The UK’s National Cyber Security Centre (NCSC) has once again teamed up with its foreign counterparts, issuing a new joint advisory warning of the “enduring threat” posed by the LockBit ransomware gang, which, while its activity levels seem to have tapered off in the past few weeks, remains one of the most prolific threat actors in the world.
This is the latest in a series of multilateral advisories to be issued by the national cyber agencies of the so-called Five Eyes intelligence alliance – comprising the UK, Australia, Canada, New Zealand and the US – but this time, the National Cybersecurity Agency of France (ANSSI) and Germany’s Federal Office for Information Security (BSI) have also chimed in.
“Ransomware remains a major threat to businesses worldwide, including in the UK, and the Lockbit operation has been the most active, with widespread consequences,” said NCSC operations director Paul Chichester.
“It is essential for organisations to understand the serious consequences that ransomware attacks can have on their operations, finances and reputation. This advisory, issued with our international partners, emphasises the importance of network defenders taking the recommended actions to establish effective protections against such attacks.”
Eric Goldstein, executive assistant director for cyber security at the US Cybersecurity and Infrastructure Security Agency (CISA), added: “Working with our US and international partners, CISA is focused on reducing the prevalence of ransomware intrusions and their impacts, which include applying lessons learned from prior ransomware incidents that have affected far too many organisations.
“This joint advisory on LockBit is another example of effective collaboration with our partners to provide timely and actionable resources to help all organisations understand and defend against this ransomware activity. As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur.”
The group said LockBit was the most deployed ransomware variant seen in the UK and across the world last year, and it was still being widely deployed as recently as late May 2023.
According to the advisory, 324 new victims appeared on LockBit’s leak site in the third quarter of 2022, 148 in the fourth quarter, and 276 in the first quarter of 2023, and this is likely only a fraction of the total, many victims having unadvisedly paid ransoms to avoid exposure.
As a further indication of the scale of the gang’s activity, the advisory revealed that LockBit accounted for 18% of reported ransomware incidents in Australia between 1 April 2022 and 31 March 2023, 22% of attributed ransomware attacks in Canada for the calendar year 2022, 23% in New Zealand, and 27% in France in the same timeframe.
In the US, meanwhile, LockBit accounted for 16% of ransomware hits on state, local, tribunal and tribunal government bodies in 2022.
So far in 2023, LockBit has accounted for over a quarter of the ransomware engagements undertaken by the French national Computer Emergency Response Team (CERT-FR).
UK-centric statistics are unfortunately not provided in the advisory, but it is known that UK-based organisations of many stripes have been victimised by the gang, including in the financial services, food and agriculture, education and healthcare sectors.
Its most prominent recent victim has been Royal Mail, where it disrupted international delivery services for weeks at the start of 2023, while demanding an “absurd” £66m ransom from the loss-making organisation which had been dealing with a series of strikes. Other UK victims have included NHS supplier Advanced and financial trading software specialist Ion.
It is therefore important for organisations to remain vigilant and, if possible, take action to reduce their potential exposure to it.
Among other things, the advisory covers the basics of the ransomware-as-a-service (RaaS) model favoured by LockBit, shares details of freeware and open source tools, and observes common vulnerabilities and exposures (CVEs) used by the gang.
It also includes more than 40 observed LockBit tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK framework, and shares details of potential mitigations, and resources and services available from the authoring agencies.
Jake Moore, global cyber security advisor at ESET, commented: “The LockBit ransomware group continue to use the most sophisticated and widespread variants of the malware, and this remains a huge threat to businesses. Selling their bespoke ransomware-as-a-service model to other threat actors adds a large strain on companies around the world – even more so when data is extracted, making this a double extortion.
“Many organisations still do not understand the full extent of what ransomware can achieve and how this growing problem is still an inevitable threat.
“However, ransomware can be detected at early stages using prevention and behaviour detection analysis,” said Moore. “It is crucial for organisations to implement robust security measures, including regular backups, strong security protocols and employee education, to mitigate the risk of falling victim to LockBit or any other ransomware strain.”