Alert - Understanding ransomware threat actors: LockBit - joint cybersecurity advisory

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On June 14, 2023, the Canadian Centre for Cyber Security joined cyber security partners from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC),the Australian Cyber Security Centre (ACSC), New Zealand’s Computer Emergency Response Team (CERT-NZ) and National Cyber Security Centre (NCSC-NZ), the National Cyber Security Agency of France (ANSSI), Germany’s Federal Office for Information Security (BSI) and the United Kingdom’s National Cyber Security Centre (NCSC-UK) to publish a joint Cybersecurity Advisory (CSA) detailing LockBit, the world’s most deployed Ransomware-as-a-Service (RaaS) variant.^{Footnote 1}

The first noted infection of Lockbit within Canada was recorded in March 2020, and by 2022, Lockbit was responsible for 22% of all attributed ransomware incidents. The LockBit data leak site lists themselves as the most active global ransomware group and RaaS provider in terms of the number of victims. LockBit affiliates have targeted a broad range of critical infrastructure sectors worldwide including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing and transportation.

This joint advisory is being published to provide awareness on observed activity from LockBit ransomware incidents and to provide recommended mitigations to proactively improve an organization’s defenses against this ransomware operation. It contains technical descriptions of the ransomware, indicators of compromise (IoCs), commonly exploited CVEs, as well as tactics, techniques, and procedures (TTPs) used by the threat actors. Additional guidance is also available in the Cyber Centre’s Ransomware playbook (ITSM.00.099) ^{Footnote 2} and in the Cyber Centre’s Top 10 IT security actions based on analysis of cyber threat trends to help minimize intrusions or the impacts of a successful cyber intrusion. ^{Footnote 3}

The authoring organizations encourage the implementation of the recommendations found in the referenced CSA to reduce the likelihood and impact of future ransomware incidents.

Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.