LockBit

Last updated
Lockbit
Formation2019
TypeCybercrime

LockBit is a cybercriminal group proposing ransomware as a service (RaaS). Software developed by the group (also called ransomware) enables malicious actors who are willing to pay for using it to carry out attacks in two tactics where they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met. [1]

Contents

According to a joint statement by various government agencies, LockBit was the world's most prolific ransomware in 2022. [2] It was estimated in early 2023 to be responsible for 44% of all ransomware incidents globally. [3]

In the United States between January 2020 and May 2023, LockBit was used in approximately 1,700 ransomware attacks, with US$91 million paid in ransom to hackers. [4]

Government agencies did not formally attribute the group to any nation-state. [5] Software with the name "LockBit" appeared on a Russian-language based cybercrime forum in January 2020. [4] The group is financially motivated. [3]

In February 2024 law enforcement agencies seized control of LockBit dark web sites used for attacks. [6] [7] However, further attacks with LockBit ransomware were later reported, with the group attempting to perform a comeback. [8] [9]

Description

LockBit software, written in the C and C++ programming languages until .NET was used for the LockBit-NG-Dev under development at takedown in 2024, [8] gains initial access to computer systems using purchased access, unpatched vulnerabilities, insider access, and zero-day exploits, in the same way as other malware. LockBit then takes control of the infected system, collects network information, and steals and encrypts data. Demands are then made for the victim to pay a ransom for their data to be decrypted so that it is again available, and for the perpetrators to delete their copy, with the threat of otherwise making the data public. [10] (While the data are not published if the ransom is paid, it was found when LockBit was taken down by law enforcement that it had not been deleted. [11] )

LockBit gained attention for its creation and use of the malware called "StealBit", which automates transferring data to the intruder. This tool was introduced with the release of LockBit 2.0, which has fast and efficient encryption capabilities. To expand their reach, LockBit also released Linux-ESXI Locker version 1.0, targeting Linux hosts, particularly VMware ESXi servers. [1]

LockBit recruits affiliates and develops partnerships with other criminal groups. They hire network access brokers, cooperate with organizations like Maze, and recruit insiders from targeted companies. To attract talented hackers, they have sponsored underground technical writing contests. [1]

LockBit has targeted various industries globally, however, healthcare and education sectors are the biggest victims. According to Trend Micro, in terms of attack attempts, United States, India and Brazil are the top targeted countries. [1]

LockBit is efficient and adaptable: they emphasize their malware's speed and capabilities to attract victims. They take external factors like data privacy laws into consideration when targeting potential victims. LockBit's success also relies heavily on their affiliate program, which helps them innovate and compete in the ransomware landscape. [1]

On its site on the dark web, LockBit stated that it was "located in the Netherlands, completely apolitical and only interested in money". [12]

Techniques and tactics

LockBit operators frequently gain initial access by exploiting vulnerable Remote Desktop Protocol (RDP) servers or compromised credentials purchased from affiliates. Initial access vectors also include phishing emails with malicious attachments or links, brute-forcing weak RDP or VPN passwords, and exploiting vulnerabilities such as CVE-2018-13379 in Fortinet VPNs. [1]

Once installed, LockBit ransomware is often executed in Microsoft Windows via command-line arguments, scheduled tasks, or PowerShell scripts such as PowerShell Empire. LockBit uses tools such as Mimikatz, GMER, Process Hacker, and registry edits to gather credentials, disable security products, and evade defenses. It enumerates network connections to identify high-value targets such as domain controllers using scanners such as Advanced Port Scanner. [1]

For lateral movement, LockBit spreads through SMB file-sharing connections inside networks, using credentials gathered earlier. Other lateral movement techniques include distributing itself via compromised Group Policy objects, or using tools such as PsExec or Cobalt Strike. [1]

LockBit's ransomware payload encrypts files and network shares using AES and RSA encryption. It encrypts only the first few kilobytes of each file for faster processing, and adds a ".lockbit" extension. LockBit then replaces the desktop wallpaper with a ransom note; it can also print ransom notes to attached printers. The goal is to extort payment of a ransom to reverse system disruption and restore file access. [1]

History

LockBit malware was previously known as ".abcd", after the file extension that was added to encrypted files as they were made inaccessible. [13]

LockBit was first observed in September 2019. [14]

LockBit 2.0

LockBit 2.0 appeared in 2021 [14] and came into the spotlight with their attack on Accenture the same year, where an insider probably helped the group entering the network. LockBit published some of the data stolen in this attack. [15] [1]

In January 2022, the electronics company Thales was one of the victims of Lockbit 2.0. [16]

In July 2022, the administrative and management services of La Poste Mobile were attacked. [17]

In September 2022, the group's hackers claimed cyberattacks against 28 organizations, 12 of which involved French organizations. [18] Among them, the Corbeil Essonnes hospital was targeted with a ransom demand of US$10 million. [19]

In October 2022, the LockBit group claimed responsibility for an attack on Pendragon PLC, a group of automotive retailers in the UK, demanding a ransom of US$60 million to decrypt the files and not leak them; the company stated that they refused the demand. [20]

On October 31, 2022, the LockBit hacker group claimed to have attacked Thales Group for the second time and did not demand a ransom, but said that the data would be released. The hacker group offered assistance to Thales customers affected by the theft, in order to lodge a complaint against Thales, a group "that has greatly disregarded confidentiality rules". [21] On November 10, 2022, the LockBit 3.0 group published on the darknet a 9.5 GB archive with stolen information on Thales contracts in Italy and Malaysia. [22] [23]

In November 2022, OEHC - Office d'Équipement Hydraulique de Corse - was the victim of a cyberattack that encrypted the company's computer data. A ransom demand was made by the hacker group, to which OEHC did not respond. [24]

In December 2022, the LockBit hacker group claimed responsibility for the attack on the California Finance Administration. The governor's office acknowledged being the victim of an attack, without specifying its scale. Lockbit claims to have stolen 246,000 files with a total size of 75.3 GB. [25]

In December 2022, the hacker group claimed to have attacked the port of Lisbon. The ransom was set at US$1.5 million, to be paid by January 18, 2023. [26]

On December 18, 2022, a group of hackers attacked Toronto's Hospital for Sick Children. After realizing their blunder, the hacker group stopped the attack, apologized and offered a free solution to recover the encrypted files. [27]

LockBit 3.0

In late June 2022, the group launched "LockBit 3.0", the latest variant of their ransomware, after two months of beta testing. Notably, the group introduced a bug bounty program, the first of its kind in the realm of ransomware operations. They invited security researchers to test their software to improve their security, offering substantial monetary rewards ranging from US$1,000 to $1 million. [1]

In August 2022, German equipment manufacturer Continental suffered a LockBit ransomware attack. In November 2022, with no response to its ransom demand, the hacker group published part of the stolen data and offered access to all of it for 50 million euros. Among the stolen data are the private lives of the Group's employees, as well as exchanges with German car manufacturers. Beyond the theft of data, the danger lies in opening the way to industrial espionage. Indeed, among the exchanges with Volkswagen are IT aspects, from automated driving to entertainment, in which Volkswagen wanted Continental to invest. [28]

In November 2022, the United States Department of Justice announced the arrest of Mikhail Vasiliev, a dual Russian and Canadian national, in connection with the LockBit ransomware campaign. According to the charges, Vasiliev allegedly conspired with others involved in LockBit, a ransomware variant that had been used in over 1,000 attacks globally as of November 2022. According to reports, the operators of LockBit had made at least $100 million in ransom demands, of which tens of millions had been paid by victims. The arrest followed a 2.5 year investigation into the LockBit ransomware group by the Department of Justice. [29]

In January 2023, the hacker group claimed to have attacked the French luxury goods company Nuxe [30] and ELSAN, a French group of private clinics. The hacker group filched 821 GB of data from the company's headquarters. [31] The same month, Royal Mail's international export services were severely disrupted by a Lockbit ransomware attack. [32] [33]

In February 2023, the group claimed responsibility for an attack on Indigo Books and Music, a chain of Canadian bookstores. [34]

In March 2023, the group claimed responsibility for attacking BRL Group  [ fr ], a water specialist in France. [35]

On May 16, 2023, the hacker group claimed responsibility for attacking the Hong Kong branch of the Chinese newspaper China Daily. This is the first time the hacker group has attacked a Chinese company. LockBit does not attack Russian entities and avoids attacking Russian allies. [36]

In May 2023, the hacker group claimed responsibility for the attack on Voyageurs du Monde  [ fr ]. The hacker group stole some 10,000 identity documents from the company's customer files. [37]

In June 2023, the United States Department of Justice announced criminal charges against Ruslan Magomedovich Astamirov, a Russian national, for his alleged participation in the LockBit ransomware campaign as an affiliate. The charges allege that Astamirov directly executed at least five ransomware attacks against victims and received a portion of ransom payments in bitcoin. [38]

At the end of June 2023, the TSMC group fell victim to a ransomware attack via one of its suppliers. LockBit demanded a $70 million ransom. [39]

In July 2023, LockBit attacked the Port of Nagoya in Japan, which handles 10% of the country's trade. The attack forced a shutdown of container operations. [40]

In October 2023, LockBit claimed to have stolen sensitive data from Boeing. [41] Boeing acknowledged they were aware of a cyber incident affecting some of their parts and distribution business a few days later, though it did not affect flight safety; they did not name the suspected attackers. [42]

In November 2023, LockBit attacked the U.S. subsidiary of the Chinese state-owned Industrial and Commercial Bank of China. [43] Bloomberg reported that the US unit of ICBC at the time was considered the world's largest lender by assets. [44]

In November 2023, LockBit released internal data that the group had stolen a month earlier from Boeing onto the Internet. [45]

In November 2023, the LockBit gang attacked the Chicago Trading Company and Alphadyne Asset Management. Bloomberg reported that the CTC had been hacked in October, and that over the prior year Lockbit had "become the world’s most prolific ransomware group." Since 2020, it had reportedly carried out 1,700 attacks and extorted $91 million, according to the US Cybersecurity and Infrastructure Security Agency. [46] The Register reported in late November 2023 that LockBit was facing growing internal frustrations, and that its leaders were overhauling some of its negotiation methods with victims in response to the low pay rate achieved. [47]

In January 2024, the LockBit gang attacked Fulton County computers. [48] [49] The county released a statement on the attack the following month, saying they had not paid the ransom, that it was not associated with the election process, they were not aware of any extraction of sensitive information about citizens or employees. [48] [49]

In May 2024, the LockBit gang claimed responsibility for an attack on Canadian retailer London Drugs, which closed all locations across Canada. LockBit then threatened to release data within 48 hours if a ransom of $25 million was not paid. London Drugs stated that that they are "unwilling and unable to pay ransom" to the parties involved." No customer or primary employee data was compromised. On May 23, 2024, the company confirmed that data had been leaked by Lockbit, and that affected employees were being offered identity theft protection services.

In June 2024, the LockBit gang attacked the University Hospital Center in Zagreb, the largest medical facility in Croatia. The cyberattack caused significant disruption, taking the hospital "back 50 years—to paper and pencil". LockBit claimed to have exfiltrated a large number of files, including medical records and employee information, and demanded an undisclosed sum in exchange for not publishing the data. The Croatian government refused the demands. [50] [51]

LockBit-NG-Dev (LockBit 4?)

When the LockBit server was closed down by law enforcement in February 2024, it was found that a new version, LockBit-NG-Dev, probably to be released as LockBit 4.0, had been under advanced development; [52] Trend Micro published a detailed report on it. [53]

Seizure by law enforcement in 2024

On February 19, 2024, the National Crime Agency in collaboration with Europol and other international law enforcement agencies seized control of darknet websites belonging to the LockBit ransomware gang as a part of Operation Cronos. [54] [55] [56] [6] [7] An unverified report said that Lockbit had said that its servers running on the programming language PHP had been hit, but that it had backup servers without PHP that were "not touched". [12] One person was arrested in Ukraine, one in Poland, and two in the United States. Two Russians were also named, but have not been arrested. According to Graeme Biggar, Director General of the National Crime Agency, law enforcement has "taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems." [11] A decryptor for LockBit 3.0 was made using the seized keys and released for free use on No More Ransom. [57]

After the takedown, law enforcement posted information about the group on its dark web site, including that it had at least 188 affiliates. [8] Law enforcement also obtained 30,000 Bitcoin addresses used for managing the group's profits from ransom payments, which contained 2,200 BTC ($112 million USD). [58]

As of 22 February 2024 LockBit ransomware was still spreading. [59] [8]

On 24 February 2024 a new website claiming to be run by LockBit appeared. [60] The new site listed more than a dozen alleged victims including the FBI, hospitals and Fulton County, Georgia. [60] The new site threatened to release information relating to Fulton County unless a ransom was paid by 2 March 2024. [60] The new site claimed to have the identities of members of a jury in a murder trial. [60] There was also a threat to release Fulton County documents relating to court cases involving Donald Trump if the ransom wasn't paid. [60]

On 7 May 2024 charges and sanctions were announced against Dmitry Khoroshev, the alleged administrator and developer of LockBit. [61] [62]

On 21 May 2024, LockBit claimed responsibility for an attack on the corporate offices of Canadian retail chain London Drugs, demanding a payment of $25 million. [63] [64] All London Drugs stores were closed nationwide from 28 April–7 May 2024 due to the attack. [65] [66] London Drugs is refusing to pay the ransom, and stated that customer and "primary employee" data was not compromised. [63] [64]

In June 2024, LockBit claimed responsibility for a major breach of Evolve Bank & Trust, [67] a partner bank of many financial technology companies including Stripe, Mercury, Affirm, and Airwallex. [68] The group had threatened to leak data from the US Federal Reserve, but the leaked data appeared to come directly from Evolve, not the Federal Reserve. [69]

Related Research Articles

Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

<span class="mw-page-title-main">Timeline of Internet conflicts</span>

The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.

<span class="mw-page-title-main">Bitdefender</span> Romanian cybersecurity technology company

Bitdefender is a multinational cybersecurity technology company dual-headquartered in Bucharest, Romania and Santa Clara, California, with offices in the United States, Europe, Australia and the Middle East.

The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running on Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.

TeslaCrypt was a ransomware trojan. It is now defunct, and its master key was released by the developers.

REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

Emsisoft Ltd. is a New Zealand-based anti-virus software distributed company. They are notable for decrypting ransomware attacks to restore data.

FIN7, also called Carbon Spider, ELBRUS, or Sangria Tempest, is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. FIN7 is also associated with GOLD NIAGARA, ITG14, ALPHV and BlackCat.

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. The group provides ransomware as a service.

Conti is malware developed and first used by the Russia-based hacking group "Wizard Spider" in December, 2019. It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.

Wizard Spider, also known as Trickbot, DEV-0193, UNC2053, or Periwinkle Tempest, was a cybercrime group based in and around Saint Petersburg in Russia. Some members may be based in Ukraine. They are estimated to number about 80, some of them may not know they are employed by a criminal organisation.

On 2 July 2021, a number of managed service providers (MSPs) and their customers became victims of a ransomware attack perpetrated by the REvil group, causing widespread downtime for over 1,000 companies. The attack was carried out by exploiting a vulnerability in VSA, a remote monitoring and management software package developed by Kaseya. Two suspects were identified and one sentenced.

<span class="mw-page-title-main">2022 Costa Rican ransomware attack</span> Attack on Costa Rican government systems

Beginning on the night (UTC-6:00) of April 17, 2022, a ransomware attack began against nearly 30 institutions of the government of Costa Rica, including its Ministry of Finance, the Ministry of Science, Innovation, Technology and Telecommunications (MICITT), the National Meteorological Institute, state internet service provider RACSA, the Costa Rican Social Security Fund, the Ministry of Labor and Social Security, the Fund for Social Development and Family Allowances, and the Administrative Board of the Municipal Electricity Service of Cartago.

Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion. Royal does not use affiliates.

BlackCat, also known as ALPHV and Noberus, is a ransomware family written in Rust. It made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) who exploit it.

Qilin is a Russian-speaking cybercrime organisation that has been linked to a number of incidents, including a ransomware attack on hospitals in London.

References

  1. 1 2 3 4 5 6 7 8 9 10 11 "Ransomware Spotlight: LockBit". Trendmicro. Archived from the original on 2023-07-07. Retrieved 2023-07-07.
  2. "Understanding Ransomware Threat Actors: LockBit". CISA. 2023-06-14. Archived from the original on 2023-11-25. Retrieved 2023-11-25.
  3. 1 2 Tunney, Catharine (February 3, 2023). "Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada". Canadian Broadcasting Corporation . Archived from the original on November 25, 2023. Retrieved November 25, 2023.
  4. 1 2 "Understanding Ransomware Threat Actors: LockBit". CISA. 2023-06-14. Archived from the original on 2023-11-25. Retrieved 2023-11-25.
  5. Siddiqui, Zeba; Pearson, James; Pearson, James (2023-11-10). "Explainer: What is Lockbit? The digital extortion gang on a cybercrime spree". Reuters. Archived from the original on 2023-11-25. Retrieved 2023-11-25.
  6. 1 2 Sharwood, Simon (2024-02-20). "LockBit ransomware gang disrupted by global operation". The Register . Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  7. 1 2 Jones, Conor (2024-02-20). "Cops turn LockBit ransomware gang's countdown timers against them". The Register . Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  8. 1 2 3 4 Gatlan, Sergiu (22 February 2024). "ScreenConnect servers hacked in LockBit ransomware attacks". BleepingComputer. Archived from the original on 23 February 2024. Retrieved 23 February 2024. despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running.
  9. "Latest LockBit news". BleepingComputer. Archived from the original on 21 February 2024. Retrieved 23 February 2024. Developments added as they happen; latest 22 February 2024
  10. "How LockBit Ransomware Works (TT&P)". BlackBerry. Archived from the original on 20 February 2024. Retrieved 20 February 2024.
  11. 1 2 Hern, Alex (2024-02-20). "UK and US hack the hackers to bring down LockBit crime gang". The Guardian. ISSN   0261-3077. Archived from the original on 2024-02-20. Retrieved 2024-02-20.
  12. 1 2 "Prolific cybercrime gang disrupted by joint UK, US and EU operation". The Guardian. Reuters. 19 February 2024. Archived from the original on 20 February 2024. Retrieved 20 February 2024.
  13. Milmo, Dan (2023-01-13). "What is LockBit ransomware and how does it operate?". The Guardian. ISSN   0261-3077. Archived from the original on 2023-06-14. Retrieved 2023-07-20.
  14. 1 2 "What Is LockBit Ransomware?". Blackberry. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  15. "LockBit 2.0 Ransomware: An In-Depth Look at Lockfile & LockBit". Avertium. Archived from the original on 2023-07-07. Retrieved 2023-07-07.
  16. Damien Licata Caruso (18 January 2022). "Thales refuse le chantage, des hackers publient les données volées à sa branche aérospatiale". Le Parisien (in French). Archived from the original on 5 June 2023. Retrieved 21 July 2023.
  17. "Qui est LockBit 3.0, le cyber-rançonneur de La Poste Mobile ?". La Tribune (in French). 2022-07-08. Archived from the original on 2023-06-04. Retrieved 2023-07-21.
  18. Bodnar, Bogdan (2022-09-14). "Les hackers de l'hôpital de Corbeil-Essonnes revendiquent 12 cyberattaques d'organismes français". Numerama (in French). Archived from the original on 2022-09-15. Retrieved 2023-07-21.
  19. "Cybercriminalité : l'hôpital de Corbeil-Essonnes refuse de payer la rançon, les hackeurs ont commencé à diffuser des données". Le Monde (in French). 2022-09-25. Archived from the original on 2024-03-20. Retrieved 2023-07-21.
  20. "Pendragon car dealer refuses $60 million LockBit ransomware demand". BleepingComputer. 24 October 2022. Archived from the original on 2 June 2023. Retrieved 21 July 2023.
  21. "INFO FRANCEINFO. Un groupe de hackers revendique une cyberattaque contre Thales". Franceinfo (in French). 2022-10-31. Archived from the original on 2023-04-13. Retrieved 2023-07-21.
  22. "Cybersécurité : des données volées à Thales publiées sur le darkweb". Le Figaro (in French). 2022-11-11. Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  23. "Thales : Lockbit diffuse des données volées, l'entreprise dément toute intrusion dans son système". Le Monde (in French). 2022-11-11. Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  24. "Cyberattaque : L'OEHC refuse de négocier, et promet un retour à la normale le plus rapidement possible". France 3 Corse ViaStella (in French). 2022-11-16. Archived from the original on 2022-12-03. Retrieved 2023-07-21.
  25. Ilascu, Ionut (13 December 2022). "LockBit claims attack on California's Department of Finance". BleepingComputer. Archived from the original on 2023-01-11. Retrieved 2023-07-21.
  26. "LockBit ransomware claims attack on Port of Lisbon in Portugal". BleepingComputer. Archived from the original on 2023-03-28. Retrieved 2023-07-21.
  27. "Ransomware : après l'attaque d'un hôpital pour enfants, comment ce gang de pirates s'est excusé". Clubic (in French). 2023-01-02. Archived from the original on 2023-08-30. Retrieved 2023-07-21.
  28. "Continental victime d'une cyberattaque à 50 millions de dollars". Les Echos (in French). 2022-11-15. Archived from the original on 2023-06-29. Retrieved 2023-07-21.
  29. "Russian-Canadian arrested over global LockBit ransomware campaign". BBC News. 2022-11-10. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  30. Thierry, Gabriel (2023-01-13). "Le gang LockBit tente de faire chanter l'entreprise Nuxe". ZDNet France (in French). Archived from the original on 2023-01-16. Retrieved 2023-07-21.
  31. Thierry, Gabriel (2023-01-26). "Le leader français de la santé privée visé par LockBit". ZDNet France (in French). Archived from the original on 2023-03-26. Retrieved 2023-07-21.
  32. "Royal Mail faces threat from ransomware group LockBit". Reuters. 2023-02-08. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  33. "Royal Mail cyberattack linked to LockBit ransomware operation". BleepingComputer. Archived from the original on 2023-06-28. Retrieved 2023-07-21.
  34. "Qu'est-ce que LockBit, le rançongiciel utilisé contre les librairies Indigo?". Les affaires (in French). Archived from the original on 2023-04-01. Retrieved 2023-07-21.
  35. Thierry, Gabriel (2023-04-18). "LockBit étoffe encore son tableau de chasse hexagonal". ZDNet France (in French). Archived from the original on 2023-07-19. Retrieved 2023-07-21.
  36. Bodnar, Bogdan (2023-05-16). "Cyberattaque contre un grand média chinois, pourquoi est-ce inédit ?". Numerama (in French). Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  37. Thierry, Gabriel (2023-06-01). "Le piratage de Voyageurs du monde se solde par la fuite de plusieurs milliers de copies de passeports". ZDNet France (in French). Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  38. "Office of Public Affairs | Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses | United States Department of Justice". www.justice.gov. 2023-06-15. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  39. "TSMC denies LockBit hack as ransomware gang demands $70 million". BleepingComputer. Archived from the original on 2023-07-27. Retrieved 2023-07-21.
  40. Robinson, Teri (2023-07-14). "Lockbit 3.0 Claims Credit for Ransomware Attack on Japanese Port". Security Boulevard. Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  41. Vigliarolo, Brandon (2023-10-30). "LockBit alleges it boarded Boeing, stole 'sensitive data'". The Register . Archived from the original on 2023-11-19. Retrieved 2023-11-19.
  42. Dobberstein, Laura (2023-11-02). "Boeing acknowledges cyberattack on parts and distribution biz". The Register . Archived from the original on 2023-11-19. Retrieved 2023-11-19.
  43. "World's Biggest Bank Forced to Trade Via USB Stick After Hack". Bloomberg. 2023-11-10. Archived from the original on 2023-11-10. Retrieved 2023-11-10.
  44. Doherty, Katherine; McCormick, Liz Capo (9 November 2023). "World's Largest Bank Hit By Ransomware Gang Linked to Boeing, Ion Attacks". Bloomberg. Archived from the original on 2023-11-10. Retrieved 2023-12-06.
  45. "Boeing data published by Lockbit hacking gang". Reuters. November 10, 2023. Archived from the original on 2023-11-10. Retrieved 2023-11-10.
  46. Gallagher, Ryan; Doherty, Katherine; Almeida, Isis (17 November 2023). "Lockbit Gang Hacks Into Another US Financial Firm, Threatens to Dump Data". Bloomberg. Archived from the original on 2023-11-17. Retrieved 2023-12-06.
  47. Jones, Connor (17 November 2023). "LockBit revamps ransomware negotiations as payments dwindle". The Register. Archived from the original on 7 December 2023. Retrieved 6 December 2023.
  48. 1 2 Chidi, George (2024-02-12). "Fulton county's systems were hacked. Already weary officials are tight-lipped". The Guardian . Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  49. 1 2 Lyngaas, Sean; Spells, Alta. "Fulton County faces ransomware attack by 'financially motivated actors,' but county elections still on track". CNN. Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  50. "Croatian hospital's data leaked on dark web after cyberattack". Yahoo! Finance . 2024-07-02. Retrieved 2024-07-02.
  51. "Government to Russian hackers: We will not negotiate with criminals". Croatian Radiotelevision. 2024-07-02. Retrieved 2024-07-02.
  52. Toulas, Bill (22 February 2024). "LockBit ransomware secretly building next-gen encryptor before takedown". Bleeping Computer. Archived from the original on 23 February 2024. Retrieved 23 February 2024.
  53. Technical Appendix: LockBit-NG-Dev Detailed Analysis (PDF) (Report). Trend Research. 22 February 2024. Archived (PDF) from the original on 23 February 2024. Retrieved 23 February 2024.
  54. Gatlan, Sergiu (2024-02-19). "LockBit ransomware disrupted by global police operation". BleepingComputer. Archived from the original on 2024-02-19. Retrieved 2024-02-19.
  55. Vicens, A. J. (2024-02-19). "FBI, British authorities seize infrastructure of LockBit ransomware group". CyberScoop. Archived from the original on 2024-02-19. Retrieved 2024-02-19.
  56. Fingert, Tyler (2024-02-19). "Site run by cyber criminals behind Fulton County ransomware attack taken over". Fox 5 Atlanta. Archived from the original on 2024-02-19. Retrieved 2024-02-19.
  57. "Police arrest LockBit ransomware members, release decryptor in global crackdown". BleepingComputer. Archived from the original on 2024-02-24. Retrieved 2024-02-24.
  58. "LockBit ransomware gang has over $110 million in unspent bitcoin". BleepingComputer. Archived from the original on 2024-02-24. Retrieved 2024-02-24.
  59. Goodin, Dan (2024-02-22). "Ransomware associated with LockBit still spreading 2 days after server takedown". Ars Technica . Archived from the original on 2024-02-22. Retrieved 2024-02-22.
  60. 1 2 3 4 5 Lyons, Jessica (2024-02-26). "Back from the dead: LockBit taunts cops, threatens to leak Trump docs". The Register . Archived from the original on 2024-02-26. Retrieved 2024-02-26.
  61. "LockBit leader unmasked and sanctioned". NCA. 2024-05-07. Archived from the original on 2024-05-07. Retrieved 2024-05-07.
  62. "U.S. Charges Russian National with Developing and Operating LockBit Ransomware". Justice.gov. 2024-05-07. Archived from the original on 2024-05-07. Retrieved 2024-05-07.
  63. 1 2 "London Drugs hackers seek millions in ransom on claims of stolen employee data". Global News. Retrieved 2024-05-22.
  64. 1 2 "Cybercriminals threaten to leak London Drugs data if it doesn't pay $25M ransom". CTV News British Columbia. 2024-05-21. Retrieved 2024-05-22.
  65. "All London Drugs stores in Western Canada reopen following cyberattack". Global News. Retrieved 2024-05-22.
  66. "'Cybersecurity incident' leads to closure of London Drugs stores in western Canada". Global News. Retrieved 2024-04-29.
  67. Xie, Teresa; Gorrivan, Charles (2024-06-26). "Evolve Bank & Trust Confirms Data Was Stolen in Cyber Attack". Bloomberg. Retrieved 2024-06-27.
  68. "FinTech Banking Partner Evolve Bancorp Hit by Major Ransomware Attack". PYMNTS.com. 2024-06-26. Retrieved 2024-06-27.
  69. Croft, Daniel (2024-06-26). "LockBit lies about US Federal Reserve data, publishes alleged Evolve Bank data". www.cyberdaily.au. Retrieved 2024-06-27.

See also