CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector String | AV:N/AC:L/Au:N/C:C/I:C/A:C |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 100.0% |
In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model in which affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Because the operation has a large number of unconnected affiliates, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the following international partners, hereafter referred to as “authoring organizations,” are releasing this Cybersecurity Advisory (CSA) detailing observed activity in LockBit ransomware incidents and providing recommended mitigations to enable network defenders to proactively improve their organization’s defenses against this ransomware operation.
The authoring organizations encourage the implementation of the recommendations found in this CSA to reduce the likelihood and impact of future ransomware incidents.
Understanding Ransomware Threat Actors: LockBit (PDF, 1.24 MB)
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13.1. See the MITRE ATT&CK Tactics and Techniques section for tables of LockBit’s activity mapped to MITRE ATT&CK® tactics and techniques.
The LockBit RaaS and its affiliates have negatively impacted organizations, both large and small, across the world. In 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on their data leak site. [1] A RaaS cybercrime group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often referred to as “affiliates”), and supports affiliates’ deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits, or a combination of upfront payment, subscription fees, and a cut of profits. Some of the methods LockBit has used to successfully attract affiliates include, but are not limited to:
LockBit has been successful through innovation and ongoing development of the group’s administrative panel and the RaaS supporting functions. In parallel, affiliates that work with LockBit and other notable variants are constantly revising the TTPs used for deploying and executing ransomware.
Table 1 shows LockBit RaaS’s innovation and development.
Table 1: Evolution of LockBit RaaS
Date | Event |
---|---|
September 2019 | First observed activity of ABCD ransomware, the predecessor to LockBit. [4] |
January 2020 | LockBit-named ransomware first seen on Russian-language based cybercrime forums. |
June 2021 | Appearance of LockBit version 2 (LockBit 2.0), also known as LockBit Red including StealBit, a built-in information-stealing tool. |
October 2021 | Introduction of LockBit Linux-ESXi Locker version 1.0 expanding capabilities to target systems to Linux and VMware ESXi. [5] |
March 2022 | Emergence of LockBit 3.0, also known as LockBit Black, that shares similarities with BlackMatter and Alphv (also known as BlackCat) ransomware. |
September 2022 | Non-LockBit affiliates able to use LockBit 3.0 after its builder was leaked. [2, 6] |
January 2023 | Arrival of LockBit Green incorporating source code from Conti ransomware. [7] |
April 2023 | LockBit ransomware encryptors targeting macOS seen on VirusTotal [8, 9] |
LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker are still available for affiliates’ use on LockBit’s panel.
From the first case in July 2020 to the present, ANSSI has handled 80 alerts linked to the LockBit ransomware, which accounts for 11% of all ransomware cases handled by ANSSI in that period. In about 13% of those cases, ANSSI was not able to confirm or deny the breach of its constituents’ networks, as the alerts were related to the threat actor’s online claims. So far, 69 confirmed incidents have been handled by ANSSI. Table 2 shows the LockBit activity observed by ANSSI versus overall ransomware activity tracked by the Computer Emergency Response Team-France (CERT-FR).
Table 2: ANSSI-Observed LockBit vs. Overall Ransomware Activity
Year | Number of Incidents | Percentage of CERT-FR’s Ransomware-Related Activity |
---|---|---|
2020 (from July) | 4 | 2% |
2021 | 20 | 10% |
2022 | 30 | 27% |
2023 | 15 | 27% |
Total (2020-2023) | 69 | 11% |
Table 3 shows the number of instances different LockBit strains were observed by ANSSI from July 2020 to present.
Table 3: ANSSI-Observed LockBit Strain and Number of Instances
Name of the Strain* | Number of Instances |
---|---|
LockBit 2.0 (LockBit Red) | 26 |
LockBit 3.0 (LockBit Black) | 23 |
LockBit | 21 |
LockBit Green | 1 |
LockBit (pre-encryption) | 1 |
Total | 72** |
** Includes incidents with multiple strains
Figure 1: ANSSI-Observed LockBit Strains by Year
From the incidents handled, ANSSI infers that from 2022 onward LockBit 3.0 largely took over from LockBit 2.0 and the original LockBit strain. In two cases, victims were infected with as many as three different strains of LockBit (LockBit 2.0/Red, LockBit 3.0/Black, and LockBit Green).
The authoring agencies observe data leak sites, where attackers publish the names and captured data of victims if they do not pay ransom or hush money. Additionally, these sites can be used to record alleged victims who have been threatened with a data leak. The term ‘victims’ may include those who have been attacked, or those who have been threatened or blackmailed (with the attack having taken place).
The leak sites only show the portion of LockBit affiliates’ victims subjected to secondary extortion. Since 2021, LockBit affiliates have employed double extortion by first encrypting victim data and then exfiltrating that data while threatening to post that stolen data on leak sites. Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates’ total victims. For these reasons, the leak sites are not a reliable indicator of when LockBit ransomware attacks occurred. The date of data publication on the leak sites may be months after LockBit affiliates actually executed ransomware attacks.
Up to Q1 2023, a total of 1,653 alleged victims were observed on LockBit leak sites. With the introduction of LockBit 2.0 and LockBit 3.0, the leak sites have changed, with some sources choosing to differentiate leak sites by LockBit version and others ignoring any differentiation. Over time, and through different evolutions of LockBit, the address and layout of LockBit leak sites have changed; they are aggregated here under the common denominator of the LockBit name. The introduction of LockBit 2.0 at the end of Q2 2021 had an immediate impact on the cybercriminal market because multiple RaaS operations shut down in May and June 2021 (e.g., DarkSide and Avaddon). LockBit competed with other RaaS operations, like Hive RaaS, to fill the gap in the cybercriminal market, leading to an influx of LockBit affiliates. Figure 2 shows the alleged number of victims worldwide on LockBit leak sites starting in Q3 2020.
Figure 2: Alleged Number of Victims Worldwide on LockBit Leak Sites
During their intrusions, LockBit affiliates have been observed using various freeware and open-source tools that are intended for legal use. When repurposed by LockBit, these tools are used for a range of malicious cyber activity, such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and batch scripts is observed across most intrusions, focused on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.
Table 4 shows a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware operations. The legitimate freeware and open-source tools mentioned in this product are all publicly available and legal. The use of these tools by a threat actor should not be attributed to the freeware and open-source tools, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.
Table 4: Freeware and Open-Source Tools Used by LockBit Affiliates
Tool | Intended Use | Repurposed Use by LockBit Affiliates | MITRE ATT&CK ID |
---|---|---|---|
7-zip | Compresses files into an archive. | Compresses data to avoid detection before exfiltration. | Impair Defenses |
AdFind | Searches Active Directory (AD) and gathers information. | Gathers AD information used to exploit a victim’s network, escalate privileges, and facilitate lateral movement. | AdFind |
Advanced Internet Protocol (IP) Scanner | Performs network scans and shows network devices. | Maps a victim’s network to identify potential access vectors. | Network Service Discovery |
Advanced Port Scanner | Performs network scans. | Finds open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports for exploitation. | Network Service Discovery |
AdvancedRun | Allows software to be run with different settings. | Enables escalation of privileges by changing settings before running software. | Privilege Escalation |
AnyDesk | Enables remote connections to network devices. | Enables remote control of a victim’s network devices. | Remote Access Software |
Atera Remote Monitoring & Management (RMM) | Enables remote connections to network devices. | Enables remote control of a victim’s network devices. | Remote Access Software |
Backstab | Terminates antimalware-protected processes. | Terminates endpoint detection and response (EDR)-protected processes. | Impair Defenses: Disable or Modify Tools |
Bat Armor | Generates .bat files using PowerShell scripts. | Bypasses PowerShell execution policy. | Impair Defenses: Disable or Modify Tools |
Bloodhound | Performs reconnaissance of AD for attack path management. | Enables identification of AD relationships that can be exploited to gain access onto a victim’s network. | Domain Trust Discovery |
Chocolatey | Handles command-line package management on Microsoft Windows. | Facilitates installation of LockBit affiliate actors’ tools. | Software Deployment Tools |
Defender Control | Disables Microsoft Defender. | Enables LockBit affiliate actors to bypass Microsoft Defender. | Impair Defenses: Disable or Modify Tools |
ExtPassword | Recovers passwords from Windows systems. | Obtains credentials for network access and exploitation. | Operating System (OS) Credential Dumping |
FileZilla | Performs cross-platform File Transfer Protocol (FTP) to a site, server, or host. | Enables data exfiltration over FTP to the LockBit affiliate actors’ site, server, or host. | Application Layer Protocol: File Transfer Protocols |
FreeFileSync | Facilitates cloud-based file synchronization. | Facilitates cloud-based file synchronization for data exfiltration. | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
GMER | Removes rootkits. | Terminates and removes EDR software. | Impair Defenses: Disable or Modify Tools |
Impacket | Collection of Python classes for working with network protocols. | Enables lateral movement on a victim’s network. | Impacket |
LaZagne | Recovers system passwords across multiple platforms. | Collects credentials for accessing a victim’s systems and network. | LaZagne |
Ligolo | Establishes SOCKS5 or TCP tunnels from a reverse connection for pen testing. | Enables connections to systems within the victim’s network via reverse tunneling. | Non-Application Layer Protocol |
LostMyPassword | Recovers passwords from Windows systems. | Obtains credentials for network access and exploitation. | OS Credential Dumping |
MEGA Ltd MegaSync | Facilitates cloud-based file synchronization. | Facilitates cloud-based file synchronization for data exfiltration. | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Microsoft Sysinternals ProcDump | Monitors applications for central processing unit (CPU) spikes and generates crash dumps during a spike. | Obtains credentials by dumping the contents of Local Security Authority Subsystem Service (LSASS). | OS Credential Dumping: LSASS Memory |
Microsoft Sysinternals PsExec | Executes a command-line process on a remote machine. | Enables LockBit affiliate actors to control a victim’s systems. | PsExec |
Mimikatz | Extracts credentials from a system. | Extracts credentials from a system for gaining network access and exploiting systems. | Mimikatz |
Ngrok | Enables remote access to a local web server by tunnelling over the internet. | Enables victim network protections to be bypassed by tunnelling to a system over the internet. | Ngrok |
PasswordFox | Recovers passwords from Firefox Browser. | Obtains credentials for network access and exploitation. | Credentials from Web Browsers |
PCHunter | Enables advanced task management including system processes and kernels. | Terminates and circumvents EDR processes and services. | Impair Defenses: Disable or Modify Tools |
PowerTool | Removes rootkits, as well as detecting, analyzing, and fixing kernel structure modifications. | Terminates and removes EDR software. | Impair Defenses: Disable or Modify Tools |
Process Hacker | Removes rootkits. | Terminates and removes EDR software. | Impair Defenses: Disable or Modify Tools |
PuTTY Link (Plink) | Automates Secure Shell (SSH) actions on Windows. | Enables LockBit affiliate actors to avoid detection. | Protocol Tunneling |
Rclone | Manages cloud storage files using a command-line program. | Facilitates data exfiltration over cloud storage. | Rclone |
Seatbelt | Performs numerous security-oriented checks. | Performs numerous security-oriented checks to enumerate system information. | System Information Discovery |
ScreenConnect (also known as ConnectWise) | Enables remote connections to network devices for management. | Enables LockBit affiliate actors to remotely connect to a victim’s systems. | Remote Access Software |
SoftPerfect Network Scanner | Performs network scans for systems management. | Enables LockBit affiliate actors to obtain information about a victim’s systems and network. | Network Service Discovery |
Splashtop | Enables remote connections to network devices for management. | Enables LockBit affiliate actors to remotely connect to systems over Remote Desktop Protocol (RDP). | Remote Services: Remote Desktop Protocol |
TDSSKiller | Removes rootkits. | Terminates and removes EDR software. | Impair Defenses: Disable or Modify Tools |
TeamViewer | Enables remote connections to network devices for management. | Enables LockBit affiliate actors to remotely connect to a victim’s systems. | Remote Access Software |
ThunderShell | Facilitates remote access via Hypertext Transfer Protocol (HTTP) requests. | Enables LockBit affiliate actors to remotely access systems while encrypting network traffic. | Application Layer Protocol: Web Protocols |
WinSCP | Facilitates file transfer using SSH File Transfer Protocol for Microsoft Windows. | Enables data exfiltration via the SSH File Transfer Protocol. | Exfiltration Over Alternative Protocol |
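The point the advisory makes about Table 4 is that none of these tools is malicious on its own, so a detection has to weigh context and sequence rather than alert on a binary name. As an added example (not code from the advisory or its authoring organizations), the Python below runs a watchlist built from Tables 4 and 10-16 over constructed process-creation records: it reports each hit, raises confidence only where the command line shows the repurposed use the advisory describes (ProcDump aimed at lsass.exe), and flags a host on which the discovery, credential-access and exfiltration phases all appear. The executable names in the watchlist are assumptions about how each tool usually appears on disk, and the log lines are constructed, not real telemetry.

```python
"""Watchlist detection for the dual-use tools in Table 4.

Added example, not code from the advisory or its authoring organizations.
Executable names are assumptions about how each tool usually appears on disk,
the tool-to-technique mapping follows Tables 4 and 10-16, and SAMPLE_LOG is a
set of constructed process-creation records, not real telemetry.
"""
import re
from collections import defaultdict

# executable (lowercase) -> (tool, ATT&CK technique as named in the advisory, tactic)
TOOL_WATCHLIST = {
    "adfind.exe":              ("AdFind",                     "Network Service Discovery",           "discovery"),
    "advanced_ip_scanner.exe": ("Advanced IP Scanner",        "Network Service Discovery",           "discovery"),
    "netscan.exe":             ("SoftPerfect Network Scanner","Network Service Discovery",           "discovery"),
    "procdump.exe":            ("ProcDump",                   "OS Credential Dumping: LSASS Memory", "credential-access"),
    "procdump64.exe":          ("ProcDump",                   "OS Credential Dumping: LSASS Memory", "credential-access"),
    "mimikatz.exe":            ("Mimikatz",                   "OS Credential Dumping",               "credential-access"),
    "psexec.exe":              ("PsExec",                     "System Services: Service Execution",  "execution"),
    "anydesk.exe":             ("AnyDesk",                    "Remote Access Software",              "command-and-control"),
    "rclone.exe":              ("Rclone",                     "Exfiltration to Cloud Storage",       "exfiltration"),
    "megasync.exe":            ("MegaSync",                   "Exfiltration to Cloud Storage",       "exfiltration"),
    "7z.exe":                  ("7-zip",                      "Archive via Utility",                 "collection"),
    "dcontrol.exe":            ("Defender Control",           "Impair Defenses: Disable or Modify Tools", "defense-evasion"),
}
# Tools that are routine for administrators on their own; their weight comes from the chain.
LOW_ALONE = {"7z.exe", "procdump.exe", "procdump64.exe"}

LOG_RE = re.compile(
    r'host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image="(?P<image>[^"]+)"\s+cmdline="(?P<cmd>[^"]*)"'
)

# Constructed Sysmon-style process-creation records (not real data).
SAMPLE_LOG = """\
host=WS-14 user=CORP\\jdoe image="C:\\Program Files\\7-Zip\\7z.exe" cmdline="7z.exe a report.7z Q3-report.docx"
host=WS-14 user=CORP\\jdoe image="C:\\Windows\\Temp\\adfind.exe" cmdline="adfind.exe -f objectcategory=computer"
host=WS-14 user=CORP\\jdoe image="C:\\Windows\\Temp\\procdump64.exe" cmdline="procdump64.exe -ma lsass.exe out.dmp"
host=WS-14 user=CORP\\jdoe image="C:\\Users\\jdoe\\AppData\\Local\\rclone\\rclone.exe" cmdline="rclone.exe copy D:\\Finance remote:share"
host=SRV-DB1 user=CORP\\svc_backup image="C:\\Tools\\procdump64.exe" cmdline="procdump64.exe -ma sqlservr.exe hang.dmp"
host=WS-22 user=CORP\\asmith image="C:\\Program Files\\7-Zip\\7z.exe" cmdline="7z.exe x photos.zip"
"""


def parse_events(text):
    """Turn log text into a list of dicts with host, user, image and cmd."""
    return [m.groupdict() for m in (LOG_RE.search(l) for l in text.splitlines()) if m]


def classify(event):
    """Return (tool, technique, tactic, confidence) for a watchlisted binary, else None."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    hit = TOOL_WATCHLIST.get(exe)
    if hit is None:
        return None
    tool, technique, tactic = hit
    if tool == "ProcDump" and "lsass" in event["cmd"].lower():
        confidence = "high"      # the repurposed use the advisory describes (Table 10)
    elif exe in LOW_ALONE:
        confidence = "low"       # legitimate on its own; only the sequence makes it interesting
    else:
        confidence = "medium"
    return tool, technique, tactic, confidence


def summarize(events):
    """Per host: distinct tactics seen, the hits, and whether the chain spans
    discovery, credential access and exfiltration (the sequence of Tables 11-15)."""
    per_host = defaultdict(lambda: {"tactics": set(), "hits": []})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        tool, technique, tactic, confidence = hit
        per_host[ev["host"]]["tactics"].add(tactic)
        per_host[ev["host"]]["hits"].append((tool, technique, confidence))
    report = {}
    for host, data in per_host.items():
        chain = {"discovery", "credential-access", "exfiltration"} <= data["tactics"]
        report[host] = {"tactics": sorted(data["tactics"]), "hits": data["hits"], "chain": chain}
    return report


if __name__ == "__main__":
    for host, entry in summarize(parse_events(SAMPLE_LOG)).items():
        flag = "CHAIN" if entry["chain"] else "     "
        print(f"{flag} {host}: {', '.join(entry['tactics'])}")
        for tool, technique, confidence in entry["hits"]:
            print(f"        {confidence:6} {tool} -> {technique}")
```

The backup host running ProcDump against a database process stays at low confidence, while the workstation that runs AdFind, dumps LSASS and then starts Rclone is flagged as a chain even though every single binary on it is a legitimate tool; that is the distinction the advisory's note on Table 4 asks defenders to draw.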
Based on secondary sources, affiliates have been noted exploiting older vulnerabilities such as CVE-2021-22986 (F5 iControl REST unauthenticated remote code execution), as well as newer vulnerabilities such as:
LockBit affiliates have been documented exploiting numerous CVEs, including:
For further information on these CVEs, see CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
When LockBit affiliates target an organization responsible for managing other organizations’ networks, CERT NZ has observed LockBit affiliates attempt secondary ransomware extortion after detonation of the LockBit variant on the primary target. Once the primary target is hit, LockBit affiliates then attempt to extort the companies that are customers of the primary target. This extortion is in the form of secondary ransomware that locks down services those customers consume. Additionally, the primary target’s customers may be extorted by LockBit affiliates threatening to release those customers’ sensitive information.
Tables 5-16 show the LockBit affiliate tactics and techniques referenced in this advisory.
Table 5: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Initial Access
Technique Title | ID | Use |
---|---|---|
Drive-by Compromise | T1189 | LockBit affiliates gain access to a system through a user visiting a website over the normal course of browsing. |
Exploit Public-Facing Application | T1190 | LockBit affiliates may exploit vulnerabilities (e.g., Log4Shell) in internet-facing systems to gain access to victims’ systems. |
External Remote Services | T1133 | LockBit affiliates exploit RDP to gain access to victims’ networks. |
Phishing | T1566 | LockBit affiliates use phishing and spearphishing to gain access to victims’ networks. |
Valid Accounts | T1078 | LockBit affiliates obtain and abuse credentials of existing accounts as a means of gaining initial access. |
Table 6: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Execution
Technique Title | ID | Use |
---|---|---|
Execution | TA0002 | LockBit 3.0 launches commands during its execution. |
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | LockBit affiliates use batch scripts to execute malicious commands. |
Software Deployment Tools | T1072 | LockBit affiliates may use Chocolatey, a command-line package manager for Windows. |
System Services: Service Execution | T1569.002 | LockBit 3.0 uses PsExec to execute commands or payloads. |
Table 7: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Persistence
Technique Title | ID | Use |
---|---|---|
Boot or Logon Autostart Execution | T1547 | LockBit affiliates enable automatic logon for persistence. |
Valid Accounts | T1078 | LockBit affiliates may use a compromised user account to maintain persistence on the target network. |
Table 8: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Privilege Escalation
Technique Title | ID | Use |
---|---|---|
Privilege Escalation | TA0004 | LockBit affiliates will attempt to escalate to the required privileges if current account privileges are insufficient. |
Abuse Elevation Control Mechanism | T1548 | LockBit affiliates may use ucmDccwCOM Method in UACMe, a GitHub collection of User Account Control (UAC) bypass techniques. |
Boot or Logon Autostart Execution | T1547 | LockBit affiliates enable automatic logon for privilege escalation. |
Domain Policy Modification: Group Policy Modification | T1484.001 | LockBit affiliates may create Group Policy for lateral movement and can force group policy updates. |
Valid Accounts | T1078 | LockBit affiliates may use a compromised user account to escalate privileges on a victim’s network. |
Table 9: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Defense Evasion
Technique Title | ID | Use |
---|---|---|
Execution Guardrails: Environmental Keying | T1480.001 | LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered. |
Impair Defenses: Disable or Modify Tools | T1562.001 | LockBit 3.0 affiliates use Backstab, Defender Control, GMER, PCHunter, PowerTool, Process Hacker, or TDSSKiller to disable EDR processes and services. LockBit 3.0 affiliates use Bat Armor to bypass the PowerShell execution policy. LockBit affiliates may deploy a batch script, 123.bat, to disable and uninstall antivirus software. LockBit 3.0 may modify and/or disable security tools, including EDR and antivirus, to avoid detection of malware, tools, and activities. |
Indicator Removal: Clear Windows Event Logs | | The LockBit executable clears the Windows Event Log files. |
Indicator Removal: File Deletion | T1070.004 | LockBit 3.0 will delete itself from the disk. |
Obfuscated Files or Information | T1027 | LockBit 3.0 will send encrypted host and bot information to its command and control (C2) servers. |
Obfuscated Files or Information: Software Packing | T1027.002 | LockBit affiliates may perform software packing or virtual machine software protection to conceal their code. Blister Loader has been used for this purpose. |
Table 10: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Credential Access
Technique Title | ID | Use |
---|---|---|
Brute Force | T1110 | LockBit affiliates may brute force VPN or RDP credentials to gain initial access. |
Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | LockBit 3.0 actors use PasswordFox to recover passwords from Firefox Browser. |
OS Credential Dumping | T1003 | LockBit 3.0 actors use ExtPassword or LostMyPassword to recover passwords from Windows systems. |
OS Credential Dumping: LSASS Memory | T1003.001 | LockBit affiliates may use Microsoft Sysinternals ProcDump to dump the contents of lsass.exe. LockBit affiliates have used Mimikatz to dump credentials. |
Table 11: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Discovery
Technique Title | ID | Use |
---|---|---|
Network Service Discovery | T1046 | LockBit affiliates use SoftPerfect Network Scanner, Advanced IP Scanner, or Advanced Port Scanner to scan target networks. LockBit affiliates may use SoftPerfect Network Scanner, Advanced Port Scanner, and AdFind to enumerate connected machines in the network. |
System Information Discovery | T1082 | LockBit affiliates will enumerate system information including hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. |
System Location Discovery: System Language Discovery | T1614.001 | LockBit 3.0 will not infect machines with language settings that match a defined exclusion list. |
Table 12: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Lateral Movement
Technique Title | ID | Use |
---|---|---|
Lateral Movement | TA0008 | LockBit affiliates will laterally move across networks and access domain controllers. |
Remote Services: Remote Desktop Protocol | T1021.001 | LockBit affiliates use Splashtop remote-desktop software to facilitate lateral movement. |
Remote Services: Server Message Block (SMB)/Admin Windows Shares | T1021.002 | LockBit affiliates may use Cobalt Strike and target SMB shares for lateral movement. |
Table 13: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Collection
Technique Title | ID | Use |
---|---|---|
Archive Collected Data: Archive via Utility | T1560.001 | LockBit affiliates may use 7-zip to compress and/or encrypt collected data prior to exfiltration. |
Table 14: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Command and Control
Technique Title | ID | Use |
---|---|---|
Application Layer Protocol: File Transfer Protocols | T1071.002 | LockBit affiliates may use FileZilla for C2. |
Application Layer Protocol: Web Protocols | T1071.001 | LockBit affiliates use ThunderShell as a remote access tool that communicates via HTTP requests. |
Non-Application Layer Protocol | T1095 | LockBit affiliates use Ligolo to establish SOCKS5 or TCP tunnels from a reverse connection. |
Protocol Tunneling | T1572 | LockBit affiliates use Plink to automate SSH actions on Windows. |
Remote Access Software | T1219 | LockBit 3.0 actors use AnyDesk, Atera RMM, ScreenConnect or TeamViewer for C2. |
Table 15: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Exfiltration
Technique Title | ID | Use |
---|---|---|
Exfiltration | TA0010 | LockBit affiliates use StealBit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network. |
Exfiltration Over Web Service | T1567 | LockBit affiliates use publicly available file sharing services to exfiltrate a target’s data. |
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | LockBit affiliates use (1) Rclone, an open-source command line cloud storage manager or FreeFileSync to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration. |
Table 16: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Impact
Technique Title | ID | Use |
---|---|---|
Data Destruction | T1485 | LockBit 3.0 deletes log files and empties the recycle bin. |
Data Encrypted for Impact | T1486 | LockBit 3.0 encrypts data on target systems to interrupt availability of system and network resources. LockBit affiliates can encrypt Windows and Linux devices, as well as VMware instances. |
Defacement: Internal Defacement | T1491.001 | LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively. |
Inhibit System Recovery | T1490 | LockBit 3.0 deletes volume shadow copies residing on disk. |
Service Stop | T1489 | LockBit 3.0 terminates processes and services. |
The authoring organizations recommend implementing the mitigations listed below to improve your organization’s cybersecurity posture and better defend against LockBit’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
The listed mitigations are ordered by MITRE ATT&CK tactic. Mitigations that apply to multiple MITRE ATT&CK tactics are listed under the tactic that occurs earliest in an incident’s lifecycle. For example, account use policies are mitigations for initial access, persistence, privilege escalation, and credential access, but they are listed under initial access mitigations.
Implementing multiple mitigations within a defense-in-depth approach can help protect against ransomware, such as LockBit. CERT NZ explains How ransomware happens and how to stop it by applying mitigations, or critical controls, to provide a stronger defense to detect, prevent, and respond to ransomware before an organization’s data is encrypted. By understanding the most common attack vectors, organizations can identify gaps in network defenses and implement the mitigations noted in this advisory to harden organizations against ransomware attacks. In Figure 3, a ransomware attack is broken into three phases:
Figure 3 shows the mitigations/critical controls, as various colored hexagons, working together to stop a ransomware attacker from accessing a network to steal and encrypt data. In the Initial Access phase, the mitigations that work together to deny an attacker network access are securing internet-exposed services, patching devices, implementing MFA, disabling macros, employing application allowlisting, and using logging and alerting. In the Consolidation and Preparation phase, the mitigations that work together to keep an attacker from accessing network devices are patching devices, using network segmentation, enforcing the principle of least privilege, implementing MFA, and using logging and alerting. Finally, in the Impact on Target phase, the mitigations that work together to deny or degrade an attacker’s ability to steal and/or encrypt data are using logging and alerting, using and maintaining backups, and employing application allowlisting.
Figure 3: Stopping Ransomware Using Layered Mitigations (figure legend: Critical Controls Key)
In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
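One practical way to track the testing the authoring organizations recommend is to keep the advisory's technique list as an ATT&CK Navigator layer scored by how far each technique's controls have been validated. The Python below is an added example (not code from the advisory or any of its authors): it takes the technique IDs from Tables 5-16, grouped by tactic in the order the advisory presents them, scores each one from a control-validation record, writes a Navigator layer, and lists the remaining gaps tactic by tactic. The VALIDATION record is constructed, and the layer fields follow the Navigator layer file format as the example's author knows it (layer format 4.4), so verify them against the Navigator version you run.

```python
"""Navigator layer and coverage gaps for the techniques mapped in Tables 5-16.

Added example, not code from the advisory or its authoring organizations.
The layer fields follow the ATT&CK Navigator layer format as this example's
author knows it (layer 4.4); VALIDATION is a constructed status record.
"""
import json

# Technique IDs from Tables 5-16, keyed by Navigator tactic name, earliest phase
# first. Tactic-level rows (TAxxxx) are omitted because a layer scores techniques.
ADVISORY_TECHNIQUES = {
    "initial-access":       ["T1189", "T1190", "T1133", "T1566", "T1078"],
    "execution":            ["T1059.003", "T1072", "T1569.002"],
    "persistence":          ["T1547", "T1078"],
    "privilege-escalation": ["T1548", "T1547", "T1484.001", "T1078"],
    "defense-evasion":      ["T1480.001", "T1562.001", "T1070.004", "T1027", "T1027.002"],
    "credential-access":    ["T1110", "T1555.003", "T1003", "T1003.001"],
    "discovery":            ["T1046", "T1082", "T1614.001"],
    "lateral-movement":     ["T1021.001", "T1021.002"],
    "collection":           ["T1560.001"],
    "command-and-control":  ["T1071.002", "T1071.001", "T1095", "T1572", "T1219"],
    "exfiltration":         ["T1567", "T1567.002"],
    "impact":               ["T1485", "T1486", "T1491.001", "T1490", "T1489"],
}

# Constructed control-validation record: "validated" = detection or prevention
# exercised in production, "partial" = a control exists but has not been tested
# at scale, anything absent = "untested".
VALIDATION = {
    "T1190": "validated", "T1133": "validated", "T1566": "validated",
    "T1078": "partial", "T1003.001": "validated", "T1562.001": "partial",
    "T1486": "validated", "T1490": "validated", "T1567.002": "untested",
}
STATUS_SCORE = {"validated": 100, "partial": 50, "untested": 0}


def build_layer(name, techniques_by_tactic, validation):
    """Return a Navigator layer (dict) with one entry per technique/tactic pair,
    so T1078 appears once under each tactic the advisory lists it under."""
    techniques = []
    for tactic, ids in techniques_by_tactic.items():
        for tid in ids:
            status = validation.get(tid, "untested")
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic,
                "score": STATUS_SCORE[status],
                "comment": f"LockBit advisory technique; control status: {status}",
                "enabled": True,
                "showSubtechniques": False,
            })
    return {
        "name": name,
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "LockBit advisory techniques scored by control validation status",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 100},
    }


def coverage_gaps(techniques_by_tactic, validation):
    """Techniques without a validated control, grouped by tactic, earliest phase first."""
    gaps = {}
    for tactic, ids in techniques_by_tactic.items():
        missing = [t for t in ids if validation.get(t, "untested") != "validated"]
        if missing:
            gaps[tactic] = missing
    return gaps


def coverage_ratio(techniques_by_tactic, validation):
    """(validated, total) counted over distinct technique IDs."""
    unique = {t for ids in techniques_by_tactic.values() for t in ids}
    validated = {t for t in unique if validation.get(t) == "validated"}
    return len(validated), len(unique)


if __name__ == "__main__":
    layer = build_layer("LockBit advisory control coverage", ADVISORY_TECHNIQUES, VALIDATION)
    with open("lockbit_coverage_layer.json", "w") as fh:
        json.dump(layer, fh, indent=2)
    for tactic, ids in coverage_gaps(ADVISORY_TECHNIQUES, VALIDATION).items():
        print(f"{tactic}: {', '.join(ids)}")
    print("validated %d of %d techniques" % coverage_ratio(ADVISORY_TECHNIQUES, VALIDATION))
```

Load the written JSON into Navigator and the untested techniques show red, the partially covered ones yellow; because the gap list keeps the advisory's tactic order, the first entries are the initial-access techniques, which is where the mitigation ordering in this advisory says to start.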
The authoring organizations do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the authoring organizations urge you to promptly report ransomware incidents to your country’s respective authorities.
The information in this report is being provided “as is” for informational purposes only. The authoring organizations do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.
[1] LockBit, BlackCat, and Royal Dominate the Ransomware Scene
[2] Ransomware Diaries: Volume 1
[3] What is LockBit ransomware and how does it operate?
[4] Ransomware Spotlight: LockBit
[5] Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant
[6] A first look at the builder for LockBit 3.0 Black
[7] LockBit ransomware gang releases LockBit Green version
[8] LockBit Ransomware Now Targeting Apple macOS Devices
[9] Apple’s Macs Have Long Escaped Ransomware. That May be Changing
[10] Intelligence agency says ransomware group with Russian ties poses ‘an enduring threat’ to Canada