Understanding ransomware threat actors - LockBit

Threat actors using LockBit, the most globally used and prolific ransomware-as-a-service (RaaS) in 2022 and 2023, have attacked organisations of all sizes across a wide range of critical infrastructure sectors.  

To support organisations in understanding and defending against this global threat and its large number of unconnected LockBit affiliates, this advisory includes:

• a list of approximately 30 freeware and open-source tools used by LockBit actors,
• more than 40 TTPs mapped to the MITRE ATT&CK framework,
• common vulnerabilities and exposures (CVEs) exploited by LockBit actors,
• an overview of LockBit evolution, global trends, and statistics, and
• mitigation advice and support resources from authoring agencies. 

Lisa Fong, Deputy Director-General, NCSC-NZ said, “The National Cyber Security Centre, part of New Zealand’s Government Communications Security Bureau, shares international partners' focus on addressing ransomware.  

“The NCSC welcomes this advisory, which reflects the experience of our partners and the NCSC’s learnings from helping organisations address LockBit’s impact in New Zealand. These combined learnings will help ensure organisations have the best information to increase their resilience to the threat from ransomware.  

“Helping build cyber security resilience through the sharing of cyber threat information is a key part of the NCSC’s focus, and we encourage all readers to apply the mitigations set in this advisory.”

Organisations should review the advisory’s tools, TTPs, and CVEs to assess potential exposure to LockBit ransomware activity.

CERT NZ Director Rob Pope said, “Businesses in New Zealand need to be aware of this and take action. Ransomware is one of the most devastating things that can happen to an organisation and we need to ensure that our countries are resilient to these attacks.”