LockBit ransomware has carried out roughly 1,700 attacks in the U.S., extorting $91 million

In the LockBit Ransomware Joint Advisory Report, U.S. and international cybersecurity agencies said the group has launched approximately 1,700 attacks against U.S. entities since 2020, successfully extorting approximately $91 million.

More recently, U.S. authorities and their international partners in Australia, Canada, the United Kingdom, Germany, France and New Zealand said the LockBit ransomware-as-a-service (RaaS) operation is the "leading" global ransomware threat in 2022, with the highest number of targets.

According to reports received by MS-ISAC throughout last year, LockBit was responsible for approximately 16 percent of ransomware incidents affecting State, Local, Tribal, and Territorial (SLTT) governments. In these incidents, LockBit affiliates targeted primarily municipalities, county governments, public higher education institutions, K-12 schools, and emergency service agencies such as law enforcement.

In addition, MS-ISAC indicates that LockBit was the most deployed ransomware variant worldwide in 2022 and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have launched large-scale attacks on critical infrastructure sectors including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

The advisory lists the common vulnerabilities and exposures (CVEs) most frequently exploited by LockBit actors, and gives an in-depth account of how LockBit RaaS operations have evolved since the group first emerged in September 2019. The joint advisory also provides mitigation measures to help defenders thwart LockBit attack campaigns against their organizations.

Bryan Vorndran, assistant director of the Federal Bureau of Investigation (FBI) Cyber Division, noted that the FBI encourages all organizations to review this CSA and implement mitigation measures to better defend against cyber attacks using LockBit. If you have suffered a cyber attack, please contact your local FBI field office.

LockBit ransomware first emerged as a ransomware-as-a-service (RaaS) business in September 2019, and reemerged in June 2021 with an updated version, LockBit 2.0 RaaS.

In an emergency alert in February 2022, the FBI shared LockBit's indicators of compromise and advised victims to report any LockBit attacks as a matter of urgency. A few months later, LockBit 3.0 introduced Zcash cryptocurrency payment options, a new ransom strategy, and the first bug bounty program run by a ransomware group.

Afterwards, LockBit launched cyber attacks against entities such as the automotive giant, the Italian IRS, the Royal Mail and the City of Auckland, among others.