LockBit ransomware advisory from CISA provides interesting insights

The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, France, and New Zealand (CERT NZ, NCSC-NZ) have all published a joint Cybersecurity Advisory about LockBit.

To help organizations understand and defend against this global threat and its large number of unconnected LockBit affiliates, the advisory titled Understanding Ransomware Threat Actors: LockBit includes:

  • A list of approximately 30 freeware and open-source tools used by LockBit actors
  • Over 40 of their TTPs mapped to MITRE ATT&CK
  • Observed common vulnerabilities and exposures (CVEs) used for exploitation
  • An evolution of LockBit RaaS (Ransomware as a Service) along with worldwide trends and statistics
  • Resources and services available from authoring agencies and recommended mitigations to help protect against the worldwide LockBit activity

The advisory points out that in 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on its data leak site.

This confirms Malwarebytes' findings that LockBit is the most active Ransomware-as-a-Service operator. In our monthly Ransomware Reviews, LockBit often ranks top for victim count, although Cl0p is a close rival. Cl0p has switched to a different modus operandi, where the gang acquires a vulnerability in popular business tools, develops an exploitation method, and then uses it on every vulnerable instance it can find. Because of this, its attacks come in waves, while LockBit's are more constant.

One of the advantages of being a RaaS operator is the diversity of attack vectors that the initial access brokers (IABs) bring to the table. Some specialize in malspam, while others use known vulnerabilities against organizations that are behind on patches, or try to brute force Internet-facing systems like VPNs, RDP, or SSH. So when one affiliate has a bad month, another is likely to compensate.

This variety has another downside for the defenders. The advisory states:

“Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.”

A disadvantage for operators of a RaaS model is the mutual trust that is needed. Among anonymous criminals, establishing that trust must prove to be an exceptional challenge, which is very likely the reason why many other RaaS operators like DarkSide and Avaddon shut down.

The geographical distribution of the IABs is also grounds for some remarkable differences. Some of the participating countries provided their own statistics for LockBit’s share in ransomware attacks, with Australia noting that in the last year the gang made up 18% of total reported ransomware incidents. In Canada (22%) and New Zealand (23%), LockBit was responsible for over one in every five attacks in 2022.

France said 11% of the attacks it has seen since 2020 involved LockBit. In the US, however, the main target of almost every commercial ransomware group, LockBit is responsible for 16% of attacks on public entities, which include municipal and county governments, public higher education and K-12 schools, as well as vital services like law enforcement agencies.

The advisory also provides long lists of the legitimate tools, vulnerabilities, tactics, and techniques deployed by the LockBit affiliates. As we said, due to the number (over 100) and diversity of the affiliates, these lists are long and subject to change.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.