LockBit Ransomware Scheme Continues to Evolve and Extort Millions from US Organizations

LockBit is a ransomware-as-a-service (RaaS) scheme that has been wreaking havoc in the U.S. since 2020. The threat actors behind this scheme are known for targeting critical infrastructure sectors and extorting large sums of money from their victims. To date, LockBit has claimed responsibility for at least 1,653 ransomware attacks and has extorted $91 million from various U.S. organizations. This article will provide an in-depth overview of the LockBit ransomware scheme, including its evolving threat landscape, attack chains, and vulnerabilities exploited. We will also discuss its unique business model, upgrades and innovations, and the recent CISA Binding Operational Directive 23-02, as well as threats to baseboard management controller implementations.

Overview of LockBit Ransomware Scheme

The LockBit ransomware scheme is a RaaS that rents out the core developers’ software to affiliates who carry out ransomware deployment and extortion. The affiliates are allowed to receive ransom payments and then send a cut to the main crew, making it a deviation from the typical ransomware business model. This business model has enabled LockBit to extort $91 million from various U.S. organizations since 2020. The threat actors behind LockBit have claimed responsibility for at least 1,653 ransomware attacks to date and have targeted various critical infrastructure sectors.

Evolving threat landscape

LockBit’s ability to adapt to new systems and environments has made it an ever-evolving threat. The ransomware strain has been adapted to target Linux, VMware ESXi, and Apple macOS systems. LockBit has been successful through its innovation and continual development of the group’s administrative panel, affiliate supporting functions, and constant revision of tactics, techniques, and procedures (TTPs).

Attack Chains and Vulnerabilities Exploited

LockBit’s attack chains have leveraged recently disclosed flaws in Fortra GoAnywhere Managed File Transfer (MFT) and PaperCut MF/NG servers, as well as other known bugs in Apache Log4j2, F5 BIG-IP and BIG-IQ, and Fortinet devices, to obtain initial access. The threat actors behind LockBit have exploited these vulnerabilities to gain access to their targets’ networks and deploy ransomware.

Unique business model

LockBit’s unique business model, which involves renting out the core developers’ malware to affiliates who carry out ransomware attacks and extortion, has enabled the operation to extort large sums of money from various U.S. organizations. This business model has also made it difficult for law enforcement to identify and prosecute the main perpetrators behind LockBit.

Upgrades and Innovations

The LockBit ransomware strain has undergone three substantial upgrades so far: LockBit Red (June 2021), LockBit Black (March 2022), and LockBit Green (January 2023). These upgrades have enabled LockBit to stay ahead of security measures and continue to evolve its attack capabilities. LockBit’s continual development of the group’s administrative panel, affiliate supporting functions, and constant revision of TTPs have also made it a formidable threat.

CISA Binding Operational Directive 23-02

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 23-02, instructing federal agencies to secure network devices exposed to the public internet within 14 days of discovery and take steps to minimize the attack surface. This directive aims at mitigating the risks posed by ransomware attacks, such as LockBit, and reducing their impact on critical infrastructure.

Threats to Baseboard Management Controller Implementations

CISA and the US National Security Agency (NSA) have highlighted threats to baseboard management controller (BMC) implementations, leading to vulnerabilities if credentials, firmware updates, and network segmentation options are overlooked. BMC is a critical component in many computing systems, and attackers can exploit vulnerabilities in these systems to gain unauthorized access, escalate privileges, and ultimately deploy ransomware.

The LockBit ransomware scheme is a growing threat to US organizations that operate critical infrastructure systems. LockBit’s ability to adapt to new environments and systems, exploit known vulnerabilities, and use a unique business model has made it a formidable adversary. Organizations must take steps to secure their networks and minimize their attack surface to mitigate the risks posed by ransomware attacks like LockBit. The recent CISA Binding Operational Directive 23-02 and threats to BMC implementations highlight the importance of implementing robust security measures to prevent ransomware attacks.

Explore more

Companies Can Prevent Bad AI Hires by Measuring True Fluency

Organizations across the global marketplace are currently grappling with an unprecedented urgency to demonstrate sophisticated artificial intelligence capabilities to their demanding boards and expectant investors. This intense pressure has transformed AI fluency from a specialized technical niche into a mandatory prerequisite for nearly ninety-five percent of organizations operating today. However, the rush to secure talent has led to a paradoxical

Can RPA Balance Healthcare Efficiency With Patient Care?

The modern medical landscape is currently defined by a paradoxical struggle where advanced clinical innovations are often overshadowed by the sheer volume of clerical work required to sustain them. Doctors today spend a staggering amount of their shifts staring at glowing screens rather than engaging with the human beings sitting in the examination rooms. When a physician spends more time

How Is BlackRock Dominating the Tokenized Asset Market?

BlackRock’s strategic deployment of the USD Institutional Digital Liquidity Fund has fundamentally reshaped the landscape of global finance by successfully bridging the gap between traditional banking and decentralized ledgers. This initiative, widely recognized as BUIDL, represents a pivot from the speculative nature of early cryptocurrency markets toward the practical utility of high-grade financial instruments. By 2026, the institutional narrative has

How Can Lagos State Combat Workplace Harassment?

The rapidly evolving commercial landscape of Lagos State, often characterized by its relentless pace and high-stakes corporate environment, currently faces a critical reckoning as reports of workplace harassment continue to surface across various sectors. This phenomenon is not merely a social grievance but a significant barrier to economic productivity and employee retention in Africa’s largest subnational economy. As the city

Microsoft Refines Windows 11 Design With K2 Initiative

The traditional desktop environment is undergoing a fundamental transformation as Microsoft addresses long-standing visual inconsistencies through its ambitious internal project known as the K2 Initiative. This effort represents a significant shift from the piecemeal updates seen in previous years toward a holistic overhaul of the operating system’s aesthetic and functional layers. By prioritizing a more cohesive user experience, developers worked