LOCKBIT
LockBit is a sophisticated ransomware group that primarily targets large enterprises and critical infrastructure organizations, leveraging high-severity vulnerabilities to gain initial access. The group has demonstrated an affinity for exploiting critical vulnerabilities in widely used products such as Apache Log4j2, Citrix NetScaler ADC & Gateway, F5 BIG-IP, Fortra GoAnywhere Managed File Transfer, and Windows NetLogon services. LockBit's operational approach involves a double extortion tactic, where the attackers not only encrypt data but also exfiltrate it for additional leverage during negotiations. This group stands out due to its strategic exploitation of zero-day vulnerabilities and rapid deployment of new malware variants in response to defensive measures.
In terms of technical sophistication, LockBit predominantly exploits remote code execution (RCE) vulnerabilities, with a notable focus on those affecting network infrastructure and application servers. The group's use of critical CVEs like CVE-2021-44228 and CVE-2021-22986 highlights their ability to identify and exploit high-risk vulnerabilities early in the disclosure cycle. Defenders should prioritize patch management for known exploited vulnerabilities, particularly those affecting network infrastructure components. Additionally, implementing robust network segmentation and monitoring anomalous outbound data transfers can help mitigate the risk of data exfiltration by LockBit.
CISA Intelligence #StopRansomware
#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability · 2023-11-21
Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue
Close Topics Topics Cybersecurity Best Practices Cyber Threats and Response Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities Spotlight Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups News & Events News & Events Directives News Events Cybersecurity Alerts & Advisories Request a CISA Speaker Congressional Testimony CISA Conferences CISA Live! Careers Careers Benefits & Perks Hiring and Recruitment New Employee Orientation & Onboarding Students & Recent Graduates Veteran and Military Spouses About About Divisions & Offices Regions Leadership Doing Business with CISA Site Links CISA GitHub CISA Central Contact Us Subscribe Transparency and Accountability Policies & Plans Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.
Understanding Ransomware Threat Actors: LockBit · 2023-06-14
Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue
Close Topics Topics Cybersecurity Best Practices Cyber Threats and Response Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities Spotlight Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups News & Events News & Events Directives News Events Cybersecurity Alerts & Advisories Request a CISA Speaker Congressional Testimony CISA Conferences CISA Live! Careers Careers Benefits & Perks Hiring and Recruitment New Employee Orientation & Onboarding Students & Recent Graduates Veteran and Military Spouses About About Divisions & Offices Regions Leadership Doing Business with CISA Site Links CISA GitHub CISA Central Contact Us Subscribe Transparency and Accountability Policies & Plans Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue
In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.
#StopRansomware: LockBit 3.0 · 2023-03-16
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.
The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Download the PDF version of this report:
Confirmed CVEs (5)
Exploited by this group as confirmed by threat intelligence sources.
Predicted CVEs (15) CORRELATION
How does prediction work?
Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.