LOCKBIT

RANSOMWARE

LockBit is a sophisticated ransomware group that primarily targets large enterprises and critical infrastructure organizations, leveraging high-severity vulnerabilities to gain initial access. The group has demonstrated an affinity for exploiting critical vulnerabilities in widely used products such as Apache Log4j2, Citrix NetScaler ADC & Gateway, F5 BIG-IP, Fortra GoAnywhere Managed File Transfer, and Windows NetLogon services. LockBit's operational approach involves a double extortion tactic, where the attackers not only encrypt data but also exfiltrate it for additional leverage during negotiations. This group stands out due to its strategic exploitation of zero-day vulnerabilities and rapid deployment of new malware variants in response to defensive measures.

In terms of technical sophistication, LockBit predominantly exploits remote code execution (RCE) vulnerabilities, with a notable focus on those affecting network infrastructure and application servers. The group's use of critical CVEs like CVE-2021-44228 and CVE-2021-22986 highlights their ability to identify and exploit high-risk vulnerabilities early in the disclosure cycle. Defenders should prioritize patch management for known exploited vulnerabilities, particularly those affecting network infrastructure components. Additionally, implementing robust network segmentation and monitoring anomalous outbound data transfers can help mitigate the risk of data exfiltration by LockBit.

CISA Intelligence #StopRansomware

#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability · 2023-11-21

Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

Close Topics Topics Cybersecurity Best Practices Cyber Threats and Response Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities Spotlight Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups News & Events News & Events Directives News Events Cybersecurity Alerts & Advisories Request a CISA Speaker Congressional Testimony CISA Conferences CISA Live! Careers Careers Benefits & Perks Hiring and Recruitment New Employee Orientation & Onboarding Students & Recent Graduates Veteran and Military Spouses About About Divisions & Offices Regions Leadership Doing Business with CISA Site Links CISA GitHub CISA Central Contact Us Subscribe Transparency and Accountability Policies & Plans Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

Understanding Ransomware Threat Actors: LockBit · 2023-06-14

Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

Close Topics Topics Cybersecurity Best Practices Cyber Threats and Response Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities Spotlight Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups News & Events News & Events Directives News Events Cybersecurity Alerts & Advisories Request a CISA Speaker Congressional Testimony CISA Conferences CISA Live! Careers Careers Benefits & Perks Hiring and Recruitment New Employee Orientation & Onboarding Students & Recent Graduates Veteran and Military Spouses About About Divisions & Offices Regions Leadership Doing Business with CISA Site Links CISA GitHub CISA Central Contact Us Subscribe Transparency and Accountability Policies & Plans Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.

#StopRansomware: LockBit 3.0 · 2023-03-16

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.

The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

Confirmed CVEs (5)

Exploited by this group as confirmed by threat intelligence sources.

CVE-2021-44228 CRITICAL Apache Software Foundation Apache Log4j2 10.0 CVE-2021-22986 CRITICAL F5 BIG-IP and BIG-IQ Centralized Management 9.8 CVE-2023-4966 HIGH Citrix NetScaler ADC 7.5 CVE-2023-0669 HIGH Fortra Goanywhere MFT 7.2 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 5.5

Predicted CVEs (15) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2021-44228 CRITICAL Apache Software Foundation Apache Log4j2 predicted 10.0 CVE-2021-44228 CRITICAL Apache Software Foundation Apache Log4j2 high 10.0 CVE-2023-27350 CRITICAL PaperCut NG predicted 9.8 CVE-2021-22986 CRITICAL F5 BIG-IP and BIG-IQ Centralized Management high 9.8 CVE-2025-10035 CRITICAL Fortra GoAnywhere MFT predicted 9.8 CVE-2021-22986 CRITICAL F5 BIG-IP and BIG-IQ Centralized Management predicted 9.8 CVE-2023-3519 CRITICAL Citrix NetScaler ADC predicted 9.8 CVE-2023-27350 CRITICAL PaperCut NG high 9.8 CVE-2021-45046 CRITICAL Apache Software Foundation Apache Log4j predicted 9.0 CVE-2023-4966 HIGH Citrix NetScaler ADC predicted 7.5 CVE-2023-4966 HIGH Citrix NetScaler ADC high 7.5 CVE-2023-0669 HIGH Fortra Goanywhere MFT high 7.2 CVE-2023-0669 HIGH Fortra Goanywhere MFT predicted 7.2 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 high 5.5 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 predicted 5.5

ATT&CK Techniques (25)

T1078 Valid Accounts Initial Access T1190 Exploit Public-Facing Application Initial Access T1566 Phishing Initial Access T1047 Windows Management Instrumentation Execution T1053.005 Scheduled Task/Job: Scheduled Task Execution T1059.001 Command and Scripting Interpreter: PowerShell Execution T1547.001 Boot or Logon Autostart Execution: Registry Run Keys Persistence T1027 Obfuscated Files or Information Defense Evasion T1070.001 Indicator Removal: Clear Windows Event Logs Defense Evasion T1562.001 Disable or Modify Tools Defense Evasion T1003.001 OS Credential Dumping: LSASS Memory Credential Access T1110 Brute Force Credential Access T1046 Network Service Discovery Discovery T1482 Domain Trust Discovery Discovery T1021.001 Remote Services: Remote Desktop Protocol Lateral Movement T1021.002 Remote Services: SMB/Windows Admin Shares Lateral Movement T1210 Exploitation of Remote Services Lateral Movement T1560.001 Archive Collected Data: Archive via Utility Collection T1048 Exfiltration Over Alternative Protocol Exfiltration T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration T1090.003 Proxy: Multi-hop Proxy Command and Control T1219 Remote Access Software Command and Control T1486 Data Encrypted for Impact Impact T1489 Service Stop Impact T1490 Inhibit System Recovery Impact