LockBit Ransomware: A Quick Glance at Its Comeback

LockBit ransomware is a malicious software designed to block user access to computer systems in exchange for a ransom payment. It is a self-spreading crypto virus that targets enterprises and government organizations globally with threats such as operations disruption, extortion, data theft, and blackmail.

What is LockBit Ransomware?

LockBit, formerly known as “ABCD” ransomware, emerged in September 2019. It was originally known for using the file extension “.abcd virus” when performing encryptions. In January 2020, the ransomware group began operations as a ransomware-as-a-service (RaaS) and adopted the name LockBit. It focuses mostly on enterprises and government organizations rather than individuals.

How Does LockBit Ransomware Work?

LockBit ransomware gains initial access to computer systems using purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. Once it infiltrates a system, it collects network information, steals and encrypts data. The perpetrators then demand a ransom for the victim’s data to be decrypted and made available again, threatening to make the data public otherwise.

Historical Data

LockBit was the world’s most prolific ransomware in 2022. It was estimated in early 2023 to be responsible for 44% of all ransomware incidents globally. In the United States between January 2020 and May 2023, LockBit was used in approximately 1,700 ransomware attacks, with US$ 91 million paid in ransom to hackers.

Incidents Caused by LockBit

LockBit has negatively impacted organizations, both large and small, across the world. In 2022, it was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on their data leak site. It has attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

In the US alone, LockBit ransomware has been deemed responsible for at least 1,700 attacks. Victims of LockBit attacks include Pendragon, a UK car dealership company, which has refused to pay a $60m ransomware demand.

Recent Developments

In February 2024, law enforcement agencies seized control of LockBit dark web sites used for attacks. However, further attacks with LockBit ransomware were later reported. The entire “command and control” apparatus for the ransomware group LockBit is now in possession of law enforcement.

The Comeback

After the international crackdown, the LockBit ransomware group set up a new site on the dark web to advertise a small number of alleged victims and leak stolen data. They released a statement explaining how they had been infiltrated by law enforcement agencies. The group claimed that law enforcement had hacked its former dark web site using a vulnerability in the PHP programming language. However, they stated that all other servers with backup blogs that did not have PHP installed were unaffected and would continue to leak data stolen from attacked companies.

Recent Attacks

Despite the disruption, new attacks associated with LockBit ransomware have been detected. These attacks are exploiting critical vulnerabilities in ScreenConnect, a remote desktop application. The malware being deployed is associated with LockBit, indicating that the group’s reach spans various affiliate groups and offshoots that have not been completely erased even with the major takedown by law enforcement.

Conclusion

Despite the recent disruptions by law enforcement, the return of LockBit underscores the persistent nature of the cyber threat. It is crucial for organizations to remain vigilant, invest in robust cybersecurity measures, and foster a culture of cyber awareness to mitigate the risk of ransomware attacks.

---

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.