What Is LockBit Ransomware?
Cybervie
LockBit ransomware operates under a Ransomware-as-a-Service (RaaS) model in which
affiliates use purchased access, unpatched weaknesses, or potentially insider information
to breach systems. The attack unfolds in two stages: initial compromise and intelligence
gathering, followed by encryption with a strong cipher. LockBit uses double extortion,
stealing data alongside encryption and threatening to leak it if the ransom isn't paid.
This can lead to complete data loss, operational disruption, and reputational damage.
Defense involves strong endpoint security, prompt patching, multi-factor authentication,
following the 3-2-1 backup rule, and an incident response plan with segmentation to limit
spread. Cybersecurity professionals must stay updated on LockBit's tactics and the
evolving threat landscape.
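An added example, not part of the original document: a small audit of a backup inventory against the 3-2-1 rule named above (three copies, two media types, one offsite). The inventory records and field names are constructed assumptions, and the check treats copies on the same storage target as a single copy.

```python
from collections import defaultdict

# Constructed inventory, one record per stored copy (production included).
# Field names and values are assumptions for illustration.
INVENTORY = [
    {"dataset": "finance-db", "target": "san-01", "medium": "disk", "site": "hq", "production": True},
    # Snapshot kept on the same array as production: not an independent copy.
    {"dataset": "finance-db", "target": "san-01", "medium": "disk", "site": "hq", "production": False},
    {"dataset": "finance-db", "target": "nas-02", "medium": "disk", "site": "hq", "production": False},
    {"dataset": "hr-share", "target": "fs-01", "medium": "disk", "site": "hq", "production": True},
    {"dataset": "hr-share", "target": "nas-02", "medium": "disk", "site": "hq", "production": False},
    {"dataset": "hr-share", "target": "tape-lib", "medium": "tape", "site": "vault", "production": False},
]


def audit_321(inventory):
    """Return {dataset: [gaps]}; an empty list means the dataset meets 3-2-1."""
    by_dataset = defaultdict(list)
    for rec in inventory:
        by_dataset[rec["dataset"]].append(rec)

    report = {}
    for name, records in sorted(by_dataset.items()):
        gaps = []
        # Copies on one storage target are lost together, so count targets.
        targets = {r["target"] for r in records}
        if len(targets) < 3:
            gaps.append(f"{len(targets)} independent copies, need 3")
        media = {r["medium"] for r in records}
        if len(media) < 2:
            gaps.append(f"{len(media)} media type(s), need 2")
        # Offsite means a site that does not also host the production copy.
        prod_sites = {r["site"] for r in records if r["production"]}
        if not prod_sites:
            gaps.append("no production copy recorded")
        elif not any(r["site"] not in prod_sites for r in records):
            gaps.append("no offsite copy")
        report[name] = gaps
    return report


if __name__ == "__main__":
    for dataset, gaps in audit_321(INVENTORY).items():
        print(dataset, "OK" if not gaps else "; ".join(gaps))
```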
LockBit ransomware has been implicated in more cyberattacks this year than any other
ransomware, making it the most active ransomware in the world. And while the average
ransomware payment is nearly $1 million per incident, LockBit victims pay an average ransom
of approximately $85,000, indicating that LockBit targets small-to-medium-sized
organizations. LockBit was first observed in September 2019. Since then, it has evolved:
LockBit 2.0 appeared in 2021; LockBit 3.0, the current version, was discovered in June 2022.

LockBit seeks initial access to target networks primarily through purchased access,
unpatched vulnerabilities, insider access, and zero-day exploits. “Second-stage” LockBit
establishes control of a victim's system, collects network information, and achieves primary
goals such as stealing and encrypting data. LockBit attacks typically employ a double
extortion tactic to encourage victims to pay: first to regain access to their encrypted
files, and then again to prevent their stolen data from being posted publicly.

When LockBit is used as a Ransomware-as-a-Service (RaaS), an Initial Access Broker (IAB)
deploys first-stage malware or otherwise gains access within a target organization’s
infrastructure. The IAB then sells that access to the primary LockBit operator for
second-stage exploitation.
LockBit 2.0 Targets
LockBit 2.0 primarily targets Windows systems, although some newer variations have
been modified to attack Linux-based data center virtualization environments, including
VMware ESXi virtual machines. The malware is designed to attack victims in the United
States, Canada, Europe, Asia, and Latin America. LockBit 2.0 ignores systems in the
Commonwealth of Independent States and most Eastern European nations, with the notable
exception of Ukraine. LockBit typically targets mid-sized organizations. This may be due to
LockBit’s unique RaaS model, which makes it easy for a disgruntled insider to act as an IAB,
set their price, and collect ransom directly.