active ransomware group globally, targeting critical infrastructure sectors and government organizations.

LockBit was behind 9.4% of worldwide ransomware attacks in 2023, and it has only evolved with more advanced ransomware variants being released. LockBit 3.0, also known as LockBit Black, was released in March 2022, with more features and better encryption. Not stopping there, LockBit Green, a ransomware variant that includes Conti ransomware code, was released in January 2023, making LockBit the top threat in the ransomware landscape.

There is no sector limit to LockBit ransomware attacks. Affiliates using LockBit have attacked financial services, healthcare and transportation sectors, causing significant disruption and financial loss. Unlike many other ransomware groups, LockBit targets enterprises and government organizations and not individual users, making their attacks more critical. LockBit is a priority for global law enforcement.

LockBit Group Players

Dmitry Yuryevich Khoroshev, also known as ‘LockBitSupp’, is the leader of the LockBit ransomware group. This Russian national is involved in the group’s operations, performing operational and administrative roles, earning from the group’s ransomware attacks, upgrading infrastructure, recruiting new developers and managing affiliates. Khoroshev is the key to LockBit.

Artur Sungatov and Ivan Kondratyev, who deploy LockBit against many victims in the US, support Khoroshev. Their expertise and coordination have made the LockBit group very effective and able to reach and impact more victims. Another notable member is Ruslan Magomedovich Astamirov, a Russian national in custody awaiting trial for LockBit activity.

Mikhail Matveev and Mikhail Vasiliev are also part of the LockBit crew. Matveev also goes by the aliases ‘Wazawaka’ and ‘m1x’ and is charged with attacking many US victims including the Washington, D.C. Metropolitan Police Department. Vasiliev is a dual Russian-Canadian national charged for his involvement in the LockBit ransomware group and is awaiting extradition to the US. The arrest and prosecution of these individuals is a big win in the fight against ransomware.

Operational TTPs

LockBit uses stealthy and destructive operational TTPs. Initial access is typically gained by exploiting network weaknesses, phishing or brute-force attacks. Once inside, the ransomware actors use post-exploitation tools to escalate privileges and gain attack-ready access to and control over critical systems.

The ransomware’s ability to self-propagate within the organization without manual intervention is one of its most dangerous features. LockBit spreads using Windows PowerShell and Server Message Block (SMB) and can infect multiple systems quickly. Recent updates to LockBit have added features to disable administrative permission checkpoints and steal server data, making it more destructive.

Before dropping the encryption payload, LockBit disables security software and other infrastructure that could aid in system recovery, leaving victims with little choice but to pay the ransom. LockBit leaves ransom notes in every system folder with instructions and threats to publish the stolen data if the ransom is not paid, and it uses that stolen data to pressure victims further by threatening to post it on leak sites. These are the meticulous and brutal tactics of LockBit ransomware.
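As an added example (not from the original article), the following Python flags a file name that has been dropped into nearly every directory under a root, the pattern the mass ransom-note drop described above leaves behind on disk; the note name RESTORE-MY-FILES.txt, the sample tree layout and the thresholds are constructed assumptions, not real LockBit indicators.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

def find_mass_dropped_files(root, min_ratio=0.8, min_dirs=3):
    """Return {file name: number of directories containing it} for names present
    in at least min_ratio of the directories under root. The thresholds are
    assumptions chosen for this example, not values from the article."""
    dir_count = 0
    name_hits = Counter()
    for _dirpath, _dirnames, filenames in os.walk(root):
        dir_count += 1
        for name in set(filenames):  # count each name at most once per directory
            name_hits[name] += 1
    if dir_count < min_dirs:  # too few directories to call anything "mass-dropped"
        return {}
    return {name: hits for name, hits in name_hits.items()
            if hits / dir_count >= min_ratio}

def build_sample_tree(base, with_note):
    """Constructed sample tree: ordinary files in a handful of directories; when
    with_note is True, an invented placeholder note is written into every directory."""
    base = Path(base)
    layout = {
        "docs": ["readme.md", "guide.md"],
        "docs/api": ["endpoints.md"],
        "src": ["main.py", "util.py"],
        "src/tests": ["test_main.py"],
        "data": ["q1.csv"],
    }
    for rel, files in layout.items():
        d = base / rel
        d.mkdir(parents=True, exist_ok=True)
        for f in files:
            (d / f).write_text("sample content\n")
    if with_note:
        for dirpath, _, _ in os.walk(base):
            (Path(dirpath) / "RESTORE-MY-FILES.txt").write_text("placeholder note\n")

def demo(with_note):
    # Build a fresh sample tree in a temp dir and run the detector on it.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, with_note)
        return find_mass_dropped_files(tmp)

if __name__ == "__main__":
    print("clean tree:", demo(False))     # {}
    print("tree with note:", demo(True))  # {'RESTORE-MY-FILES.txt': 6}
```

The same check works on a real file share by pointing find_mass_dropped_files at its root; a legitimate file rarely appears in 80% of all directories, so hits are worth triage.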

Notable LockBit Ransomware Attacks

Several high-profile and destructive LockBit attacks have made the LockBit ransomware group notorious. In fact, there were 175 reported LockBit ransomware attacks that targeted critical infrastructure in the United States in 2033.

In January 2023, LockBit attacked Royal Mail, crippled international mail delivery and several online services. This attack showed they can cause widespread operational disruption to millions of people.

In November 2023, LockBit exploited the Citrix Bleed vulnerability (CVE-2023-4966) and hit over 10,000 servers worldwide. Among the notable LockBit victims of this attack were Boeing and the Industrial and Commercial Bank of China. The scale and precision of this attack showed LockBit can use vulnerabilities to devastating effect.

Another big attack happened in November 2023 when LockBit attacked DP World Australia. This attack disrupted logistics operations and left about 30,000 containers stranded in Australian ports and caused significant economic losses. And in 2021 and 2022 LockBit was the most active ransomware to target Australia.

These high-profile incidents show the wide reach of LockBit ransomware and the need for stronger cybersecurity.

Law Enforcement Against LockBit

International law enforcement agencies launched Operation Cronos to take down the LockBit ransomware group and the cyber criminals behind it. The operation involved key partners such as the National Gendarmerie of France, the FBI, the Australian Federal Police and other international partners. The collaborative nature of this operation shows the global fight against ransomware.

Operation Cronos has resulted in:

  • Arrest of 2 LockBit actors in Poland and Ukraine
  • Additional arrest warrants and indictments issued by French and US authorities
  • Freeze of over 200 cryptocurrency accounts linked to LockBit, cutting off their funding

This has crippled LockBit in many ways.

Apart from arrests and financial sanctions, Operation Cronos has resulted in the seizure of several public-facing websites and the takedown of 34 LockBit servers in several countries including the Netherlands, Germany and the US. The NCA’s infiltration of the group’s network and control of its services, including its leak site on the dark web, is a big win for law enforcement. This has severely limited LockBit’s capability to attack.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Dmitry Yuryevich Khoroshev, the leader of the LockBit ransomware group, a big blow to the group. These sanctions freeze all of his property and interests in property within the US and prohibit US persons from dealing with Khoroshev. This disrupts the financial networks that support ransomware and deters further criminal activity.

The broader impact of these sanctions goes beyond financial restrictions. They are a warning to other cybercriminals and ransomware groups that they will not go unpunished. The goals of these sanctions are to:

  • Change behavior
  • Reduce ransomware attacks
  • Protect critical infrastructure and organizations from future threats

For Organizations

Here are some steps to mitigate the risk of ransomware. Update operating systems, software applications and firmware regularly to keep systems patched against known vulnerabilities. Segment networks into separate zones with firewalls and access controls to limit the spread of ransomware within the organization.

Implement these to reduce the spread of ransomware through privileged accounts and data theft:

  • Principle of least privilege: Grant users only what they need to do their job.
  • Regular backups of critical data: Backups should be automated, encrypted and tested for integrity to ensure recovery in case of attack.
  • Cybersecurity awareness training: Train employees to recognize phishing and social engineering tactics, which are the initial entry point for much ransomware.

Having an incident response plan is key for organizations to respond to ransomware attacks. This plan should outline the steps to contain, eradicate and recover from an attack, and a communication strategy for stakeholders and law enforcement. By doing these things, organizations can harden their defenses and minimize the impact of potential ransomware incidents.

How to Track and Mitigate LockBit Ransomware?

Staying ahead of ransomware groups like LockBit requires comprehensive visibility and actionable intelligence across the entire attack lifecycle. At Recorded Future, we enable this through our end-to-end ransomware defense capabilities that combine real-time risk profiling, supply chain monitoring, and detailed threat actor research.

Our Ransomware Mitigation solution identifies your most vulnerable assets and critical exposure points while continuously monitoring ransomware incidents affecting your industry, geography, and business ecosystem. Through our research division Insikt Group, we provide constantly updated intelligence on ransomware groups' tactics and exploited vulnerabilities. All of this intelligence can be automatically compiled into customized reports tailored for different stakeholders in your organization using Recorded Future AI Reporting.


[Figure: Ransomware Risk Profile]

This comprehensive approach helps security teams identify risks early and implement targeted defenses before ransomware attacks can impact their organization. Ready to take a proactive approach to ransomware defense? Book a demo today.

Reporting and Response Protocols

Reporting ransomware incidents to government agencies is part of the response process. Victims should notify agencies like FBI, CISA and US Secret Service so the incident can be documented and support can be given.

The FBI’s Internet Crime Complaint Center (IC3) is the bureau’s platform for reporting suspected cybercrime, gathering intelligence and coordinating responses.

An incident response plan should have:

  1. Preparation
  2. Identification
  3. Containment
  4. Recovery

Gal Shpantzer, a leading cybersecurity expert, says:

“With ransomware, you’re not dealing with threat actors that are slow-moving confidentiality attackers. Rather, they are aiming to fully deny availability, whether it’s for money or just to destroy property and make it difficult to restore.”

Rapid identification and containment of a ransomware attack are key to minimizing the impact. Isolate affected systems and disable network shares to prevent the malware from spreading. Coordinate with law enforcement and regulatory bodies to ensure all necessary steps are taken to manage the incident.

Ransomware Threats in the Future

Global attacks increased by 84% in 2023 alone. The number of threat actors and their tools is growing, and ransomware is a persistent and evolving threat. The Industrials, Consumer Cyclicals and Technology sectors were targeted, and North America, Europe and Asia were the most affected regions.

Geopolitical conflicts and hacktivists threaten national infrastructure and add another layer to the ransomware landscape. Governments worldwide are concerned about these threats, including ransom payments, and are taking action through initiatives like the Counter Ransomware Initiative to enhance international cooperation and harden defenses against ransomware. One of the tools to mitigate these cyber threats is to use a virtual private network.

As LockBit and other ransomware groups evolve and adapt, organizations and governments must stay ahead and proactive. By knowing their tactics and techniques and having strong cybersecurity we can all minimize the impact of future ransomware incidents.

FAQ

Who is the leader of the LockBit ransomware group?

The leader of the LockBit ransomware group is Dmitry Yuryevich Khoroshev aka LockBitSupp. He has an operational and administrative role in the group.

Notable attacks by LockBit?

LockBit attacked Royal Mail in January 2023, exploited Citrix Bleed vulnerability in November 2023 on Boeing and Industrial and Commercial Bank of China and DP World Australia.

What has been done to LockBit?

Operation Cronos has been launched and resulted in arrests, server takedowns and freezing of over 200 cryptocurrency accounts of LockBit. This has disrupted the group’s operations.

How can organizations protect themselves from ransomware?

Organizations can protect themselves from ransomware by updating systems, segmenting networks, implementing least privilege access, doing cybersecurity awareness training and having an incident response plan. This will minimize the risk of being hit by ransomware.

What’s next?

More global attacks targeting specific industries and regions, and more government action against ransomware. So take cybersecurity more seriously.

Conclusion

In summary, the LockBit ransomware group is one of the most feared in the cybercrime world, using sophisticated tactics and techniques to cause chaos. But international law enforcement efforts like Operation Cronos have made a big dent in its operations and brought culprits to justice. Sanctions and legal actions show the global resolve against ransomware.

Moving forward, let’s not forget to have strong cybersecurity and incident response plans. By staying informed and vigilant, organizations can protect themselves from ransomware. Let’s make justice prevail over cybercrime.

Staying ahead of emerging threats is crucial for safeguarding your organization. Recorded Future offers actionable intelligence to help you stay vigilant and prepared. Book a demo today and fortify your cybersecurity strategy against ransomware.

Esteban Borges

Esteban is an IT professional with over 20 years of experience, specializing in hardening systems and networks, leading blue team operations, and conducting thorough attack surface analysis to bolster cybersecurity defenses. He's also a skilled marketing expert, specializing in content strategy, technical SEO, and conversion rate optimization. His career includes roles as Security Researcher and Head of Marketing at SecurityTrails, before joining the team at Recorded Future.