A joint bulletin released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and partner authorities from around the world has revealed that the LockBit ransomware-as-a-service (RaaS) group has extorted an incredible $91 million from numerous U.S. organisations since 2020. This criminal spree, which significantly disrupted critical infrastructure sectors, has made LockBit one of the most successful and cutting-edge ransomware operations to date.

The bulletin, produced in partnership with agencies from Australia, Canada, France, Germany, New Zealand, the United Kingdom, and the United States, provided insight into the inner workings of the LockBit cartel. It demonstrated how affiliates use the LockBit strain of ransomware to perform attacks under the RaaS model, creating a complicated web of unrelated threat actors who undertake a variety of attacks. LockBit, which first appeared in late 2019, has continued to develop, evolving to target other platforms and dramatically increasing its reach.
Malwarebytes records show that LockBit targeted 76 victims in May 2023 alone, bringing the total number of ransomware attacks the group has claimed to at least 1,653. Financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation are just a few of the many industries that the cartel has harmed. This lengthy list demonstrates the LockBit ransomware operations' enormous effects on both public and private organisations.
LockBit has received numerous substantial updates over the years, including LockBit Red in June 2021, LockBit Black in March 2022, and LockBit Green in January 2023. The most recent upgrade stood out in particular because it included stolen source code from the now-disbanded Conti gang. These improvements have made LockBit a highly adaptive and constantly changing threat that can now attack Linux, VMware ESXi, and Apple macOS systems.
The LockBit group has added unusual components to its operations in addition to its technical abilities. Notably, the cartel was responsible for starting the world's first bug bounty programme and even paid people to get tattoos of its logo. These strategies show how determined the group is to make a name for itself in the world of cybercrime.
Under the business model used by the LockBit ransomware operation, the core developers rent out their ransomware to affiliates who carry out the actual deployment and extortion. An unusual strategy employed by the gang is to allow affiliates to receive ransom payments directly before sending a share of the money to the core crew. This strategy has aided the quick expansion of the network of criminals using the LockBit strain.
LockBit's attack chains usually take advantage of freshly discovered flaws in a variety of systems to obtain initial access. The ransomware organisation has exploited vulnerabilities in Fortra GoAnywhere Managed File Transfer (MFT), PaperCut MF/NG servers, Apache Log4j2, F5 BIG-IP and BIG-IQ, and Fortinet devices. Additionally, the affiliates have used over 30 freeware and open-source tools, including file exfiltration, remote access and tunnelling, credential dumping, and network reconnaissance tools. Unsettlingly, legitimate red team tools such as Cobalt Strike and Metasploit have also been misused during intrusions, significantly complicating detection and prevention efforts.
The success of the organisation can be credited in part to the administration panel offered by LockBit, which features a streamlined, point-and-click interface that makes ransomware deployment accessible even to people with little technical knowledge. This trait has allowed the cartel to draw in a wider variety of criminals and dramatically grow its activities. The group's resilience and effectiveness have also been boosted by its ongoing review of its tactics, techniques, and procedures (TTPs).
In recognition of the gravity and scope of the threat posed by the LockBit ransomware organisation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently released Binding Operational Directive (BOD) 23-02. This directive requires federal agencies to secure any network equipment that is accessible from the public internet, including firewalls, routers, and switches, within 14 days of its discovery. By implementing these actions, agencies aim to minimise the attack surface and lower the risk to the federal civilian enterprise. Jen Easterly, director of CISA, emphasised the importance of applying the right controls and mitigations to lessen the risk of a complete breach.
Alongside the LockBit ransomware bulletin, CISA and the U.S. National Security Agency (NSA) jointly released an advisory highlighting vulnerabilities in Baseboard Management Controller (BMC) installations. According to this advisory, threat actors may be able to establish a "beachhead with pre-boot execution potential" by taking advantage of gaps in BMC security. To reduce the likelihood of a vulnerable BMC being exploited, the advisory emphasises the need for hardened credentials, firmware updates, and network segmentation.
International cooperation and coordinated efforts remain essential as the global cybersecurity community battles the growing danger posed by LockBit and other ransomware organisations. By exchanging intelligence and planning responses, governments and security agencies can cooperate to lessen the impact of these cybercriminals and safeguard vital infrastructure from their disruptive actions.