US Organizations Shell Out $91 Million to LockBit Ransomware Gang

Ransomware Attacks on US Organizations Result in $91 Million in Payments to LockBit Gang

By | June 15, 2023

The LockBit ransomware gang, operating under the Ransomware-as-a-Service (RaaS) model, has launched approximately 1,700 attacks on organizations in the United States, resulting in ransom payments totaling around $91 million, according to the US government. This group has been active since at least January 2020, targeting various sectors including critical infrastructure, education, energy, government and emergency response, financial services, food and agriculture, healthcare, manufacturing, and transportation.

The joint advisory from Australian, Canadian, French, German, New Zealand, and US government agencies reveals that LockBit accounted for approximately 20% of all observed ransomware attacks in Australia, Canada, New Zealand, and the US during the previous year. The gang has developed several versions of the malware, including LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker. LockBit 3.0 is currently the most widely used version.

Tactics and Techniques

LockBit operators have been observed using a variety of tools and techniques in their attacks, including freeware and open-source tools for reconnaissance, tunneling, remote access, credential dumping, and data exfiltration. They also rely on common scripting, such as PowerShell and batch scripts, and on penetration-testing tools like Metasploit and Cobalt Strike. Additionally, the attackers exploit multiple vulnerabilities, such as the recent Fortra GoAnywhere remote code execution (RCE) and PaperCut MF/NG improper access control flaws, as well as older bugs in Apache Log4j2, F5 BIG-IP, NetLogon, Microsoft Remote Desktop Services, Fortinet FortiOS, and F5 iControl.

Double Extortion and Leak Sites

In addition to encrypting victim data and demanding ransom, LockBit operators maintain a leak site where they publish the names of victims and the data stolen from them. However, only victims who refuse to pay the initial ransom to decrypt their data are listed on the site. This means that not all victims are named or have their data posted, resulting in the leak site revealing only a portion of the total number of LockBit victims.

Recommendations for Mitigation

The joint advisory provides recommendations for mitigating the various stages of a LockBit attack, including initial access, privilege escalation, persistence, code execution, lateral movement, credential access, and data exfiltration. The recommendations include implementing multi-factor authentication, conducting regular patching and vulnerability management, monitoring network traffic for signs of compromise, and educating employees about phishing and social engineering tactics.

Internet Security and the Growing Threat of Ransomware

The recent wave of ransomware attacks, including the significant financial losses incurred by US organizations due to LockBit, highlights the urgent need for improved internet security practices. Ransomware attacks are not only financially devastating but also have far-reaching consequences for victims, including the potential loss of sensitive data, disruption of critical services, and damage to reputation.

Addressing Vulnerabilities and Strengthening Cyber Defenses

To combat the threat of ransomware, organizations must prioritize cybersecurity measures and implement robust defenses. This includes regularly patching and updating software to address known vulnerabilities, conducting thorough risk assessments to identify and mitigate potential weaknesses, and implementing multi-factor authentication and strong password policies to protect against unauthorized access.

Furthermore, organizations should invest in employee training programs to educate staff about the dangers of phishing emails and other social engineering tactics used by attackers. By raising awareness and promoting a culture of cybersecurity, organizations can empower their employees to help protect against ransomware attacks.

The Role of Government and International Cooperation

Ransomware attacks, such as those perpetrated by the LockBit gang, often cross national borders, making them a global issue that requires international cooperation. Governments and law enforcement agencies must work together to share information and intelligence, coordinate efforts to disrupt and dismantle ransomware operations, and hold criminals accountable.

In addition, governments should allocate resources to support research and development of advanced cybersecurity technologies and establish regulatory frameworks to ensure organizations take proactive measures to protect against ransomware attacks. By creating a secure and resilient digital infrastructure, governments can enhance the overall cybersecurity posture of their nations.

Editorial: The Need for Collective Action

The LockBit ransomware attacks and the significant financial impact on US organizations underscore the urgency of collective action to address the growing threat of ransomware. This is a problem that cannot be solved by individual entities alone. It requires collaboration, information sharing, and a united effort to disrupt and dismantle ransomware operations.

Organizations must recognize the shared responsibility in safeguarding the digital ecosystem and prioritize proactive cybersecurity measures. This includes investing in cutting-edge technologies, fostering a culture of security awareness, and collaborating with government agencies, industry partners, and cybersecurity experts to develop effective strategies for prevention, detection, and response.

Governments play a crucial role in facilitating this collective action by creating an environment that encourages cooperation, setting clear expectations for cybersecurity practices, and providing the necessary resources to combat ransomware effectively. Policymakers should prioritize cybersecurity as a national security issue and work towards international agreements to prevent and respond to cyber threats.

Conclusion

The rise of ransomware attacks, exemplified by the LockBit gang’s activities, poses a significant threat to organizations worldwide. The financial toll and potential consequences make it imperative for organizations to take immediate action to bolster their cybersecurity defenses.

By implementing best practices, critically evaluating existing security measures, and embracing collective action, organizations can enhance their resilience against ransomware attacks. Additionally, governments must prioritize cybersecurity and foster international cooperation to effectively combat this global issue.

is a current affairs commentator specializing in cybersecurity and internet governance. He is a regular contributor to the New York Times, providing analysis and insight into the latest developments in the field.
