LockBit ransomware: its history, its present and why you must be ready for it

According to a joint advisory issued by the US Cybersecurity & Infrastructure Security Agency, the FBI, the UK National Cyber Security Centre, and other international law enforcement agencies, LockBit was the “most deployed ransomware variant across the world” in 2022 and “continues to be prolific in 2023.”

But what is LockBit, who’s behind it and how does it work?

What is LockBit ransomware?

The first question: what is ransomware anyway? In short, it’s malware that encrypts your data — your personal data or that of an organisation. It’s big business, and LockBit is the megacorp run by an evil villain stroking a furless cat.

LockBit has a sordid history of attacking organisations across industry sectors and geographic locations. But the history isn’t merely sordid; it’s also confusing.

We are now in its third iteration. LockBit attacks started in January 2020, but LockBit 2.0 (also called LockBit Red) emerged in the middle of 2021. Its latest iteration is called LockBit 3.0 or LockBit Black, and came to light in June 2022.

Just as the ransomware itself has evolved, so have the groups behind it. This isn’t one person or even one group, but a network of affiliated attackers. Effectively, the people behind the ransomware license the software to other criminals.

Who does LockBit ransomware attack?

Since January 2020, LockBit has hit financial services, education, energy, healthcare, emergency services, transportation, manufacturing and government targets.

Let’s take the UK as one example. Royal Mail and Advanced, a managed services provider with multiple NHS customers, are among the organisations confirmed to have fallen victim to LockBit.

Who doesn’t LockBit ransomware attack?

What is perhaps more interesting — especially as LockBit relies on vetted affiliates to carry out the actual attacks — is the list of prohibited targets.

Threat intelligence experts at Fortinet have found evidence that LockBit affiliates are not allowed to encrypt files belonging to critical national infrastructure such as nuclear plants or gas pipelines, although they may still steal data.

Healthcare and pharmaceutical targets are allowed, with data theft permitted on the same basis, but with the added criterion that the attack must not endanger life.

Government agencies can only be targeted if a profit can be made. When it comes to law enforcement, however, affiliates are positively encouraged to attack.

Then there are the geographical prohibitions, which are thought to reveal the location of the LockBit group: post-Soviet countries cannot be attacked, including Belarus, Kazakhstan, Latvia, Ukraine and, perhaps most notably, Russia.

How does LockBit ransomware work?

A successful LockBit attack will, like most ransomware attacks, involve a systems discovery and reconnaissance phase.

LockBit attackers are known to use above-board penetration testing tools such as Metasploit and Cobalt Strike, as well as built-in tooling such as PowerShell and batch scripts. By automating as much of the process as possible, LockBit can move faster than ransomware operations that rely on lengthy manual intervention for target reconnaissance.

To gain access to target systems, LockBit affiliates commonly exploit well-known vulnerabilities, some dating back as far as 2018, that the targeted organisation has yet to patch. These are known to have included:

  • CVE-2018-13379: Fortinet FortiOS Secure Sockets Layer VPN Path Traversal
  • CVE-2019-0708: Microsoft Remote Desktop Services Remote Code Execution Vulnerability
  • CVE-2020-1472: NetLogon Privilege Escalation
  • CVE-2021-22986: F5 BIG-IP and BIG-IQ Remote Code Execution
  • CVE-2021-44228: Apache Log4j2 Remote Code Execution

Once initial exploitation is complete, LockBit disables security tooling such as Windows Defender before exfiltrating and then encrypting data.

As long as LockBit has compromised one machine with sufficiently high privileges, it can propagate automatically to others across the network. If the target organisation is a managed service provider, LockBit can even reach that provider’s customers with a secondary ransomware attack by locking down the services they use.
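From the defender’s side, the two behaviours just described (switching off Windows Defender, then spreading host to host) leave a trail in the Microsoft Defender Antivirus operational log. The following Python is an added example, not code from the article or from any LockBit analysis: it assumes events exported in the shape of a Get-WinEvent record (TimeCreated, Id, MachineName), uses Defender’s own event IDs 5001, 5010 and 5012 for protection being disabled, and runs over constructed sample events. It flags a single host as a lead, and several hosts inside a short window as a likely automated spread.

```python
"""Spot Defender being turned off across a fleet (added example; event
records below are constructed, not from a real incident)."""
from datetime import datetime, timedelta

# Microsoft Defender Antivirus operational-log IDs meaning protection is off.
PROTECTION_DISABLED = {
    5001: "real-time protection disabled",
    5010: "malware scanning disabled",
    5012: "virus scanning disabled",
}

# Constructed events, shaped like a Get-WinEvent export. 5007 is a plain
# configuration change and must not trigger on its own.
SAMPLE_EVENTS = [
    {"TimeCreated": "2023-06-14T01:02:10", "Id": 5001, "MachineName": "WS-017"},
    {"TimeCreated": "2023-06-14T01:02:11", "Id": 5007, "MachineName": "WS-017"},
    {"TimeCreated": "2023-06-14T01:03:45", "Id": 5001, "MachineName": "WS-022"},
    {"TimeCreated": "2023-06-14T01:04:02", "Id": 5012, "MachineName": "SRV-FILE01"},
    {"TimeCreated": "2023-06-14T09:30:00", "Id": 5001, "MachineName": "WS-103"},
]


def disablement_events(events):
    """Return sorted (time, host, reason) for every protection-off event."""
    hits = []
    for ev in events:
        reason = PROTECTION_DISABLED.get(ev["Id"])
        if reason:
            hits.append((datetime.fromisoformat(ev["TimeCreated"]),
                         ev["MachineName"], reason))
    return sorted(hits)


def spread_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Return (window_start, window_end, hosts) wherever protection was
    disabled on min_hosts or more distinct machines within one window.
    One host may be an administrator; several within minutes is the
    automated propagation pattern the article attributes to LockBit."""
    hits = disablement_events(events)
    alerts = []
    for i, (start, _, _) in enumerate(hits):
        hosts = {h for t, h, _ in hits[i:] if t - start <= window}
        # Emit one alert per burst: skip starts inside the last window.
        if len(hosts) >= min_hosts and (not alerts or start > alerts[-1][1]):
            alerts.append((start, start + window, sorted(hosts)))
    return alerts


if __name__ == "__main__":
    for t, host, reason in disablement_events(SAMPLE_EVENTS):
        print(f"{t} {host}: {reason}")
    for start, end, hosts in spread_alerts(SAMPLE_EVENTS):
        print(f"SPREAD {start}..{end}: {', '.join(hosts)}")
```

The 09:30 event on WS-103 is reported as a single-host lead but does not raise a spread alert, which is the distinction an analyst needs when triaging.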

How much money has LockBit made?

There is always an element of guesswork when trying to figure out how profitable a criminal enterprise is. For starters, most such groups are in the exaggeration game: they want to attract more affiliates which, in turn, boosts the likelihood of more profit.

We know that LockBit operates on a Ransomware-as-a-Service (RaaS) basis, but even this isn’t straightforward. Most RaaS groups charge affiliates a fee for using the ransomware variant and then pay them an agreed share of any ransom collected from a successful attack. LockBit flips this on its head: the affiliate collects the ransom payment and then sends an agreed cut to the LockBit bosses. The amount that the LockBit group itself receives is thought to be, on average, around 25% of the total ransom.

So, is it possible to estimate how much money LockBit has made? According to the joint law enforcement advisory mentioned at the start of this article, the answer is yes. Sort of. The FBI says “about 1,700” LockBit attacks have been recorded within the US since 5 January 2020, and that the total ransoms paid by those US organisations is “approximately $91 million”.

This would equate to the various affiliates earning around $68 million, with the bosses getting $22 million across three-and-a-half years. But remember, this is from US victims only.

What can you do?

We know that LockBit is prolific. We know that it targets (almost) indiscriminately. As such, we know that all organisations need to actively take measures to protect themselves.

As mentioned above, well-known vulnerabilities dating back to 2018 are exploited in the initial stages of a LockBit attack. Proper patch management can help mitigate the threat.

In addition, the principle of least privilege can prevent such ransomware from spreading across a network, as can network segmentation controls.

Other measures? Endpoint protection remains a crucial weapon, but you should also invest in penetration testing and vulnerability scanning.

In short, you need to ensure that you have policies in place — and that you enforce them.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.