| Names | LockBit Gang (?) |
| Country | [Unknown] |
| Motivation | Financial gain |
| First seen | 2019 |
| Description | (Bleeping Computer) LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network.
Joining the ransomware-as-a-service (RaaS) business in September 2019, LockBit is atypical in that it’s driven by automated processes for quick spreading across the victim network, identifying valuable systems and locking them up.
LockBit attacks leave few traces for forensic analysis as the malware loads into the system memory, with logs and supporting files removed upon execution. |
| Observed | Sectors: Aviation, Defense, Energy, Financial, Healthcare, Transportation.
Countries: Australia, Chile, China, France, Germany, India, Indonesia, Italy, Taiwan, Thailand, UK, Ukraine, USA. |
| Tools used | CrackMapExec, EmpireProject, LockBit. |
| Operations performed | May 2020 | LockBit ransomware self-spreads to quickly encrypt 225 systems
<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-self-spreads-to-quickly-encrypt-225-systems/> |
| Aug 2020 | Interpol: Lockbit ransomware attacks affecting American SMBs
<https://www.bleepingcomputer.com/news/security/interpol-lockbit-ransomware-attacks-affecting-american-smbs/> |
| Sep 2020 | LockBit ransomware launches data leak site to double-extort victims
<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-launches-data-leak-site-to-double-extort-victims/> |
| Dec 2020 | Ransomware hits helicopter maker Kopter
<https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/> |
| Apr 2021 | UK rail network Merseyrail likely hit by Lockbit ransomware
<https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/> |
| Jun 2021 | LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK
<https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html> |
| Aug 2021 | Energy group ERG reports minor disruptions after ransomware attack
<https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/> |
| Aug 2021 | LockBit ransomware recruiting insiders to breach corporate networks
<https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/> |
| Aug 2021 | LockBit 2.0 ransomware incidents in Australia
<https://www.cyber.gov.au/acsc/view-all-content/alerts/lockbit-20-ransomware-incidents-australia> |
| Aug 2021 | Accenture confirms hack after LockBit ransomware data leak threats
<https://www.bleepingcomputer.com/news/security/accenture-confirms-hack-after-lockbit-ransomware-data-leak-threats/> |
| Aug 2021 | LockBit Ransomware Wants to Hire Your Employees
<https://www.cybereason.com/blog/lockbit-ransomware-wants-to-hire-your-employees> |
| Aug 2021 | Bangkok Air confirms passenger PII leak after ransomware attack
<https://therecord.media/bangkok-air-confirms-passenger-pii-leak-after-ransomware-attack/> |
| Sep 2021 | LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment
<https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/> |
| Oct 2021 | LockBit 2.0 ransomware hit Israeli defense firm E.M.I.T. Aviation Consulting
<https://securityaffairs.co/wordpress/122892/cyber-crime/e-m-i-t-aviation-consulting-ransomware.html> |
| Nov 2021 | BlackMatter ransomware moves victims to LockBit after shutdown
<https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/> |
| Information | <https://www.bleepingcomputer.com/news/security/lockbit-ransomware-moves-quietly-on-the-network-strikes-fast/> |
APT group: LockBit Gang
