CISA Alert AA23-165A – Understanding Ransomware Threat Actors: LockBit.

This is a CISA Cybersecurity Alert.

ID number Alpha Alpha Two Three tack One Six Five Alpha.

Original release date: June 14th, 2023.

CISA, FBI, the Multi-State Information Sharing and Analysis Center, and international partners are releasing this Cybersecurity Advisory to detail LockBit ransomware incidents and provide recommended mitigations to enable network defenders to proactively improve their organization’s defenses against this ransomware operation.

In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

LockBit ransomware functions as a Ransomware-as-a-Service model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures. This variance presents a notable challenge for organizations working to maintain network security and protect against this ransomware threat.

The authors encourage organizations to implement the recommendations in the Mitigations section of this alert to reduce the likelihood and impact of similar incidents. The alert documentation linked in the show notes includes additional technical details, IOCs, mitigations, a comprehensive list of resources, and response and reporting recommendations.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by N2K Networks as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations.

A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.