Names | LockBit Gang (?) |
Country | [Unknown] |
Motivation | Financial gain |
First seen | 2019 |
Description | (Bleeping Computer) LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network.
Joining the ransomware-as-a-service (RaaS) business in September 2019, LockBit is atypical in that it’s driven by automated processes for quick spreading across the victim network, identifying valuable systems and locking them up.
LockBit attacks leave few traces for forensic analysis as the malware loads into the system memory, with logs and supporting files removed upon execution. |
Observed | Sectors: Aviation, Defense, Energy, Financial, Healthcare, Transportation. Countries: Australia, Brazil, Chile, China, France, Germany, India, Indonesia, Italy, Taiwan, Thailand, UK, Ukraine, USA. |
Tools used | CrackMapExec, EmpireProject, LockBit, Mimikatz, PsExec. |
Operations performed |
May 2020 | LockBit ransomware self-spreads to quickly encrypt 225 systems <https://www.bleepingcomputer.com/news/security/lockbit-ransomware-self-spreads-to-quickly-encrypt-225-systems/> |
Aug 2020 | Interpol: Lockbit ransomware attacks affecting American SMBs <https://www.bleepingcomputer.com/news/security/interpol-lockbit-ransomware-attacks-affecting-american-smbs/> |
Sep 2020 | LockBit ransomware launches data leak site to double-extort victims <https://www.bleepingcomputer.com/news/security/lockbit-ransomware-launches-data-leak-site-to-double-extort-victims/> |
Dec 2020 | Ransomware hits helicopter maker Kopter <https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/> |
Apr 2021 | UK rail network Merseyrail likely hit by Lockbit ransomware <https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/> |
Jun 2021 | LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK <https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html> |
Aug 2021 | Energy group ERG reports minor disruptions after ransomware attack <https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/> |
Aug 2021 | LockBit ransomware recruiting insiders to breach corporate networks <https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/> |
Aug 2021 | LockBit 2.0 ransomware incidents in Australia <https://www.cyber.gov.au/acsc/view-all-content/alerts/lockbit-20-ransomware-incidents-australia> |
Aug 2021 | Accenture confirms hack after LockBit ransomware data leak threats <https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/> |
Aug 2021 | LockBit Ransomware Wants to Hire Your Employees <https://www.cybereason.com/blog/lockbit-ransomware-wants-to-hire-your-employees> |
Aug 2021 | Bangkok Air confirms passenger PII leak after ransomware attack <https://therecord.media/bangkok-air-confirms-passenger-pii-leak-after-ransomware-attack/> |
Sep 2021 | LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment <https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/> |
Oct 2021 | LockBit 2.0 ransomware hit Israeli defense firm E.M.I.T. Aviation Consulting <https://securityaffairs.co/wordpress/122892/cyber-crime/e-m-i-t-aviation-consulting-ransomware.html> |
Nov 2021 | BlackMatter ransomware moves victims to LockBit after shutdown <https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/> |
Jan 2022 | Infamous ransomware group claims it hacked France’s Justice Ministry <https://www.politico.eu/article/infamous-ransomware-group-claims-it-hacked-frances-justice-ministry/> |
Jan 2022 | LockBit ransomware gang claims PayBito crypto exchange as new victim <https://www.hackread.com/lockbit-ransomware-paybito-crypto-exchange-hack/> |
Feb 2022 | Bridgestone Americas confirms ransomware attack, LockBit leaks data <https://www.bleepingcomputer.com/news/security/bridgestone-americas-confirms-ransomware-attack-lockbit-leaks-data/> |
Apr 2022 | Rio de Janeiro finance department hit with LockBit ransomware <https://therecord.media/rio-de-janeiro-finance-department-hit-with-lockbit-ransomware/> |
Apr 2022 | Lockbit, Hive, and BlackCat attack automotive supplier in triple ransomware attack <https://news.sophos.com/en-us/2022/08/10/lockbit-hive-and-blackcat-attack-automotive-supplier-in-triple-ransomware-attack/> |
May 2022 | LockBit 2.0 posted a notice to the dark web portal it uses to identify and extort its victims saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. <https://www.cyberscoop.com/lockbit-ransomware-attack-bulgarian-refugee-agency/> |
May 2022 | Canadian fighter jet training company investigating ransomware attack <https://therecord.media/top-aces-ransomware-attack-lockbit/> |
May 2022 | Foxconn confirms ransomware attack disrupted production in Mexico <https://www.bleepingcomputer.com/news/security/foxconn-confirms-ransomware-attack-disrupted-production-in-mexico/> |
Jun 2022 | Mandiant: “No evidence” we were hacked by LockBit ransomware <https://www.bleepingcomputer.com/news/security/mandiant-no-evidence-we-were-hacked-by-lockbit-ransomware/> |
Jun 2022 | LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed <https://asec.ahnlab.com/en/35822/> |
Jun 2022 | LockBit claims ransomware attack on security giant Entrust, leaks data <https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-security-giant-entrust-leaks-data/> |
Jun 2022 | LockBit 3.0 introduces the first ransomware bug bounty program <https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/> |
Jul 2022 | French telecom company La Poste Mobile struggling to recover from ransomware attack <https://therecord.media/french-telecom-company-la-poste-mobile-struggling-to-recover-from-ransomware-attack/> |
Jul 2022 | Ransomware gang now lets you search their stolen data <https://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/> |
Jul 2022 | LockBit claims ransomware attack on Italian tax agency <https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-italian-tax-agency/> |
Jul 2022 | The prolific Lockbit ransomware gang appears to have claimed another two scalps in recent days: the Canadian town of St Marys and the Italian tax agency. <https://www.infosecurity-magazine.com/news/lockbit-ramps-up-attacks-on-public/> |
Aug 2022 | LockBit ransomware gang gets aggressive with triple-extortion tactic <https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/> |
Sep 2022 | LockBit updates leak site with post about Sud-Francilien hospital <https://www.databreaches.net/lockbit-updates-leak-site-with-post-about-sud-francilien-hospital/> |
Sep 2022 | Virginia County Confirms Personal Information Stolen in Ransomware Attack <https://www.securityweek.com/virginia-county-confirms-personal-information-stolen-ransomware-attack> |
Oct 2022 | Microsoft Exchange servers hacked to deploy LockBit ransomware <https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware/> |
Oct 2022 | Japanese tech firm Oomiya hit by LockBit 3.0. Multiple supply chains potentially impacted <https://securityaffairs.co/wordpress/137243/cyber-crime/oomiya-lockbit-3-0-ransomware.html> |
Oct 2022 | Pendragon car dealer refuses $60 million LockBit ransomware demand <https://www.bleepingcomputer.com/news/security/pendragon-car-dealer-refuses-60-million-lockbit-ransomware-demand/> |
Nov 2022 | LockBit ransomware claims attack on Continental automotive giant <https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-attack-on-continental-automotive-giant/> |
Nov 2022 | LockBit 3.0 gang claims to have stolen data from Kearney & Company <https://securityaffairs.co/wordpress/138136/cyber-crime/lockbit-ransomware-kearney-company.html> |
Nov 2022 | LockBit 3.0 Says It's Holding a Canadian City for Ransom <https://www.bankinfosecurity.com/lockbit-30-says-its-holding-canadian-city-for-ransom-a-20529> |
Dec 2022 | LockBit claims attack on California's Department of Finance <https://www.bleepingcomputer.com/news/security/lockbit-claims-attack-on-californias-department-of-finance/> |
Dec 2022 | LockBit ransomware used in attack on Ohio town’s court, police department and more <https://therecord.media/lockbit-ransomware-group-attacks-ohio-towns-court-police-department-and-more/> |
Dec 2022 | Port of Lisbon website still down as LockBit gang claims cyberattack <https://therecord.media/port-of-lisbon-website-still-down-as-lockbit-gang-claims-cyberattack/> |
Counter operations |
Aug 2022 | LockBit ransomware blames Entrust for DDoS attacks on leak sites <https://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/> |
Sep 2022 | LockBit ransomware builder leaked online by “angry developer” <https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/> |
Nov 2022 | Man Charged for Participation in LockBit Global Ransomware Campaign <https://www.justice.gov/opa/pr/man-charged-participation-lockbit-global-ransomware-campaign> |
Information | <https://www.bleepingcomputer.com/news/security/lockbit-ransomware-moves-quietly-on-the-network-strikes-fast/> |