Joint cybersecurity advisory warns of LockBit ransomware threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and cybersecurity authorities from Australia, Canada, the United Kingdom, Germany, France, and New Zealand have issued a cybersecurity advisory regarding the LockBit ransomware.
The joint advisory, titled “Understanding Ransomware Threat Actors: LockBit,” includes a list of about 30 freeware and open-source tools frequently used by LockBit actors. It also describes over 40 tactics, techniques, and procedures (TTPs) used by LockBit actors, mapped to the widely recognized MITRE ATT&CK framework, and lists the common vulnerabilities and exposures (CVEs) they frequently exploit.
The advisory contains information on the evolution of LockBit RaaS (Ransomware as a Service) as well as worldwide trends and data. It lists a variety of tools and services available from the authoring agencies, along with mitigations recommended to strengthen defenses against LockBit’s global operations. It goes on to confirm Malwarebytes’ findings, identifying LockBit as the most active Ransomware-as-a-Service operator. The regular Malwarebytes Ransomware Reviews generally rate LockBit as the top threat in terms of victim numbers, although Cl0p appears as a close challenger.
According to the advisory, LockBit has been one of the most active ransomware groups in recent months. In 2022, it was responsible for more than 18% of total reported ransomware incidents in Australia, 22% in Canada, and 23% in New Zealand. In the United States, LockBit was involved in 16% of attacks on critical services, including municipal and county governments, public higher education, K-12 schools, and law enforcement agencies.
The tactics, techniques, and procedures (TTPs) used by LockBit affiliates vary significantly as a result of their decentralized and disconnected nature. This heterogeneity is a significant challenge for companies attempting to maintain effective network security and protect against the multidimensional ransomware threat posed by LockBit. The advisory also dives into the complex mechanics of trust inside the RaaS paradigm. Working with anonymous criminals requires a high level of mutual trust, which may explain why other RaaS operators, such as DarkSide and Avaddon, have shut down.
The sources for this piece include an article in Malwarebytes.