LockBit Ransomware Group
Actor Type | Criminal Group |
---|---|
The LockBit Ransomware Group operates a 'Ransomware-as-a-Service' offering which first emerged around 2019. According to reports, the first version of LockBit ransomware was released in 2019 and was originally known as 'ABCD'; subsequent versions include LockBit 2.0, LockBit 3.0 and LockBit Green. In 2022 the LockBit builder was leaked, which spawned multiple other ransomware strains including 'Bl00dy', 'Darkrace' and 'Brain Spider'.
In February 2024, the group's operations were targeted in a disruption campaign named 'Operation Cronos' by the UK's National Cyber Security Agency, the FBI and international law enforcement partners.
The group has targeted thousands of victims and caused losses amounting to billions of dollars. Victims have been observed across multiple sectors including healthcare, education, government and manufacturing.
LockBit Ransomware Group Threat Reports
#StopRansomware: LockBit 3.0
This #StopRansomware Cybersecurity Advisory from CISA and partners describes the operations associated with LockBit 3.0 which operates as a ...
References
https://blog.talosintelligence.com/ransomware-affiliate-model/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
https://news.sky.com/story/lockbit-ransomware-gangs-origins-tactics-and-past-targets-and-what-next-after-policing-breakthrough-13075988
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group
https://unit42.paloaltonetworks.com/lockbit-2-ransomware/
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1003.001 | LSASS Memory | Credential Access |
T1486 | Data Encrypted for Impact | Impact |
T1070.004 | File Deletion | Defense Evasion |
T1490 | Inhibit System Recovery | Impact |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1489 | Service Stop | Impact |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1190 | Exploit Public-Facing Application | Initial Access |
T1614.001 | System Language Discovery | Discovery |
T1491.001 | Internal Defacement | Impact |
T1133 | External Remote Services | Initial Access, Persistence |
T1566 | Phishing | Initial Access |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation |
T1046 | Network Service Discovery | Discovery |
T1480.001 | Environmental Keying | Defense Evasion |
T1572 | Protocol Tunneling | Command and Control |
T1071.002 | File Transfer Protocols | Command and Control |
T1189 | Drive-by Compromise | Initial Access |
T1082 | System Information Discovery | Discovery |
T1485 | Data Destruction | Impact |