The cyber threat landscape has undergone many shifts in the past year, from the involvement of ransomware cyber gangs in hacktivist activity during the war between Russia and Ukraine, to the disappearance from the scene of the most prolific ransomware groups. These include DarkSide, the hacker group behind the Colonial Pipeline attack, which decided to cease its operation in May 2021, and REvil, once of the most active ransomware groups which was responsible for the attack on the software company Kaseya. In July 2021, REvil suddenly disappeared from the internet, after receiving significant attention from law enforcement. One of the groups that has been active since 2019, and continues to grow regardless of the shifts in the cyber threat landscape is the LockBit gang.
Who is LockBit?
The LockBit gang, previously known as ABCD, is the operator of the ransomware LockBit, LockBit 2.0, and LockBit 3.0, which was released in June 2022 as part of the group’s new campaign. Their ransomware operation, first launched in 2019, has grown to be one of the most active and impactful operations. LockBit, which works as a Ransomware-as-a-Service (RaaS) model, recruits affiliates in underground forums in order to launch prolific attacks. It appears that the group only accepts to work with experienced and technically proficient affiliates. According to researchers, by May 2022, LockBit 2.0 accounted for 46% of all the ransomware attacks occurred in 2022.
In their attacks, LockBit operators leverage double extortion techniques, threatening victims of leaking the compromised data, to pressure them into paying the ransom. The gang has also been observed performing triple extortion, by launching DDoS attack targeting the victims’ infrastructure to render it unavailable and ensure the victims will pay. LockBit is a financially motivated actor, and it has launched attacks on victims across different sectors, including professional services, construction, retail, manufacturing, and the public sector. While the cybercrime group is responsible for attacks around the world, the majority of its victims are located in the US, Italy and Germany. Similarly, to other ransomware groups, it appears that the LockBit ransomwares avoid targeting systems that are set in Eastern European languages.
LockBit 3.0
Following the release of LockBit 2.0 in March 2022, the LockBit gang unveiled a new variant of the ransomware in June 2022, naming it LockBit 3.0. This coincided with the launch of group’s new data leak site on Tor, and the beginning of the first bug bounty program offered by a cybercrime group. According to cybersecurity experts, the new LockBit 3.0 ransomware displays new capabilities, in particular obfuscation features. These features allow the malware to slow down and even prevent reverse engineering, hence making it more difficult for researchers to be able to analyse the malware. Researchers have noticed that the ransomware’s code share similarities with the BlackMatter ransomware, hence where LockBit 3.0’s nickname, LockBit Black, takes its name from.
As part of its bug bounty program, the LockBit group invites security researchers, in addition to ethical and unethical hackers, to discover bugs and vulnerabilities in their ransomware, and report them to the group. For this, the LockBit gang offers rewards ranging from $1000 to $1 million. The program also encourages hackers and researchers to submit “brilliant ideas” that will improve the ransomware operation, in exchange for a reward. The LockBit gang is also offering a $1 million reward to anyone who will be able to dox the groups’ affiliate program manager.
Recent attacks
In one of its latest attacks, LockBit claims to have compromised Italy’s tax agency, L’Agenzia delle Entrate (AdE). The gang, which had given the AdE until the 1st August to pay the ransom, published 47GB of compromised data on the 3rd August as the ransom was not paid. From a first analysis of the leaked data it does not appear that it belongs to the Italian tax agency, but rather to a third entity. This would be in line with the statement provided by Sogei SPA, the state-funded organisation that manages the IT infrastructure of the AdE, which claims that there is no evidence of unauthorised access to the systems of the Italian tax agency. Similarly, Roberto Baldoni, the director of Italy’s national cybersecurity agency, stated that the attack did not hit the AdE.
The LockBit gang has proven once again its resilience, and its ability to evolve and improve its criminal operation, in a moment when other prolific ransomware groups have disappeared from the underground scene. Cybersecurity researchers warn that the group will continue to launch damaging attacks to companies across the world.
Reference list:
https://cybernews.com/news/lockbit-2-0-listed-a-whopping-203-victims-on-its-data-leak-site/
https://www.darkreading.com/attacks-breaches/lockbit-3.0-improved-malware-gang-top
https://edition.cnn.com/2021/07/13/tech/revil-ransomware-disappears/index.html
https://techmonitor.ai/technology/cybersecurity/italy-ransomware-lockbit-tax-office
https://unit42.paloaltonetworks.com/lockbit-2-ransomware/
https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbit-ransomware-group/
News of the latest cyberattack comes from Italy, where on the afternoon of the 20th October it was disclosed that SIAE, the Italian Society of Authors and Publishers, was targeted by a ransomware attack. SIAE, which was founded in 1882, is the Italian copyright collecting agency for artists in different areas of the entertainment industry, including television, music, theatre, visual arts and literature, and aims to guarantee that artists receive the right remuneration for their work.
Read moreThe cyberattack that at the beginning of May targeted and caused the shutdown of the Colonial Pipeline, the largest fuel pipeline in the US, was a powerful example of the threat posed by the rising number of ransomware attacks, and the detrimental effect they can have not only on businesses but on national critical infrastructure.
Read moreEvil Corp, a notorious Russian cybercrime group, has been hit with sanctions by the UK, US, and Australia following their involvement in ransomware attacks. The group is also known for its connections to the Russian Government. Recent international efforts, including Operation Cronos, aim to disrupt their activities and weaken their influence on the global ransomware industry.
Read moreRansomware is continuously developing and becoming more and more sophisticated. It isn’t going anywhere anytime soon, but where did it come from? Where did it go? And how has it evolved?
Read moreThe rise of cybercrime in recent years has been staggering. This article explores the actions and strategies employed by governments to protect citizens and institutions from the ever-evolving digital underworld.
Read moreThe growing number of Internet of Things devices, set to reach 30 billion in 2025, offers many advantages, but also raises concerns over the possibility of cybersecurity risks. Read more about IoT vulnerabilities.
Read moreIn this modern world there is an app for everything. Easy access to a variety of free apps for our smartphones and tablets, with millions available on the Google Play Store*, gives cybercriminals an opportunity to find new ways of infiltrating our devices and getting hold of sensitive data. Since bad actors have established methods to get past the Google Play Store’s security scans put into place to protect its users, deceptively innocent looking applications containing malware known as droppers have entered the scene.
Read moreis perpetrated. In this article, we will take you through some key points which illustrate the direction that cybercrime is taking. This might help to inform users about the types of attacks we can expect throughout the rest of 2023.
Read morePlease fill in the form below (fields with * are mandatory) and we will respond to your request as soon as possible!