
Lockbit: The explosive rise of Ransomware as a Service (RaaS) and its global impact

September 5th, 2023

LockBit, a Ransomware as a Service (RaaS) operation, has been targeting organizations of all sizes worldwide since it first appeared in late 2019. It has gained momentum ever since and, by 2022, had become the most active ransomware group and RaaS provider, measured by the number of victims posted on its leak site.

For May 2023, LockBit claimed responsibility for 76 attacks. Overall, the group has acknowledged involvement in at least 1,653 ransomware incidents.

What has truly propelled LockBit into a popular and dangerous phenomenon?

LockBit owes much of this success to ongoing innovation: continuous development of the group's administrative panel and of the support functions it offers to its RaaS affiliates.

Under the RaaS model, a core group operates a specific ransomware variant and provides access to it to individuals or groups of operators, referred to as "affiliates."

It also assists affiliates in deploying the product, in exchange for an initial payment, subscription fees, a share of the profits, or a combination of these payment models.

LockBit has employed various methods to successfully attract criminals, including but not limited to:

  • Assuring affiliates of payment by letting them receive ransom payments before sending a cut to the core group; this stands in stark contrast to other RaaS groups, which pay themselves first and then disburse the affiliates' cut.
  • Disparaging other RaaS groups in online forums.
  • Engaging in publicity stunts, such as paying people to get LockBit tattoos and putting a $1 million bounty on information about the real-world identity of the group's lead, who goes by the persona "LockBitSupp."
  • Developing and maintaining a simplified, point-and-click interface for its ransomware, making it accessible to those with a lower degree of technical skills.

The lifecycle of a ransomware incident typically involves several stages:

When it comes to preventing ransomware attacks, especially those perpetrated by groups like LockBit, the Cybersecurity and Infrastructure Security Agency (CISA) recommends the following measures:

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST standards for developing and managing password policies.
  • Enforce use of passwords of at least 15 characters.
  • Securely store passwords by employing industry-recognized password hashing algorithms in a salted and hashed format.
  • Prevent use of commonly used or known-compromised passwords.
  • Implement multiple failed login attempt account lockouts.
  • Disable password “hints.”
  • Refrain from requiring password changes more frequently than once per year.
  • Enforce Multi-Factor Authentication (MFA) on all accounts, especially those with administrator privileges, as a minimum security measure.
  • Implement filters at the email gateway to screen out emails containing known malicious indicators, including malicious subject lines. Additionally, block suspicious IP addresses at the firewall for an added layer of security.
  • Require administrator credentials to install software.
  • Install a web application firewall and configure it with the necessary rules to protect enterprise assets effectively.
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Isolate web-facing applications to further minimize the spread of ransomware across a network.
  • Adhere to the least-privilege best practice by requiring administrators to use dedicated administrative accounts for system management, while employing standard user accounts for non-administrative tasks.
  • Enforce the management of and audit user accounts with administrative privileges. Configure access controls according to the principle of least privilege. 
  • Implement time-based access for accounts set at the admin level and higher. 
  • Keep all operating systems, software, and firmware up to date. 
  • Restrict service accounts from remotely accessing other systems.
  • Consolidate, monitor, and defend internet gateways.
  • Install, regularly update, and enable real-time detection for antivirus software on all hosts.
  • Raise awareness for phishing threats in your organization.
  • Review internet-facing services and disable any that are no longer a business requirement to expose, or restrict access to only those users with an explicit requirement to reach them, such as SSL VPN or RDP. Where internet-facing services are necessary, allow access only from an administrative IP range.
  • Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.
  • Develop and regularly update comprehensive network diagram(s) that describe systems and data flows within your organization's network(s).
  • Enable enhanced PowerShell logging.
  • Configure the Windows Registry to require UAC approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.
  • Disable command-line and scripting activities and permissions.
  • Enable Credential Guard to protect your Windows system credentials.
  • Restrict NTLM use with security policies and firewalling.
  • Disable unused ports.
  • VPN access should not be considered as a trusted network zone. Organizations should instead consider moving to zero trust architectures.
  • Use web filtering or a Cloud Access Security Broker (CASB) to restrict or monitor access to public-file sharing services that may be used to exfiltrate data from a network.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
  • Maintain offline backups of data, and regularly test backup and restoration (daily or weekly at a minimum).
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
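The Windows-specific items in this list (enhanced PowerShell logging, UAC approval for PsExec, Credential Guard, NTLM restriction, and the password and lockout policy) are all backed either by registry values or by the domain password policy, so they can be audited in one pass. The PowerShell script below is an added example and is not code from the original article or from CISA. The function names, the check table and the mapping of each list item to a registry location are this example's own assumptions; it is meant to be run elevated on a domain-joined host. The PsExec item maps to what Microsoft calls UAC remote restrictions: when LocalAccountTokenFilterPolicy is set to 1, local administrator accounts get an unfiltered token over the network, which is exactly what lets PsExec run as admin from another machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the original article or from CISA). Audits a Windows
# host against the registry- and AD-backed mitigations in the list above and, with
# -Enforce, writes the registry items. Function names and the check table are this
# example's own assumptions.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-LockBitMitigations {
    [CmdletBinding()]
    param([switch]$Enforce)

    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # One entry per registry-backed mitigation. Pass judges the stored value (Default
    # stands in when the value is absent); Fix is what -Enforce writes.
    $regChecks = @(
        @{ Check = 'PowerShell script block logging'
           Path = "$pol\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Fix = 1; Pass = { param($v) $v -eq 1 } }
        @{ Check = 'PowerShell module logging'
           Path = "$pol\ModuleLogging"; Name = 'EnableModuleLogging'; Fix = 1; Pass = { param($v) $v -eq 1 } }
        @{ Check = 'UAC enabled (EnableLUA)'
           Path = $uac; Name = 'EnableLUA'; Fix = 1; Pass = { param($v) $v -eq 1 } }
        # LocalAccountTokenFilterPolicy=1 disables UAC remote restrictions, giving local admins an
        # unfiltered token over SMB (what PsExec needs); absent or 0 keeps the restriction on.
        @{ Check = 'UAC remote restrictions on (limits PsExec with local admin accounts)'
           Path = $uac; Name = 'LocalAccountTokenFilterPolicy'; Default = 0; Fix = 0; Pass = { param($v) $v -eq 0 } }
        @{ Check = 'Virtualization-based security enabled (Credential Guard prerequisite)'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity'; Fix = 1; Pass = { param($v) $v -eq 1 } }
        @{ Check = 'Credential Guard configured (LsaCfgFlags 1 = with UEFI lock, 2 = without)'
           Path = $lsa; Name = 'LsaCfgFlags'; Fix = 1; Pass = { param($v) $v -in 1, 2 } }
        @{ Check = 'LmCompatibilityLevel 5 (send NTLMv2 only, refuse LM and NTLMv1)'
           Path = $lsa; Name = 'LmCompatibilityLevel'; Fix = 5; Pass = { param($v) $v -eq 5 } }
        # Start in audit mode (1); move to deny (2) once the NTLM operational log shows nothing needed.
        @{ Check = 'Outgoing NTLM audited or denied (RestrictSendingNTLMTraffic 1 or 2)'
           Path = "$lsa\MSV1_0"; Name = 'RestrictSendingNTLMTraffic'; Fix = 1; Pass = { param($v) $v -in 1, 2 } }
    )

    $results = [System.Collections.Generic.List[object]]::new()
    foreach ($c in $regChecks) {
        $actual = Get-RegValue $c.Path $c.Name
        if ($null -eq $actual -and $c.ContainsKey('Default')) { $actual = $c.Default }
        $ok = [bool](& $c.Pass $actual)
        if (-not $ok -and $Enforce) {
            Set-RegDword $c.Path $c.Name $c.Fix
            $actual = $c.Fix; $ok = $true
        }
        $results.Add([pscustomobject]@{ Check = $c.Check; Actual = $actual; Pass = $ok })
    }

    # Configured is not the same as running: VBS needs hypervisor/UEFI support and a reboot.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Check  = 'Credential Guard running (SecurityServicesRunning includes 1)'
        Actual = ($dg.SecurityServicesRunning -join ',')
        Pass   = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1)) })

    # Domain password policy (default domain policy only; fine-grained policies can override it).
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $p = Get-ADDefaultDomainPasswordPolicy
        $results.Add([pscustomobject]@{ Check = 'Minimum password length >= 15'; Actual = $p.MinPasswordLength; Pass = ($p.MinPasswordLength -ge 15) })
        $results.Add([pscustomobject]@{ Check = 'Account lockout after failed logins'; Actual = $p.LockoutThreshold; Pass = ($p.LockoutThreshold -gt 0) })
        # MaxPasswordAge of 0 means passwords never expire, which also satisfies "no more than yearly".
        $results.Add([pscustomobject]@{ Check = 'Forced password change no more than yearly'; Actual = $p.MaxPasswordAge; Pass = ($p.MaxPasswordAge -eq [TimeSpan]::Zero -or $p.MaxPasswordAge.Days -ge 365) })
    }
    return $results
}

# Usage: Test-LockBitMitigations | Format-Table -AutoSize
#        Test-LockBitMitigations -Enforce | Where-Object { -not $_.Pass }
```

Two caveats when using this. On domain-joined hosts Group Policy rewrites these registry values at the next refresh, so the durable fix is the equivalent GPO setting and the script is best used to verify that the policy actually landed. Also, the NTLM and Credential Guard items can break things if applied blindly: denying outgoing NTLM (value 2) stops legacy services that still authenticate with it, so audit first and review the NTLM operational event log, and LsaCfgFlags=1 locks Credential Guard on in UEFI, which cannot be undone without physical access to the machine.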