LOCKBIT 20
LockBit 20 primarily targets large enterprises and critical infrastructure sectors such as healthcare, manufacturing, and financial services, leveraging their extensive operational capabilities to maximize disruption and ransom demands. The group's initial access vector is often through phishing campaigns or exploiting unpatched vulnerabilities, though specific details on the exact methods remain elusive. Once inside a network, LockBit 20 employs double extortion tactics by exfiltrating sensitive data before encryption, threatening public release unless ransoms are paid. This approach distinguishes them from other ransomware actors, as they prioritize comprehensive network infiltration and data theft to exert pressure on victims.
Analyzing the technical footprint of LockBit 20 reveals a preference for critical vulnerabilities, with six CRITICAL severity CVEs in their arsenal. However, without confirmed exploitation details, it is challenging to pinpoint specific vulnerability categories like RCE or authentication bypass that they exploit. The absence of tools and malware identification limits insights into their operational sophistication but suggests a reliance on established ransomware frameworks rather than bespoke software development. Defenders should prioritize timely patching of known vulnerabilities and robust network segmentation to mitigate the risk of lateral movement within compromised networks, thereby reducing the group's ability to achieve comprehensive data exfiltration and encryption objectives.
Predicted CVEs (15) CORRELATION
How does prediction work?
Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.