You are here

Joint Cybersecurity Advisory – Understanding Ransomware Threat Actors: LockBit

Joint Cybersecurity Advisory – Understanding Ransomware Threat Actors: LockBit

Created: Thursday, June 15, 2023 - 11:50
Categories:
Cybersecurity, Security Preparedness

WaterISAC regularly provides awareness of recent CISA reporting. While direct relevance to your utility/organization on the details of each report may vary, activity alerts like this are practical for general awareness and greater understanding of active threats and adversary capabilities.

Yesterday, CISA, the FBI, MS-ISAC, and international partners released Understanding Ransomware Threat Actors: LockBit, a joint Cybersecurity Advisory (CSA) to help organizations understand and defend against threat actors using LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023. The guide is a comprehensive resource detailing the observed common vulnerabilities and exposures (CVEs) exploited, as well as the tools, and tactics, techniques, and procedures (TTPs) used by LockBit affiliates.

In 2022, LockBit was the most globally deployed ransomware variant and continues to be prolific in 2023. The LockBit Ransomware-as-a-Service (RaaS) model attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks. Affiliates have attacked organizations across multiple critical infrastructure sectors including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit has been successful through its continual innovation and evolution, including making its deployment extremely accessible to low-skilled actors.

The reporting agencies encourage network defenders to review the CSA and apply the included mitigations to reduce the likelihood and impact of future ransomware incidents. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response.

To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at [email protected]. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected]Access the full advisory at CISA.