NCSC warns over ‘enduring’ LockBit threat

Huge impact

The group said LockBit was the most deployed ransomware variant seen in the UK and across the world last year, and it was still being widely deployed as recently as late May 2023.

According to the advisory, 324 new victims appeared on LockBit’s leak site in the third quarter of 2022, 148 in the fourth quarter, and 276 in the first quarter of 2023, and this is likely only a fraction of the total, many victims having unadvisedly paid ransoms to avoid exposure.

As a further indication of the scale of the gang’s activity, the advisory revealed that LockBit accounted for 18% of reported ransomware incidents in Australia between 1 April 2022 and 31 March 2023, 22% of attributed ransomware attacks in Canada for the calendar year 2022, 23% in New Zealand, and 27% in France in the same timeframe.

In the US, meanwhile, LockBit accounted for 16% of ransomware hits on state, local, tribunal and tribunal government bodies in 2022.

So far in 2023, LockBit has accounted for over a quarter of the ransomware engagements undertaken by the French national Computer Emergency Response Team (CERT-FR).

UK-centric statistics are unfortunately not provided in the advisory, but it is known that UK-based organisations of many stripes have been victimised by the gang, including in the financial services, food and agriculture, education and healthcare sectors.

Its most prominent recent victim has been Royal Mail, where it disrupted international delivery services for weeks at the start of 2023, while demanding an “absurd” £66m ransom from the loss-making organisation which had been dealing with a series of strikes. Other UK victims have included NHS supplier Advanced and financial trading software specialist Ion.

It is therefore important for organisations to remain vigilant and, if possible, take action to reduce their potential exposure to it.

Among other things, the advisory covers the basics of the ransomware-as-a-service (RaaS) model favoured by LockBit, shares details of freeware and open source tools, and observes common vulnerabilities and exposures (CVEs) used by the gang.

It also includes more than 40 observed LockBit tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK framework, and shares details of potential mitigations, and resources and services available from the authoring agencies.

Jake Moore, global cyber security advisor at ESET, commented: “The LockBit ransomware group continue to use the most sophisticated and widespread variants of the malware, and this remains a huge threat to businesses. Selling their bespoke ransomware-as-a-service model to other threat actors adds a large strain on companies around the world – even more so when data is extracted, making this a double extortion.

“Many organisations still do not understand the full extent of what ransomware can achieve and how this growing problem is still an inevitable threat.

“However, ransomware can be detected at early stages using prevention and behaviour detection analysis,” said Moore. “It is crucial for organisations to implement robust security measures, including regular backups, strong security protocols and employee education, to mitigate the risk of falling victim to LockBit or any other ransomware strain.”