LockBit: The World's Most Infamous Ransomware Group [and Some of Their Victims]
Authored by Kyle Kimerer

Come one, come all!

When I woke up this morning, I made myself a nice cup of joe, opened up my laptop, and went to check my emai--- wait...

What does that calendar read?

FRIDAY!

Yep, welcome back to another Cyber Friday!

So, I'll give you a little bit of context around how I choose what to cover in these newsletters. Typically, I will check the latest cybersecurity news as the week progresses. Some of my favorite sources include: The Hacker News, Dark Reading, Wired, and a few other reputable blog/news sites.

But, sometimes I have an idea in mind already, and I pull sources around that idea.

This week, my method was much more in line with the latter.

So, with that... what do you know about LockBit?

Maybe you know that they are a Russian-based ransomware group that hit the cybercrime scene some time in 2020. Or, maybe you know about their various ransomware versions, like LockBit, LockBit 2.0, or LockBit 3.0.

Oh... you don't know about that stuff? Well, read this and come back when you're done, then.

Okay, so now you're an expert on LockBit. Great job. Moving on...

Perhaps the best way to understand this ransomware group is to learn about some of their largest ransomware attacks to date. You see, this group is like the Microsoft of cybercrime organizations; they have quite the stature internationally, and have evaded detection by the FBI on multiple occasions.

Let's take a look at some of their largest activity...

LockBit Ransomware Attacks: 2020-Present

Since 2020, LockBit has been behind about 1,700 attacks in the US, according to the FBI. Ransomware incidents attributed to them have also been reported in Australia, the UK, Canada, France, Germany, China, Ukraine, and New Zealand. And since 2020, the group is thought to have accumulated nearly $91 million in ransom. One of the key differentiators that makes LockBit so dangerous is their double extortion method: not only do they encrypt mission-critical data, but they also exfiltrate that data and publish it on the dark web.

DISCLAIMER - The following information is provided by Google's AI language model, Bard, at bard.google.com.

2020

  • AccorHotels: In April 2020, LockBit encrypted the data of AccorHotels, a French multinational hospitality company. The company paid a ransom of $10 million to recover its data.
  • Travelex: In July 2020, LockBit encrypted the data of Travelex, a British foreign exchange company. The company paid a ransom of $2.3 million to recover its data.
  • Entravision Communications: In October 2020, LockBit encrypted the data of Entravision Communications, a media company that owns a number of Spanish-language radio and television stations in the United States. The company paid a ransom of $1 million to recover its data.
  • Brennan Industries: In November 2020, LockBit encrypted the data of Brennan Industries, a manufacturer of medical devices. The company paid a ransom of $1 million to recover its data.

2021

  • Kaseya: In July 2021, LockBit encrypted the data of Kaseya, a software company that provides remote monitoring and management (RMM) software. The company paid a ransom of $70 million to recover its data.
  • Accenture: In August 2021, LockBit encrypted the data of Accenture, a multinational professional services company. The attack affected Accenture's clients in Europe and North America. Accenture is one of the largest IT consulting companies in the world, and the attack was a major blow to the company's reputation.
  • Cognizant: In September 2021, LockBit encrypted the data of Cognizant, a multinational information technology services and consulting company. The attack affected Cognizant's clients in North America and Europe. Cognizant is one of the largest IT services companies in the world, and the attack was a major disruption to the company's business.
  • JBS USA: In June 2021, LockBit encrypted the data of JBS USA, the largest beef processor in the world. The attack caused a brief shutdown of JBS USA's operations, and it led to a spike in meat prices. The attack was a major disruption to the global food supply chain.
  • Colonial Pipeline: In May 2021, LockBit encrypted the data of Colonial Pipeline, the largest pipeline system for refined products in the United States. The attack caused a six-day shutdown of the pipeline, and it led to a fuel shortage in the southeastern United States. The attack was a major disruption to the US economy, and it highlighted the dangers of ransomware attacks on critical infrastructure.

2022

  • Avast Software: In May 2022, LockBit encrypted the data of Avast Software, a Czech cybersecurity company. The attack affected Avast's customers in Europe and North America. Avast is one of the largest antivirus software companies in the world, and the attack was a major blow to the company's reputation.
  • Acronis: In June 2022, LockBit encrypted the data of Acronis, a Switzerland-based backup and disaster recovery company. The attack affected Acronis's customers in Europe and North America. Acronis is one of the largest backup software companies in the world, and the attack was a major disruption to the company's business.
  • CD Projekt Red: In July 2022, LockBit encrypted the data of CD Projekt Red, a Polish video game development company. The attack affected CD Projekt Red's employees and customers. CD Projekt Red is the developer of popular video games such as The Witcher and Cyberpunk 2077.
  • Electronic Arts (EA): In August 2022, LockBit encrypted the data of Electronic Arts (EA), an American video game company. The attack affected EA's employees and customers. EA is the developer of popular video games such as FIFA, Madden NFL, and Apex Legends.
  • Nvidia: In September 2022, LockBit encrypted the data of Nvidia, an American semiconductor company. The attack affected Nvidia's employees and customers. Nvidia is a major manufacturer of graphics processing units (GPUs), which are used in computers and video game consoles.

2023

  • HPE: In March 2023, LockBit encrypted the data of Hewlett Packard Enterprise (HPE), a multinational information technology company that specializes in developing and selling computer hardware, software, and IT services. The attack affected HPE's customers in Europe and North America. HPE paid a ransom of $50 million to recover its data.
  • DXC Technology: In April 2023, LockBit encrypted the data of DXC Technology, an American multinational information technology services and consulting company. The attack affected DXC Technology's customers in Europe and North America. DXC Technology paid a ransom of $40 million to recover its data.
  • IBM: In May 2023, LockBit encrypted the data of IBM. The attack affected IBM's customers in Europe and North America. IBM paid a ransom of $30 million to recover its data.
  • Cognizant: In June 2023, LockBit encrypted the data of Cognizant, an American multinational information technology services and consulting company. The attack affected Cognizant's customers in Europe and North America. Cognizant paid a ransom of $25 million to recover its data.


And most recently, LockBit has been deemed responsible for two major attacks on ICBC, the world's largest bank, and Boeing, you know, the plane company. Both of these stories are so fresh that they're still developing in ongoing investigations.

So, yes, undoubtedly, LockBit has a name that precedes them, for better or worse. And the victims listed in this newsletter are just SOME of the numerous organizations that have been attacked by LockBit.

If you want to learn more about LockBit, their attack techniques, and ways to mitigate their attacks, check out this report from CISA.

Signing off, see you next week.
