The infamous LockBit ransomware variant has made extortionists close to $100m from US victims alone since January 2020, allied security agencies revealed in a new advisory yesterday.
The US Cybersecurity and Infrastructure Security Agency (CISA), UK National Cyber Security Centre (NCSC) and their Australian, New Zealand, Canadian, French and German equivalents penned the document after warning of the continued threat posed by the collective.
In fact, they claimed LockBit was the most deployed ransomware of 2022 and continues to be prolific to this day. It has accounted for around 1700 attacks in the US alone since 2020, the document noted.
Since January 2020, affiliates of the ransomware-as-a-service outfit have targeted organizations of varying sizes and in multiple critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing and transportation, the agencies said.
The advisory offered technical details on how the ransomware and its leak site have evolved over time, including the freeware and open-source tools typically used in post-intrusion activity, CVEs exploited and how secondary ransomware attacks work when upstream supply chain victims are targeted.
There is also a handy list of MITRE ATT&CK tactics and techniques, mitigations and resources for further reading.
Paul Chichester, NCSC director of operations, warned that LockBit activity has had widespread consequences.
“It is essential for organizations to understand the serious consequences that ransomware attacks can have on their operations, finances and reputation,” he added.
“This advisory, issued with our international partners, emphasises the importance of network defenders taking the recommended actions to establish effective protections against such attacks.”
The news comes as the deadline imposed by the Clop gang on victims of its MOVEit data theft extortion campaign passed yesterday.
According to ReliaQuest, the group named its first batch of 12 victims yesterday, although the threat intelligence firm claimed no stolen data had been published on the leak site at the time of writing.