LOCKBIT 30

RANSOMWARE

LockBit 30 primarily targets organizations that possess valuable intellectual property and sensitive data, often within sectors like finance, healthcare, and technology. The group typically initiates attacks through phishing emails or exploiting publicly accessible services to gain initial access to the network. Once inside, LockBit 30 employs a double extortion tactic, encrypting files and threatening public disclosure of stolen data unless a ransom is paid. This approach distinguishes them from other ransomware actors by leveraging social engineering and exploiting vulnerabilities to maximize their impact.

Based on available data, LockBit 30 has shown an inclination towards critical vulnerabilities rated as CRITICAL severity, with six out of nine CVEs linked indicating potential high-risk exploitation vectors. While specific tools or malware used are unknown, the group's focus on critical vulnerabilities suggests a sophisticated operational capability. Defenders should prioritize patch management and network segmentation to mitigate the risk of initial access via unsecured services. Additionally, implementing robust phishing detection mechanisms can further protect against LockBit 30’s preferred attack vector.

CISA Intelligence #StopRansomware

#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability · 2023-11-21

Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

Close Topics Topics Cybersecurity Best Practices Cyber Threats and Response Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities Spotlight Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups News & Events News & Events Directives News Events Cybersecurity Alerts & Advisories Request a CISA Speaker Congressional Testimony CISA Conferences CISA Live! Careers Careers Benefits & Perks Hiring and Recruitment New Employee Orientation & Onboarding Students & Recent Graduates Veteran and Military Spouses About About Divisions & Offices Regions Leadership Doing Business with CISA Site Links CISA GitHub CISA Central Contact Us Subscribe Transparency and Accountability Policies & Plans Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.

Understanding Ransomware Threat Actors: LockBit · 2023-06-14

Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

Close Topics Topics Cybersecurity Best Practices Cyber Threats and Response Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities Spotlight Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups News & Events News & Events Directives News Events Cybersecurity Alerts & Advisories Request a CISA Speaker Congressional Testimony CISA Conferences CISA Live! Careers Careers Benefits & Perks Hiring and Recruitment New Employee Orientation & Onboarding Students & Recent Graduates Veteran and Military Spouses About About Divisions & Offices Regions Leadership Doing Business with CISA Site Links CISA GitHub CISA Central Contact Us Subscribe Transparency and Accountability Policies & Plans Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.

#StopRansomware: LockBit 3.0 · 2023-03-16

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.

The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Download the PDF version of this report:

Predicted CVEs (15) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2021-44228 CRITICAL Apache Software Foundation Apache Log4j2 high 10.0 CVE-2021-44228 CRITICAL Apache Software Foundation Apache Log4j2 predicted 10.0 CVE-2021-22986 CRITICAL F5 BIG-IP and BIG-IQ Centralized Management high 9.8 CVE-2023-27350 CRITICAL PaperCut NG predicted 9.8 CVE-2023-27350 CRITICAL PaperCut NG high 9.8 CVE-2025-10035 CRITICAL Fortra GoAnywhere MFT predicted 9.8 CVE-2021-22986 CRITICAL F5 BIG-IP and BIG-IQ Centralized Management predicted 9.8 CVE-2023-3519 CRITICAL Citrix NetScaler ADC predicted 9.8 CVE-2021-45046 CRITICAL Apache Software Foundation Apache Log4j predicted 9.0 CVE-2023-4966 HIGH Citrix NetScaler ADC predicted 7.5 CVE-2023-4966 HIGH Citrix NetScaler ADC high 7.5 CVE-2023-0669 HIGH Fortra Goanywhere MFT predicted 7.2 CVE-2023-0669 HIGH Fortra Goanywhere MFT high 7.2 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 predicted 5.5 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 high 5.5