What we know about Lockbit ransomware

• Boeing might be the latest victim of LockBit ransomware. 
• LockBit was the most deployed ransomware in 2022 in the UK. 
• The ransomware group is known for its ransomware-as-a-service. 

The LockBit ransomware group stands out as one of the most sophisticated cybercrime entities globally. Linked to pro-Russian cybercrime networks, its adept infiltration tactics and methodical approach has made it a formidable force.

Compared to other cybercriminal groups, the Lockbit ransomware group is also one of the few with an actual administrative network. According to reports, the ransomware group has administrative staff that manage its accounts, including how it contacts victims as well as how it manages the payment of ransoms.

Operating with a ransomware-as-a-service model, interested parties put a deposit down for the use of custom for-hire attacks, and profit under an affiliate framework. Kaspersky reports that the ransom payments are then divided between the LockBit developer team and the attacking affiliates, who receive up to ¾ of the ransom funds.

Another cybersecurity vendor, BlackBerry, says that the LockBit ransomware has been implicated in more cyberattacks in 2023 than any other ransomware, making it the most active ransomware in the world. With an average ransomware payment of nearly US$1 million per incident, LockBit also targets small-to-medium-sized organizations.

The FBI has recorded around 1,700 LockBit incidents in the US. Victims in the US have paid approximately US$91 million since LockBit activity was first observed on January 5, 2020.

In the UK, the National Cyber Security Center says that LockBit was almost certainly the most deployed ransomware strain in the UK in 2022, and that it continues to present the highest ransomware threat to UK organizations.

Recent victims of the LockBit ransomware group

In 2023, LockBit has already targeted several high-profile organizations around the world. The latest target is aircraft manufacturer Boeing. VX-underground is reporting that LockBit claims to have “a huge amount of sensitive data” from the aircraft manufacturer. Reports also indicate that the ransomware group is prepared to publish the data if Boeing does not contact it by November 2^nd.

Earlier this year, the LockBit ransomware group was also responsible for the Royal Mail cyberattack. The Guardian reported that the Royal Mail rejected the US$80 million ransom demand from the hackers. LockBit published chat transcripts of the negotiations and also claimed that the ransom was “equal to 0.5% of the company’s revenue.”

More recently, the UK was targeted again by a ransomware group using LockBit. This time the apparent victims include Scottish law firm Raeburn, Christie, Clark and Wallace, the fire alarm production company Rex Group Services and trade organization the Food and Drink Federation.

In early September, the hackers also compromised the UK’s Ministry of Defense. Information stolen included British military intelligence sites as well as high-security prisons. The hackers had apparently targeted the database of a firm that makes fences for maximum security sites to get the information.

The evolution of LockBit

Most cybersecurity agencies and vendors believe that LockBit was formerly known as the ABCD ransomware. Since then, it has evolved into a subclass ransomware or crypto-class due to its ransom requests around financial payment in exchange for decryption.

Here’s a look at the different variants of the LockBit Ransomware, as highlighted by the intelligence platform, Flashpoint.

• LockBit – The first variant that succeeded the original .abcd extension used by the ransomware group gained notoriety for its ability to deploy its encryption process in under five minutes.
• LockBit 2.0 – LockBit 2.0 evolved from the original LockBit variant by improving its ability to decode strings and codes faster to avoid detection. Once the variant has established administrative privileges, the encryption process begins.
• LockBit 3.0 – Launched in late June 2022, LockBit 3.0 continues the trend of increasing encryption speed to avoid security detection. The malware uses anti-analysis techniques, password-only execution, and command line augmentation. LockBit 3.0 also introduces the first recorded ransomware bug bounty program, calling for users and security researchers to report any bugs to the ransomware group in exchange for financial reward.
• LockBit Green – The latest variant was revealed by VX-underground and appears to be a standard ransomware variant targeting Windows environments.
• Lockbit for Mac – In May 2023, Flashpoint discovered that LockBit had begun developing a macOS version of LockBit ransomware. However, it could not be easily executed on the devices.

Given the spread of the LockBit ransomware, organizations need to practice good cybersecurity hygiene to prevent ransomware attacks. While regularly updating software and operating systems is essential, companies should also be cautious about their emails and such. Businesses should also look into their software supply chain as the ransomware group could infiltrate systems through loopholes in the system.

If a company is compromised by a ransomware group, it is essential to contact law enforcement agencies to help deal with the investigation and negotiations. Paying the ransom does not guarantee that the business will not be struck again, nor that the cybercriminals do not have copies of the data.

At the end of the day, good cybersecurity hygiene, updated passwords and patches, and a solid backup plan can help detect and block ransomware attacks before they cause significant damage.

Boeing has a lot of defense contract data that could be worth selling on.