top of page

LockBit Ransomware Nets $91 Million in Extortion from 1,700 U.S. Attacks

U.S. and international cybersecurity agencies have released a joint advisory revealing that the LockBit ransomware gang successfully extorted approximately $91 million through 1,700 attacks against U.S. organizations since 2020.

The Ransomware-as-a-Service (RaaS) operation has emerged as a global threat, boasting the highest number of victims on their data leak site. LockBit attacks have affected various sectors, including financial services, healthcare, government, education, and more.

The advisory includes a list of tools, a detailed MITRE ATT&CK mapping of tactics employed, and information on vulnerabilities exploited by LockBit. Mitigation measures are also provided to assist defenders in safeguarding against LockBit attacks. Bryan Vorndran, Assistant Director of the FBI's Cyber Division, urges organizations to review the advisory and implement recommended measures for defense. LockBit ransomware first emerged in 2019 and resurfaced as LockBit 2.0 in 2021, following a ban on ransomware groups on cybercrime forums.

With subsequent versions, LockBit has continued to evolve with innovative extortion tactics, cryptocurrency payment options, and even a ransomware bug bounty program. Notable victims of LockBit attacks include Continental, the Italian Internal Revenue Service, the UK Royal Mail, and the City of Oakland. Erich Kron, Security Awareness Advocate at KnowBe4, shared his insights on LockBit ransomware and how organizations should take steps to protect themselves from ransomware threats:

"LockBit is certainly one of the biggest ransomware threats currently in circulation, and the Ransomware-as-a-Service model it uses has allowed it to scale to such a point that its growth will only continue unless the core developers are shut down. By employing affiliates to carry out the attacks for a majority share of the earnings, the developers can now focus on improving the ransomware itself and avoid law enforcement actions. Because LockBit uses affiliates, the attack vectors will vary, although many of them are still going to begin with simple email phishing attacks even if the types of phishing they use vary slightly. Organizations should reference the CISA advisory and consider the defensive tactics laid out there. Regardless of the particular strain of ransomware, educating employees on how to spot and report phishing emails by stepping them through new school security awareness programs is a very cost-effective way to avoid the most common initial attack vectors."


bottom of page