CISA, Partners Release LockBit Ransomware Cybersecurity Advisory

June 14, 2023 - The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), along with international partners, released a comprehensive document entitled “ Understanding Ransomware Threat Actors: LockBit.”

The document dives into the tactics and tools of LockBit, one of the most prolific ransomware variants across the world in 2022 and 2023. As previously reported, LockBit has been observed leveraging known vulnerabilities and deploying ransomware at alarming rates.

“The LockBit Ransomware-as-a-Service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks,” CISA stated.

“Affiliates have attacked organizations of various sizes across an array of critical infrastructure sectors including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit has been successful through its innovation and continual development of the group’s administrative panel (i.e., a simplified, point-and-click interface making ransomware deployment accessible to those with lower degrees of technical skill), affiliate supporting functions, and constant revision of TTPs.”

In releasing this detailed cybersecurity advisory, the authoring entities aim to spread the word about LockBit mitigation tactics and encourage defenders to remain on high alert.

How LockBit Reaches Victims

LockBit’s RaaS model enables it to reach victims across the world. In 2022, LockBit was the most active global ransomware group and RaaS provider by number of victims claimed on their data leak site.

“A RaaS cybercrime group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often referred to as “affiliates”), and supports affiliates’ deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits, or a combination of upfront payment, subscription fees, and a cut of profits,” the document stated.

LockBit has been known to attract affiliates by discouraging other RaaS groups in online forums, handing out ransom payments to affiliates before sending a cut to the core group, rather than paying themselves first. The group has even engaged in publicity stunts, such as paying people to get LockBit tattoos.

“LockBit has been successful through innovation and ongoing development of the group’s administrative panel and the RaaS supporting functions,” the authoring entities continued. “In parallel, affiliates that work with LockBit and other notable variants are constantly revising the TTPs used for deploying and executing ransomware.”

This model has worked for them so far, as the group has continued to launch attacks against organizations across the world, from Australia to the United States. In 2022, 16 percent of the State, Local, Tribal, and Tribunal (SLTT) government ransomware incidents reported to the MS-ISAC were attributed to LockBit. What’s more, US entities have paid out approximately $91 million in ransoms to LockBit since it was first observed in 2020.

The document contains a detailed overview of the techniques used by LockBit actors, from privilege escalation to drive-by compromises.

Recommended Mitigations

CISA and the other authoring entities offered a variety of recommendations that organizations can leverage to put themselves in a better position to defend against LockBit. All of the suggestions align with CISA’s Cross-Sector Cybersecurity Performance Goals.

To prevent initial access, the authoring entities recommended implementing sandboxed browsers, segmenting networks, and implementing multi-factor authentication. In addition, organizations may want to consider raising awareness for phishing threats, installing and regularly updating antivirus software, and adding an external warning banner for emails sent to or received from contacts outside their organization.

The guidance provided other detailed mitigations ordered by MITRE ATT&CK tactic, from initial access to execution and privilege escalation. Lastly, the authors stressed the importance of implementing multiple mitigations under a defense-in-depth approach, which allows organizations to identify gaps in network defenses and strengthen their security postures.