CISA Advisory On LockBit: $91 Million Extorted From 1,700 Attacks Since 2020
- by Tech Today News
- Posted on June 16, 2023
A new advisory from a consortium of international organizations, including the Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center, details incidents involving LockBit, the most prevalent ransomware since 2022, and recommends mitigations. The growing numbers of hybrid workers are creating even more vulnerabilities, with smaller companies particularly vulnerable. Jump to: LockBit — a ransomware-as-a-service operation that has extorted $91 million from some 1,700 attacks against U.S. organizations since 2020, striking at least 576 organizations in 2022 — gives customers a low-code interface for launching attacks. The cybersecurity advisory noted that LockBit attacks have impacted the financial services, food, education, energy, government and emergency services, healthcare, manufacturing and transportation sectors. The advisory, which uses the MITRE ATT&CK Matrix for Enterprise framework as a basis for understanding LockBit’s kill chain, reports the operation differs from other RaaS players because it: In a May 2023 study on the professionalization of ransomware, cybersecurity firm WithSecure noted the RaaS model LockBit uses is a service-oriented system; just like legitimate software: it creates tools, infrastructure and operating procedures — “playbooks” — and sells access to these tools and services to other groups or individuals. SEE: Tools are improving, but so are cyberattacks, per a Cisco study (TechRepublic) Sean McNee, the vice president of research and data at internet intel firm DomainTools, said the LockBit group continuously updates the software, as a legitimate operation would, even releasing a bug bounty program for the software. “As the ransomware-as-a-service model continues to evolve, we see groups competing for top affiliates to their services,” he said, adding that LockBit has worked to increase the scope and breadth of attacks through professionalization around their affiliate network, including actively advertising in online forums. Operators like LockBit are quickly adapting and pivoting to new business opportunities to leverage the disruption in the ransomware space to their advantage. This is a trend we fear will continue in 2023.” “The RaaS system lowers the barrier to entry, allowing new entrants to the scene to benefit from the expertise of established actors while also allowing established actors to take a cut of the profits of all of the customers who are using their service,” said the authors of the WithSecure paper, including the firm’s threat intelligence analyst Stephen Robinson. “As is the case with legitimate service providers, the possible profits are much higher — individuals’ time can only be sold once, whereas expertise is packaged as a service, it can be sold repeatedly without particularly increasing costs,” wrote the WithSecure paper authors. While WithSecure’s report noted, as did the advisory, that LockBit affiliates pay a fee for access to the source group and the source group takes a percentage of any ransom paid, the operators’ attacks, modus operandi and targets vary greatly. In the U.S. last year, LockBit constituted 16% of state and local government ransomware incidents reported to the MS-ISAC, including ransomware attacks on local governments, public higher education and K-12 schools and emergency services. SEE: Ransomware attacks skyrocket (TechRepublic) The cybersecurity advisory noted that, starting last April through the first quarter of this year, LockBit made up 18% of total reported Australian ransomware incidents, and that it was 22% of attributed ransomware incidents in Canada last year. WithSecure’s May 2023 ransomware study noted that LockBit’s major victims in Europe included the German auto-parts manufacturer Continental, the U.S. security software company Entrust and the French technology company Thales. Since LockBit engages in double extortion-style attacks, in which attackers using the ransomware both lock databases and exfiltrate personally identifiable information with threats to publish unless paid, data leak sites are a prominent element in the threat group’s RaaS exploits. The advisory reported 1,653 alleged victims on LockBit leak sites through the first quarter of 2023. In addition, the advisory noted that, because leak sites only show the portion of LockBit victims subjected to extortion who refuse to pay the primary ransom to decrypt their data, the sites reveal only a slice of the total number of LockBit victims. “For these reasons, the leak sites are not a reliable indicator of when LockBit ransomware attacks occurred,” said the advisory’s authors, noting the data dump onto leak sites may happen months after the ransomware attacks that generated the information. WithSecure noted that LockBit, in June 2020, began the “Ransom Cartel Collaboration” with fellow groups Maze and Egregor, which included the sharing of leak sites. The advisory’s authors suggested organizations take actions that align with a set of goals developed by CISA and the National Institute of Standards and Technology, constituting minimum practices and protections. In the advisory, the suggestions are listed by kill chain tactic as delineated by MITRE ATT&CK, with the earliest point in the kill chain appearing first. The advisory pointed to three main kill chain events: To address mitigating initial access, the advisory suggested organizations use sandboxed browsers to protect systems from malware originating from web browsing, noting that sandboxed browsers isolate the host machine from malicious code. The authors also recommended requiring all accounts with password logins to comply with NIST standards for developing and managing password policies. Among the other initial access mitigations recommended by the authors:What is LockBit?
How does LockBit’s kill chain differ from other RaaS players?
Saul Goodman of the dark web: LockBit’s act is faux legit
Pay-to-play model lowers the barrier to entry
LockBit’s global reach
Information dumped on data leak sites is not the whole picture
How to defend against LockBit
Mitigations for other events in the LockBit kill chain
Execution
Privilege escalation
Defense evasion
Credential access
Discovery
Lateral movement
Command and control
Exfiltration
Impact
Image: darkfoxelixir/Adobe Stock A new advisory from a consortium of international organizations, including the Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center, details incidents involving LockBit, the most prevalent ransomware since 2022, and recommends mitigations. The growing numbers of hybrid workers are creating even more vulnerabilities, with smaller…