By Cam Sivesind
Thu | Jun 15, 2023 | 11:54 AM PDT

The FBI, U.S. CISA, and MS-ISAC—along with the cybersecurity authorities in six countries—have published a joint Cybersecurity Advisory entitled, "Understanding Ransomware Threat Actors: LockBit." It is a comprehensive resource with common tools, exploitations, and tactics, techniques, and procedures (TTPs) used by LockBit affiliates, along with recommended mitigations for organizations to reduce the likelihood and impact of future ransomware incidents.

LockBit, the most globally used and prolific Ransomware-as-a-Service in 2022 and 2023, has been and is being used by threat actors to attack organizations of various sizes across a wide array of critical infrastructure sectors.

According to the advisory summary:

"In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat."

Along with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC), the following authoring organizations encourage the implementation of the recommendations found in the advisory to reduce the likelihood and impact of future ransomware incidents:

  • Australian Cyber Security Centre (ACSC)
  • Canadian Centre for Cyber Security (CCCS)
  • United Kingdom's National Cyber Security Centre (NCSC-UK)
  • National Cybersecurity Agency of France (ANSSI)
  • Germany's Federal Office for Information Security (BSI)
  • New Zealand's Computer Emergency Response Team (CERT NZ) and National Cyber Security Centre (NCSC NZ) 

In a news release, a representative from each organization provided input on the new advisory:

Eric Goldstein, CISA Executive Assistant Director for Cybersecurity:

"Working with our U.S. and international partners, CISA is focused on reducing the prevalence of ransomware intrusions and their impacts, which include applying lessons learned from prior ransomware incidents that have affected far too many organizations. This joint advisory on LockBit is another example of effective collaboration with our partners to provide timely and actionable resources to help all organizations understand and defend against this ransomware activity. As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur."

Bryan Vorndran, Assistant Director of the FBI's Cyber Division:

"The FBI relentlessly pursues ransomware actors who continue to exploit vulnerable cyber ecosystems. We are better positioned to combat this type of malicious activity through coordination and collaboration with our federal and international partners, which are key to better mitigating and preventing harm against the American public and our allies. The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit. If you believe you are the victim of a cyber crime, please contact your local FBI field office."

Abigail Bradshaw, Head of the Australian Cyber Security Centre (ACSC):

"LockBit is one of the most prolific and disruptive ransomware variants, having been used by cybercriminals against multiple sectors and organisations worldwide, including in Australia. With ransomware variants constantly evolving, this advice can help organisations strengthen and defend their networks."

Sami Khoury, Head of the Canadian Centre for Cyber Security:

"The Canadian Centre for Cyber Security (part of the Communications Security Establishment) joins its international partners in sharing this important resource to shed some light on LockBit, one of the most deployed ransomware variants across the world, that has been used to target our critical infrastructure. Arming organizations with this knowledge will enable them to better understand, recognize and face this threat, making the cyber ecosystem safer for everyone."

Paul Chichester, Director of Operations for the United Kingdom's National Cyber Security Centre (NCSC):

"Ransomware remains a major threat to businesses worldwide, including in the UK, and the LockBit operation has been the most active, with widespread consequences. It is essential for organisations to understand the serious consequences that ransomware attacks can have on their operations, finances and reputation. This advisory, issued with our international partners, emphasises the importance of network defenders taking the recommended actions to establish effective protections against such attacks."

Dr. Gerhard Schabhueser, Acting President for Germany's Federal Office for Information Security (BSI):

"Ransomware is one of the most severe cyber threats for government, businesses and society. Amongst those actors guided by financial motivations, the Ransomware-as-a-Service LockBit is currently the most menacing in Germany as well as globally. We reiterate our call to all organizations to take appropriate action and increase their resilience."

Vincent Strubel, Director General of National Cybersecurity Agency of France (ANSSI):

"We all face the same devastating cybercriminal threat posed by ransomwares. Therefore, we need to raise the level of cyber security of hospitals, public authorities, local administrations, companies, and help them protect themselves. The publication of this advisory contributes to this goal. It foremost demonstrates our shared desire to strengthen our relation with our close international partners to address this common challenge of massification and industrialization of this threat."

Lisa Fong, Deputy Director General of New Zealand's National Cyber Security Centre (NCSC):

"The National Cyber Security Centre (NCSC), part of New Zealand's Government Communications Security Bureau, shares international partners' focus on addressing ransomware. The NCSC welcomes this advisory which reflects the experience of our partners and the NCSC’s learnings from helping organisations address LockBit's impact in New Zealand. These combined learnings will help ensure organisations have the best information to increase their resilience to the threat from ransomware. Helping build cyber security resilience through sharing of cyber threat information is a key part of the NCSC's focus and we encourage all readers to apply the mitigations set in this advisory."

Rob Pope of New Zealand's Computer Emergency Response Team (CERT-NZ) said that businesses in New Zealand need to be aware of this and take action:

"Ransomware is one of the most devastating things that can happen to an organisation and we need to ensure that our countries are resilient to these attacks."

All organizations are urged to promptly report cyber incidents, including ransomware, to their country's respective authorities. In the U.S., report incidents and anomalous activity to a local FBI Field Office or to CISA's 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, 888-282-0870.
