For years, Avertium has diligently monitored the malicious activities of LockBit as they targeted organizations across various countries, including the U.S., the UK, Germany, China, India, France, Ukraine, and Indonesia. Our most recent LockBit threat intelligence report dates back to 2022. Throughout this period, the threat actors exhibited high levels of activity, launching attacks across multiple sectors and global regions. Although their pace momentarily slowed for a few months, they resumed activity in the fall of 2022, notably making headlines for targeting organizations in the IT services and automotive industries.
The LockBit ransomware group, known as one of the most prolific in the world, victimized over 2,000 entities, accumulating ransom payments exceeding $120 million and issuing demands totaling hundreds of millions more.
While other threat actors faced the repercussions of law enforcement, LockBit persisted in its attacks into 2024—until recently. In February 2024, the UK National Crime Agency's Cyber Division, in collaboration with the Justice Department, FBI, and international partners, disrupted LockBit's operations. This intervention involved seizing numerous public-facing websites and control of servers used by LockBit administrators. As a result, LockBit's ability to attack, encrypt networks, and extort victims through data threats was severely impeded.
Despite this significant disruption, there are concerns that LockBit may have developed a new version of their file-encrypting malware just prior to the takedown. This raises the critical question: Has LockBit truly been eliminated, or should the cybersecurity community brace itself for LockBit 4.0?
LockBit is a ransomware-as-a-service (RaaS) operation that has been active since 2019. Historically, LockBit refrained from targeting systems within Russia or the Commonwealth of Independent States, likely as a precaution against law enforcement action.
Among LockBit's notable earlier exploits was the attack on Accenture, a leading global tech consultancy firm, in August 2021. During this incident, the group exfiltrated 6 TB of data and demanded a $50 million ransom. LockBit is known for thorough reconnaissance of its targets, evidenced by Accenture's substantial revenue of $44.33 billion in 2020.
In January 2021, LockBit underwent its first rebranding, emerging as LockBit 2.0. This iteration relied on tools like Windows PowerShell and Server Message Block (SMB) to infiltrate organizations. Additionally, the group became more public-facing, granting multiple interviews. They even advocated for the use of Bitdefender as a defense against ransomware attacks.
During this period, LockBit also found ways to bypass Bitdefender, for example by using the official Bitdefender Uninstall Tool to remove the product and so disable its protection.
In March 2022, LockBit underwent its second rebranding, known as LockBit 3.0. They persisted in targeting various sectors, with approximately one-third of their victims originating from the BFSI (banking, financial services, and insurance) sector. This rebranding introduced new tactics and techniques. The latest ransomware variant encrypted files on victims' machines and appended the extension "HLjkNskOq" to encrypted files.
LockBit 3.0 used sophisticated tactics to prepare for encryption, including stopping and deleting selected services and running WMI queries to enumerate Volume Shadow Copies so they could be removed before encryption, thus hindering restoration attempts. The ransomware also changed victims' wallpapers to signal the compromise and dropped ransom notes instructing payment in Bitcoin, threatening data leaks if demands were not met.
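The shadow-copy enumeration and service-stopping behaviour described above is a good detection point, since it precedes encryption. The following is an added example (not code from the original report or from any vendor) that runs a few simple command-line rules over constructed process-creation events and escalates hosts showing both behaviours; the event shape, rule names and sample commands are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation records in a simplified Sysmon-like shape
# (host, parent image, image, command line); not taken from any real incident.
SAMPLE_EVENTS = [
    ("ws01", "cmd.exe", "WMIC.exe", "wmic shadowcopy delete"),
    ("ws01", "cmd.exe", "net.exe", "net stop vss /y"),
    ("ws02", "powershell.exe", "powershell.exe",
     "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"),
    ("ws03", "cmd.exe", "vssadmin.exe", "vssadmin list shadows"),
    ("ws04", "explorer.exe", "backup.exe", "backup.exe --list-snapshots"),
]

# Detection rules over the command line, mapped to MITRE ATT&CK technique IDs
# (T1490 Inhibit System Recovery, T1489 Service Stop).
RULES = [
    ("wmi_shadowcopy", re.compile(r"wmic(\.exe)?\s+shadowcopy|win32_shadowcopy", re.I), "T1490"),
    ("vssadmin_shadows", re.compile(r"vssadmin(\.exe)?\s+(delete|list)\s+shadows", re.I), "T1490"),
    ("service_stop", re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S+", re.I), "T1489"),
]

def match_rules(cmdline):
    """Return the (rule name, technique) pairs that fire on one command line."""
    return [(name, tech) for name, pat, tech in RULES if pat.search(cmdline)]

def detect(events):
    """Flag every event whose command line matches at least one rule."""
    hits = []
    for host, parent, image, cmdline in events:
        for name, tech in match_rules(cmdline):
            hits.append({"host": host, "image": image, "rule": name, "technique": tech})
    return hits

def prioritised_hosts(events):
    """Hosts showing both shadow-copy tampering and a service stop, i.e. the
    combination the report describes as LockBit 3.0's pre-encryption step."""
    techs = defaultdict(set)
    for hit in detect(events):
        techs[hit["host"]].add(hit["technique"])
    return sorted(h for h, t in techs.items() if {"T1490", "T1489"} <= t)

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("escalate:", prioritised_hosts(SAMPLE_EVENTS))
```

Legitimate backup software can also enumerate shadow copies, so the single-rule hits are triage signals while the combined pattern is what merits escalation.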
In the new extortion model, LockBit 3.0 enabled the purchase of stolen data through its leak site, facilitating downloads via Torrent or direct links based on data size. Additionally, the group initiated a bug bounty program, redirecting victims to a Tor link in ransom notes to access the program, inviting security researchers and hackers to uncover flaws in LockBit's ransomware.
In September 2022, LockBit 3.0 adopted a unique advertising strategy by offering payment to individuals willing to tattoo the LockBit logo on their bodies, citing high demand for the promotion which was set to end by September 11, 2022. Participants were required to make the tattoo permanent and provide a photo of it alongside their bitcoin wallet, with LockBit ultimately compensating over 10 individuals with $1,000 each for their tattoos. Despite its unconventional nature, this approach to advertising was considered cost-effective by security experts.
Boeing (October 2023)
LockBit claimed responsibility for an attack against Boeing on October 27, 2023, listing the company on its data leak site and setting ransom deadlines of November 2 and 10. Following warnings, LockBit released approximately 4 GB of alleged Boeing data on its leak site, threatening further publication if the company did not cooperate and participate in ransom negotiations.
Later, the entire cache of alleged Boeing data, estimated at around 40 GB, was made public. While Boeing confirmed that it was aware of the incident and was investigating, it stated that the event posed no threat to aircraft or flight safety. LockBit was able to breach Boeing by exploiting Citrix Bleed (CVE-2023-4966).
Industrial and Commercial Bank of China (November 2023)
The Industrial and Commercial Bank of China (ICBC), the nation's largest lender, reportedly paid a ransom following a ransomware attack on its U.S. arm, according to a representative of the LockBit ransomware gang. The attack, which disrupted trades in the U.S. Treasury market on November 9, temporarily left ICBC's U.S. broker-dealer owing BNY Mellon $9 billion.
The attack resulted in extensive disruptions, including a corporate email blackout, and forced employees to switch to Google mail. While the market has mostly returned to normalcy, the incident highlighted concerns about the resilience of the Treasury market and the regulatory scrutiny it would face. LockBit, a prominent ransomware threat, has targeted numerous organizations globally, with some choosing to pay ransom to avoid reputational damage or restore systems without digital backups.
EquiLend Holdings (February 2024)
EquiLend Holdings, a New York-based securities lending platform, suffered from a ransomware attack in January, leading to the theft of employee data, as confirmed in breach notification letters sent to affected personnel. While the company initially remained discreet about the incident, LockBit claimed responsibility.
EquiLend later acknowledged the ransomware attack on February 2, reassuring that client transaction data remained untouched. However, employee personally identifiable information (PII) was compromised, including names, dates of birth, and Social Security numbers. EquiLend assured employees of proactive measures, offering two years of free identity theft protection services. Established in 2001 by major global banks and broker-dealers, EquiLend now serves over 190 firms worldwide, providing securities finance marketplace services and multi-asset trading platforms, with transactions exceeding $2.4 trillion monthly.
Bluffing – Fulton County Georgia (February 2024)
Fulton County, Georgia, faced a ransomware threat from LockBit, who threatened to release stolen internal documents unless a ransom was paid. However, county officials denied making any payment or engaging in negotiations, with security experts suggesting LockBit's claims were likely a bluff. Following U.S. and U.K. law enforcement seizing LockBit's servers, the group's credibility was questioned. Despite LockBit's claims that Fulton County had paid the ransom and their data had been deleted, county officials remained adamant about not paying, and no evidence of payment was provided. Security analysts speculate that LockBit's recent actions are attempts to maintain credibility within the cybercrime community, but doubt remains about the validity of their claims.
Right before law enforcement dismantled LockBit’s ransomware operation, the developers were on the verge of releasing a new version of their notorious malware, tentatively named LockBit-NG-Dev or LockBit 4.0. Thanks to collaboration with the UK's National Crime Agency, cybersecurity experts from Trend Micro were able to analyze a sample of the latest LockBit development, revealing its capabilities across multiple operating systems.
The new LockBit variant, currently in development, diverges from previous versions by being written in .NET and compiled with CoreRT, utilizing MPRESS for packing. Trend Micro's analysis shows a JSON-format configuration file detailing various operational parameters, including execution settings, ransom note specifics, unique identifiers, and RSA public key details. While lacking some features found in earlier versions, such as network self-propagation and printing ransom notes on printers, this new encryptor seems to be nearing completion.
Image 1: Decrypted Configuration
Source: Trend Micro
This encryptor supports three encryption modes - "fast," "intermittent," and "full" - using AES for file contents and RSA to protect the AES keys. It also offers custom file or directory exclusion and can obfuscate file names to hinder restoration attempts. Additionally, it includes a self-delete feature that overwrites the contents of LockBit's own executable with null bytes.
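Two of the artifacts described on this page are easy to sweep for on disk: the "HLjkNskOq" extension that LockBit 3.0 appends (mentioned in the 3.0 section above) and the null-byte-filled file left behind by the self-delete routine. The following is an added triage helper (not code from the original report or from Trend Micro) that walks a directory and reports both; the sample tree it builds is constructed for illustration.

```python
import os
import tempfile

LOCKBIT3_EXT = ".HLjkNskOq"   # extension the report attributes to LockBit 3.0

def is_null_filled(path, chunk_size=65536):
    """True if a non-empty file consists solely of 0x00 bytes, the residue the
    report describes for the self-delete routine (contents overwritten with
    null bytes rather than the file being unlinked)."""
    if os.path.getsize(path) == 0:
        return False
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            if chunk.count(0) != len(chunk):
                return False
    return True

def triage(root):
    """Walk a tree and classify files as encrypted-by-extension or null-filled."""
    findings = {"encrypted": [], "null_filled": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.endswith(LOCKBIT3_EXT):
                findings["encrypted"].append(path)
            elif is_null_filled(path):
                findings["null_filled"].append(path)
    return findings

def build_sample_tree():
    """Constructed fixture: one encrypted-looking file, one null-filled
    executable and one benign document. Not from any real incident."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.docx" + LOCKBIT3_EXT), "wb") as f:
        f.write(os.urandom(256))
    with open(os.path.join(root, "update.exe"), "wb") as f:
        f.write(b"\x00" * 4096)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"quarterly numbers\n")
    return root

if __name__ == "__main__":
    for kind, paths in triage(build_sample_tree()).items():
        print(kind, paths)
```

A null-filled executable is not proof of LockBit on its own, but one sitting next to files carrying the known extension is a strong lead for where the encryptor ran.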
Trend Micro's comprehensive analysis sheds light on the intricate workings of LockBit-NG-Dev, providing valuable insight into its configuration parameters and operational mechanisms. Despite this technical advancement, the recent law enforcement action, part of Operation Cronos, deals another significant blow to LockBit operators, making it challenging to revive their illegal business, especially with security researchers now aware of the encrypting malware's source code.
On February 19, 2024, an official law enforcement announcement replaced LockBit’s shame blog, signaling an end to the group's operations, according to Yelisey Bohuslavskiy and Marley Smith from Red Sense. Because LockBit relied on externally hired talent, those individuals are likely to continue their activities, with LockBit's operations potentially shifting to external collectives such as Akira. For potential victims, particularly in the healthcare sector, this means that former LockBit members will use familiar tactics but now operate under Akira's name.
As LockBit’s ransomware ecosystem faces collapse, outsourcing operations to maintain the allure of the ransomware operation’s past glory has become common practice. LockBit's demise is further emphasized by the loss of their blog, which law enforcement has openly mocked, highlighting the group's public image as a factor in its downfall.
Red Sense believes that the chances of rebuilding LockBit's infrastructure are slim due to the technical limitations of its leadership and the departure of key personnel responsible for its development. Additionally, the inclusion of LockBit members on the OFAC list ensures that any attempt to rebrand or revive the group will fail, as seen with Conti and previous sanctions. Also, potential financial backers (IABs) are unlikely to trust their investments in a group post-takedown, as their primary goal is financial gain. While LockBit may resort to dumping old data, a common tactic post-takedown, it is unlikely to yield any substantial results beyond media speculation. What lies ahead for LockBit? Probably, nothing.
Even though law enforcement disrupted LockBit's operations, organizations shouldn't relax their security measures. It is important to remain vigilant and look out for LockBit's tactics, techniques, and procedures (TTPs), as they might incorporate them into Akira's ransomware operations:
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from Snatch Ransomware:
Equilend warns employees their data was stolen by ransomware gang (BleepingComputer)
LockBit ransomware gang claims it leaked stolen Boeing data (TechTarget)
Gang says ICBC paid ransom over hack that disrupted US Treasury market (Reuters)
LockBit Locked Down (Panda Security)
Fulton County, Security Experts Call LockBit’s Bluff (Krebs on Security)
An Update on LockBit 3.0 (Avertium)
LockBit Malware Fix, Prevention & Patch (Trend Micro)
EquiLend data stolen in cyberattack, company confirms (TechRadar)
LockBit's Leak Site Reemerges, a Week After 'Complete Compromise' (Dark Reading)
LockBit Story: A Three-Year Investigative Journey (RedSense Cyber Threat Intelligence)
LockBit Attempts to Stay Afloat with a New Version (Trend Micro)
LockBit ransomware secretly building next-gen encryptor before takedown (BleepingComputer)
Authorities disrupt LockBit ransomware, indict two RaaS affiliates (Chainalysis)
LockBit claims ransomware attack on Fulton County, Georgia (BleepingComputer)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.