LockBit Ransomware

Chris Swagler | February 2nd, 2024


According to a cybersecurity company’s report, the LockBit ransomware strain is the biggest digital extortion threat to all areas and practically all global industries. Researchers discovered that LockBit was used in more than a quarter of global ransomware and digital extortion (R&DE) attacks analyzed from January 2022 to September 2023. During the period, it included 30% of all R&DE attacks in Europe and 25% in North America. However, the cybersecurity company stated that the overall proportion of cyberattacks that LockBit accounts for is decreasing. It’s most likely because the R&DE landscape is becoming more diverse, with ransomware-as-a-service (RaaS) offerings decreasing the hurdles to entry for threat actors.

The researchers stated that LockBit has historically been under-deployed in North America in comparison to other regions, including Europe. On average, 40% of LockBit victims were from North America; however, there is an indication that this share is rising, with 50% projected by the end of 2023. Manufacturing, construction, retail, legal and consulting, and healthcare were the industries most frequently targeted by LockBit in North America between January 2022 and September 2023. LockBit accounted for 43.41% of R&DE attacks in Q1 2022; by Q3 2023 that share had fallen to 28.48%.

Because of the multiplicity of LockBit operators, various intrusion tactics were used to deploy the payload. The following were the key techniques identified:

  • Exploitation of Internet-Facing Applications – This largely consisted of remote code execution and privilege escalation vulnerabilities.
  • Phishing Attacks – To gain access to victims’ networks, LockBit affiliates used various phishing tactics, including attaching malicious documents and sending fake resumes and copyright-related emails.
  • External Remote Services – Threat actors use valid user credentials obtained through credential harvesting to access external-facing remote working services.
  • Drive-By Compromises – Threat operators have been observed gaining access when users visit compromised websites, typically through attacks targeting the users’ web browsers.
  • Exploitation of Valid Accounts – Threat actors routinely use compromised credentials to circumvent access controls, establish persistence, escalate privileges, and avoid detection.

Even though the number of R&DE attacks LockBit accounts for is decreasing, the cybersecurity company believes the strain will continue to be one of the biggest threats against all industries in all locations. Additionally, LockBit affiliates are shifting their focus to companies that are likely to pay ransomware demands, including professional services, education, and financial sector companies.

The LockBit ransomware strain was discovered in September and is distributed as a RaaS offering. It is popular among various threat actors due to its speed and worm-like features that allow self-propagation throughout compromised networks. The strain is thought to be responsible for numerous recent high-profile ransomware attacks, including those on Royal Mail, Boeing, and the Industrial and Commercial Bank of China (ICBC). According to a June 2023 report, LockBit was the most active ransomware strain by total victims from January to May 2023.

With more ransomware groups becoming global threats to all industries, companies need to remain vigilant of the latest threat landscape and regularly update their networks’ security infrastructure. At SpearTip, our engineers and analysts continuously monitor companies’ data networks for potential ransomware threats at our 24/7/365 Security Operations Center and are ready to respond to incidents at a moment’s notice. Our IR planning engages a three-phase approach, which includes pre-incident, active incident, and post-incident planning processes. In the pre-incident phase, SpearTip identifies key stakeholders and decision-makers, critical data, and potential access points and then engages in a live test, after which we offer remediation guidance. During an incident, we assist in developing a communications plan designed to detect and isolate the precise threat with a customized strategy map. The post-incident planning process includes a root cause and investigative audit, improvement analysis, and backup recovery. Our ShadowSpear Platform, an integrable managed detection and response tool, uses comprehensive insights through unparalleled data normalization and visualization to expose sophisticated unknown and advanced threats.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
