What is LockBit?
LockBit is a ransomware group that emerged in 2019 and is known for using the ransomware-as-a-service model to extort money from organizations. According to Wikipedia, “LockBit first appeared in September 2019 and is believed to be related to the ransomware family known as Ryuk” (https://en.wikipedia.org/wiki/Lockbit). The cybersecurity firm BlackBerry describes LockBit as considering itself the “Robin Hood” of ransomware groups, often targeting large corporations and government agencies (https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/lockbit).
LockBit operates by gaining access to a victim’s network, encrypting their files and databases, and demanding a ransom payment in cryptocurrency in exchange for decryption. According to Securin, “The group claims that after each successful attack, they publish data stolen from the victim on their leak site” (https://www.securin.io/articles/all-about-lockbit-ransomware/). LockBit has leaked sensitive data from numerous high-profile companies after ransom demands were not met, including technology firms, healthcare organizations, retailers, and more.
How LockBit Operates
LockBit primarily operates through an affiliate model, where they rely on a distributed network of cybercriminals to distribute their ransomware and carry out attacks (1). The threat actors behind LockBit develop the ransomware malware and run the infrastructure, while affiliates are responsible for gaining initial access to victim networks and deploying the ransomware.
Affiliates receive a percentage of any ransom payments, with LockBit typically taking 20-30% as their cut. This model allows LockBit to scale up attacks dramatically compared to a centralized ransomware operation (2). They leverage the skills and resources of their affiliate network to maximize the number of targets.
LockBit heavily focuses on targeting corporations, organizations, and government agencies rather than individual consumers. Their ransom demands are often in the millions of dollars (3). Once LockBit affiliates successfully deploy the ransomware and encrypt files, the victims receive a ransom note threatening to publish the stolen data on LockBit’s leak site if the ransom is not paid.
(1) CISA Advisory on LockBit Ransomware
(2) CyberNews article on sustainability of LockBit model
(3) LinkedIn article on joining LockBit affiliate program
LockBit Leak Sites
LockBit leak sites are where the ransomware operators publish stolen data from victims who refuse to pay the ransom. These sites serve as leverage to pressure organizations into paying the ransom in order to avoid having sensitive data exposed publicly.
The leak sites are hosted on Tor or other dark web infrastructure to make takedowns more difficult. Recently, LockBit used these sites to publish data allegedly stolen from Boeing, including employee names, locations, and some proprietary documents (Cybernews, 2023). Prior to leaking, LockBit posted samples of Boeing data and threatened to release more if the ransom wasn’t paid.
Other major ransomware gangs like Conti and REvil have also utilized leak sites to increase the impact of their extortion tactics. But cybersecurity experts warn that there are no guarantees data won’t still be leaked even after ransom is paid (Gridinsoft, 2023).
Recent LockBit Leaks
LockBit ransomware has been highly active in 2022 and 2023, targeting numerous high-profile organizations and claiming to have stolen terabytes of sensitive data. Some of their most notable recent leaks include:
In September 2022, LockBit leaked data allegedly stolen from the global consulting firm Accenture. They claimed to have over 6 terabytes of data including financial information, client contracts, and other confidential documents. Accenture did not confirm the breach.
In December 2022, LockBit leaked over 200 gigabytes of data stolen from the cybersecurity company Palo Alto Networks. The leaked data contained source code, software builds, admin credentials and more. Palo Alto Networks confirmed the data breach.
In January 2023, LockBit claimed to have stolen over 1 terabyte of data from Okta, an identity management software provider. The leaked data allegedly contained highly sensitive information on thousands of Okta’s customers. Okta denied that any new breach took place.
These major leaks showcase LockBit’s capabilities to infiltrate large organizations and exfiltrate huge troves of proprietary and confidential data. The group continues to ramp up pressure on victims by threatening to leak data if extortion demands are not met.
Impact of Leaks
Ransomware attacks and data leaks from platforms like LockBit can have significant consequences for victim organizations. According to JPMorgan, major impacts can include revenue loss, reputational damage, and loss of trust.
One of the most damaging effects of leaks is significant reputational damage. When a company’s data is leaked publicly, especially sensitive customer or employee data, it undermines trust in that organization’s ability to protect information. This loss of reputation can be difficult to recover from.
Closely tied to reputational damage is the loss of customer and partner trust. According to research from Metacomppliance, 93% of organizations said loss of customer trust was a consequence of a data breach. When data leaks occur, customers often lose faith in the organization to keep their data safe. This makes them less likely to want to do business with that company.
Finally, data leaks like those enabled by LockBit may lead to potential compliance violations. Depending on the type of data exposed, there could be violations of regulations like HIPAA for health data or GDPR for private EU citizen data. These violations can lead to heavy fines and further reputation damage.
Defending Against LockBit
There are several key strategies organizations can employ to defend against LockBit ransomware attacks:
Backup Critical Data – Regularly backing up important files and data is crucial to recover from a ransomware attack. Backups should be stored offline and tested regularly [1].
Use Antivirus and Endpoint Detection – Install and run anti-malware, antivirus and endpoint detection software across all systems. This can identify and block many ransomware variants [2].
Employee Cybersecurity Training – Educate employees on ransomware risks and prevention strategies through cybersecurity awareness training. This helps avoid employees accidentally enabling an attack.
Patch and Update Systems – Keep all software, applications, and operating systems fully updated with the latest patches. Out-of-date systems are vulnerable to exploits [3].
Dealing with a LockBit Attack
When faced with a LockBit ransomware attack, the first step is to immediately isolate infected systems. According to the Ransomware Response Checklist from CISA, affected devices should be disconnected from networks in order to prevent further spread of the malware https://www.cisa.gov/ransomware-response-checklist.
Secondly, contact law enforcement to report the attack and seek assistance. The FBI and Secret Service often provide support and guidance for ransomware response.
Paying the ransom should only be considered as a last resort if backup restoration is not possible. Before agreeing to pay, organizations should carefully evaluate if payment will actually result in decrypted files. There are also ethical considerations around funding criminal operations.
The most effective recovery method is to restore data from clean backups that were created prior to the infection. Regular offline backups are critical to implement both before and after a ransomware event. According to CISA guidance, rebuilding systems from scratch based on prioritization of critical services is recommended over attempting to disinfect after a major attack https://www.cisa.gov/stopransomware/ive-been-hit-ransomware.
LockBit’s Cryptocurrency Wallets
LockBit ransomware demands payment in cryptocurrency, typically Monero (XMR) or Bitcoin (BTC). After encrypting a victim’s files, LockBit provides instructions for paying the ransom in cryptocurrency to decrypt them. The ransom amounts vary but can be millions of dollars for large organizations.
Researchers are able to track cryptocurrency wallets associated with the LockBit group by analyzing ransom payments and transactions. This enables estimates of the total ransom payments received by LockBit. For example, one analysis identified around $100 million in payments to LockBit in 2022 based on observed activity across 125 LockBit-associated wallets.
While Monero offers more anonymity, Bitcoin transactions are public which allows better tracing. LockBit seems to prefer Bitcoin but will offer Monero as an option. The public ledger has provided valuable intelligence into LockBit’s operations and scale.
Future Outlook
LockBit is likely to continue evolving its tactics in order to maximize the impact of its attacks. Some predictions for LockBit’s future activities include:
Continued evolution of tactics – LockBit has already demonstrated its ability to refine its techniques, for example by compromising legitimate tools like FTA and VSA to distribute malware. We will likely see LockBit continue to adapt methods like initial access vectors, anti-detection techniques, and encryption to stay ahead of defenders.
Targeting of critical infrastructure – The targeting of organizations like Costa Rica’s government networks shows a willingness to disrupt critical systems and infrastructure. Healthcare, energy, and other key industries could be future targets.
Increased ransom demands – As LockBit compromises larger and more lucrative targets, their ransom demands are likely to increase. The gang has already demanded some of the largest known ransom amounts, but future attacks may attempt even higher extortion.
To counter these likely developments, organizations should ensure robust security awareness training, maintain updated backups offline, implement defense-in-depth protections, and establish incident response plans. Staying vigilant and continuing to monitor LockBit’s TTPs will also help security teams detect and respond quickly to attacks.
Summary
In summary, LockBit ransomware has emerged as one of the most aggressive and damaging ransomware operations in recent years. Through its ransomware-as-a-service model, LockBit enables cybercriminal affiliates to carry out targeted ransomware attacks on organizations and leak sensitive data if ransom demands are not met.
LockBit leak sites on the dark web publicly post stolen victim data, amplifying the damage of attacks. Major companies around the world across all industries have already fallen victim to LockBit, with the gang raking in millions in cryptocurrency ransom payments.
LockBit is likely to remain a severe cyber threat for years to come given its technical sophistication and profitability for criminals. Organizations must take ransomware resilience seriously and implement comprehensive security strategies to defend against, detect, and respond to LockBit attacks before they cripple operations.
Having an incident response plan in place for a potential LockBit attack, including communication plans and data restoration procedures, is critical. Staying vigilant and keeping security defenses updated will also reduce vulnerability. But if hacked, acting quickly after detection and leveraging specialist support can help mitigate the damage of LockBit’s malicious leaks and extortion.