Lockbit

Formation: 2019
Type: Cybercrime

LockBit is a cybercriminal group offering ransomware as a service (RaaS). Software developed by the group (also called ransomware) enables malicious actors who are willing to pay for it to carry out attacks using two tactics: they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak the data publicly if their demands are not met. [1]

According to a joint statement by various government agencies, LockBit was the world's most prolific ransomware in 2022. [2] It was estimated in early 2023 to be responsible for 44% of all ransomware incidents globally. [3]

In the United States between January 2020 and May 2023, Lockbit was used in approximately 1,700 ransomware attacks, with US$91 million paid in ransom to hackers. [4]

Government agencies did not formally attribute the group to any nation-state. [5] Software with the name "LockBit" appeared on a Russian-language cybercrime forum in January 2020. [4] The group is financially motivated. [3]

In February 2024, law enforcement agencies seized control of LockBit dark web sites used for attacks. [6] [7] However, further attacks with LockBit ransomware were later reported, with the group attempting a comeback. [8] [9]

Description

LockBit software, written in the C and C++ programming languages until .NET was used for the LockBit-NG-Dev under development at takedown in 2024, [8] gains initial access to computer systems using purchased access, unpatched vulnerabilities, insider access, and zero-day exploits, in the same way as other malware. LockBit then takes control of the infected system, collects network information, and steals and encrypts data. Demands are then made for the victim to pay a ransom for their data to be decrypted so that it is again available, and for the perpetrators to delete their copy, with the threat of otherwise making the data public. [10] (While the data are not published if the ransom is paid, law enforcement found when it took LockBit down that the data had not been deleted. [11])

LockBit gained attention for its creation and use of the malware called "StealBit", which automates transferring data to the intruder. This tool was introduced with the release of LockBit 2.0, which has fast and efficient encryption capabilities. To expand their reach, LockBit also released Linux-ESXI Locker version 1.0, targeting Linux hosts, particularly VMware ESXi servers. [1]

LockBit recruits affiliates and develops partnerships with other criminal groups. They hire network access brokers, cooperate with organizations like Maze, and recruit insiders from targeted companies. To attract talented hackers, they have sponsored underground technical writing contests. [1]

LockBit has targeted various industries globally; however, the healthcare and education sectors are the biggest victims. According to Trend Micro, in terms of attack attempts, the United States, India and Brazil are the top targeted countries. [1]

LockBit is efficient and adaptable: they emphasize their malware's speed and capabilities to attract victims. They take external factors like data privacy laws into consideration when targeting potential victims. LockBit's success also relies heavily on their affiliate program, which helps them innovate and compete in the ransomware landscape. [1]

On its site on the dark web, LockBit stated that it was "located in the Netherlands, completely apolitical and only interested in money". [12]

Techniques and tactics

LockBit operators frequently gain initial access by exploiting vulnerable Remote Desktop Protocol (RDP) servers or compromised credentials purchased from affiliates. Initial access vectors also include phishing emails with malicious attachments or links, brute-forcing weak RDP or VPN passwords, and exploiting vulnerabilities such as CVE-2018-13379 in Fortinet VPNs. [1]

Once installed, LockBit ransomware is often executed in Microsoft Windows via command-line arguments, scheduled tasks, or PowerShell scripts such as PowerShell Empire. LockBit uses tools such as Mimikatz, GMER, Process Hacker, and registry edits to gather credentials, disable security products, and evade defenses. It enumerates network connections to identify high-value targets such as domain controllers using scanners such as Advanced Port Scanner. [1]

For lateral movement, LockBit spreads through SMB file-sharing connections inside networks, using credentials gathered earlier. Other lateral movement techniques include distributing itself via compromised Group Policy objects, or using tools such as PsExec or Cobalt Strike. [1]
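The tools named in the two paragraphs above fall into distinct stages of an intrusion, and seeing several stages on one host in a short period is a stronger signal than any single tool. The following is an added example, not part of the original article: it correlates constructed process-creation events per host. The executable names, the event layout, the two-hour window and the three-stage threshold are all assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed default image names for the tools the section names. Renamed binaries
# defeat name matching, so real rules should also use hashes or PE metadata.
STAGE_BY_IMAGE = {
    "mimikatz.exe": "credential-access",
    "gmer.exe": "defense-evasion",
    "processhacker.exe": "defense-evasion",
    "advanced_port_scanner.exe": "discovery",
    "psexec.exe": "lateral-movement",
    "psexesvc.exe": "lateral-movement",  # service side of PsExec on the target
}

# Constructed process-creation events: (timestamp, host, image, command line).
SAMPLE_EVENTS = [
    ("2024-01-10T09:02:11", "WS-014", r"C:\Users\Public\advanced_port_scanner.exe", ""),
    ("2024-01-10T09:05:30", "WS-014", r"C:\Windows\System32\notepad.exe", "todo.txt"),
    ("2024-01-10T09:15:40", "WS-014", r"C:\Users\Public\mimikatz.exe", ""),
    ("2024-01-10T09:31:05", "WS-014", r"C:\Users\Public\ProcessHacker.exe", ""),
    ("2024-01-10T09:48:52", "WS-014", r"C:\Users\Public\PsExec.exe", r"\\DC01 cmd.exe"),
    ("2024-01-10T09:49:03", "DC01", r"C:\Windows\PSEXESVC.exe", ""),
    ("2024-01-10T08:00:00", "HELPDESK-02", r"C:\Tools\PsExec.exe", r"\\WS-020 cmd.exe"),
    ("2024-01-10T16:30:00", "HELPDESK-02", r"C:\Windows\System32\schtasks.exe",
     "/Create /TN Backup /TR backup.cmd /SC DAILY"),
]


def classify(image, cmdline):
    """Map one process-creation event to a stage label, or None if uninteresting."""
    name = ntpath.basename(image).lower()  # ntpath splits on backslashes on any OS
    if name in STAGE_BY_IMAGE:
        return STAGE_BY_IMAGE[name]
    if name == "schtasks.exe" and "/create" in cmdline.lower():
        return "scheduled-task"
    return None


def correlate(events, window_minutes=120, min_stages=3):
    """Return one alert per host that shows min_stages distinct stages in the window."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for ts, host, image, cmdline in events:
        stage = classify(image, cmdline)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))

    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = [(t, s) for t, s in hits[i:] if t - start <= window]
            stages = sorted({s for _, s in in_window})
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "stages": stages,
                    "first_seen": start.isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only WS-014 is flagged; the help-desk host that legitimately uses PsExec and a scheduled task hours apart stays below the threshold.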

LockBit's ransomware payload encrypts files and network shares using AES and RSA encryption. It encrypts only the first few kilobytes of each file for faster processing, and adds a ".lockbit" extension. LockBit then replaces the desktop wallpaper with a ransom note; it can also print ransom notes to attached printers. The goal is to extort payment of a ransom to reverse system disruption and restore file access. [1]
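Because only the start of each file is encrypted, an affected file has a high-entropy head followed by an untouched body, which distinguishes it from archives and media that are high-entropy throughout. The following is an added example, not part of the original article, of a triage check for incident response built on that observation. The 4 KiB head size, the entropy thresholds and the sample files are assumptions; the article says only "the first few kilobytes".

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

HEAD_SIZE = 4096       # assumption: the article says only "first few kilobytes"
HIGH, LOW = 7.2, 6.5   # assumed thresholds, in bits of entropy per byte


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_file(path, head_size=HEAD_SIZE):
    """Compare entropy of the first and last head_size bytes of one file."""
    ext_hit = path.lower().endswith(".lockbit")
    size = os.path.getsize(path)
    if size < 2 * head_size:
        # Too short for head and tail to be separate samples.
        return {"path": path, "verdict": "extension-only" if ext_hit else "too-small"}
    with open(path, "rb") as f:
        head = f.read(head_size)
        f.seek(size - head_size)
        tail = f.read(head_size)
    h, t = shannon_entropy(head), shannon_entropy(tail)
    if h >= HIGH and t <= LOW:
        verdict = "partial-encryption"   # random-looking head, ordinary body
    elif ext_hit:
        verdict = "extension-only"
    elif h >= HIGH:
        verdict = "uniform-high"         # compressed or fully encrypted, not head-only
    else:
        verdict = "clean"
    return {"path": path, "verdict": verdict, "head": round(h, 2), "tail": round(t, 2)}


def pseudo_random(n):
    """Deterministic high-entropy bytes, a constructed stand-in for ciphertext."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(8, "big")).digest()
        i += 1
    return bytes(out[:n])


def build_samples(directory):
    """Write constructed sample files covering each verdict."""
    text = b"Quarterly figures for the finance team.\n" * 400
    samples = {
        "report.docx.lockbit": pseudo_random(HEAD_SIZE) + text,
        "notes.txt": text,
        "archive.bin": pseudo_random(4 * HEAD_SIZE),
        "tiny.txt": b"hello",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)


def scan(directory):
    """Return {file name: verdict} for every regular file in directory."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = triage_file(path)["verdict"]
    return results


def demo():
    with tempfile.TemporaryDirectory() as d:
        build_samples(d)
        return scan(d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:20} {name}")
```

Files flagged as partial-encryption still contain most of their original content after the head, which matters when estimating what can be carved from affected volumes.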

History

Lockbit malware was previously known as ".abcd", after the file extension that was added to encrypted files as they were made inaccessible. [13]

LockBit was first observed in September 2019. [14]

LockBit 2.0

LockBit 2.0 appeared in 2021 [14] and came into the spotlight with the group's attack on Accenture the same year, where an insider probably helped the group enter the network. LockBit published some of the data stolen in this attack. [15] [1]

In January 2022, the electronics company Thales was one of the victims of Lockbit 2.0. [16]

In July 2022, the administrative and management services of La Poste Mobile were attacked. [17]

In September 2022, the group's hackers claimed cyberattacks against 28 organizations, 12 of which involved French organizations. [18] Among them, the Corbeil Essonnes hospital was targeted with a ransom demand of US$10 million. [19]

In October 2022, the Lockbit group claimed responsibility for an attack on Pendragon PLC, a group of automotive retailers in the UK, demanding a ransom of US$60 million to decrypt the files and not leak them; the company stated that they refused the demand. [20]

On October 31, 2022, the Lockbit hacker group claimed to have attacked Thales Group for the second time and did not demand a ransom, but said that the data would be released. The hacker group offered assistance to Thales customers affected by the theft, in order to lodge a complaint against Thales, a group "that has greatly disregarded confidentiality rules". [21] On November 10, 2022, the LockBit 3.0 group published on the darknet a 9.5 GB archive with stolen information on Thales contracts in Italy and Malaysia. [22] [23]

In November 2022, OEHC - Office d'Équipement Hydraulique de Corse - was the victim of a cyberattack that encrypted the company's computer data. A ransom demand was made by the hacker group, to which OEHC did not respond. [24]

In December 2022, the Lockbit hacker group claimed responsibility for the attack on the California Finance Administration. The governor's office acknowledged being the victim of an attack, without specifying its scale. Lockbit claims to have stolen 246,000 files with a total size of 75.3 GB. [25]

In December 2022, the hacker group claimed to have attacked the port of Lisbon. The ransom was set at US$1.5 million, to be paid by January 18, 2023. [26]

On December 18, 2022, a group of hackers attacked Toronto's Hospital for Sick Children. After realizing their blunder, the hacker group stopped the attack, apologized and offered a free solution to recover the encrypted files. [27]

LockBit 3.0

In late June 2022, the group launched "LockBit 3.0", the latest variant of their ransomware, after two months of beta testing. Notably, the group introduced a bug bounty program, the first of its kind in the realm of ransomware operations. They invited security researchers to test their software to improve their security, offering substantial monetary rewards ranging from US$1,000 to $1 million. [1]

In August 2022, German equipment manufacturer Continental suffered a Lockbit ransomware attack. In November 2022, with no response to its ransom demand, the hacker group published part of the stolen data and offered access to all of it for 50 million euros. The stolen data include information about the private lives of the group's employees, as well as exchanges with German car manufacturers. Beyond the theft of data, the danger lies in opening the way to industrial espionage. Indeed, the exchanges with Volkswagen cover IT aspects, from automated driving to entertainment, in which Volkswagen wanted Continental to invest. [28]

In November 2022, the United States Department of Justice announced the arrest of Mikhail Vasiliev, a dual Russian and Canadian national, in connection with the LockBit ransomware campaign. According to the charges, Vasiliev allegedly conspired with others involved in LockBit, a ransomware variant that had been used in over 1,000 attacks globally as of November 2022. According to reports, the operators of LockBit had made at least $100 million in ransom demands, of which tens of millions had been paid by victims. The arrest followed a 2.5 year investigation into the LockBit ransomware group by the Department of Justice. [29]

In January 2023, the hacker group claimed to have attacked the French luxury goods company Nuxe [30] and ELSAN, a French group of private clinics. The hacker group filched 821 GB of data from the company's headquarters. [31] The same month, Royal Mail's international export services were severely disrupted by a Lockbit ransomware attack. [32] [33]

In February 2023, the group claimed responsibility for an attack on Indigo Books and Music, a chain of Canadian bookstores. [34]

In March 2023, the group claimed responsibility for attacking BRL Group, a water specialist in France. [35]

On May 16, 2023, the hacker group claimed responsibility for attacking the Hong Kong branch of the Chinese newspaper China Daily. This is the first time the hacker group has attacked a Chinese company. Lockbit does not attack Russian entities and avoids attacking Russian allies. [36]

In May 2023, the hacker group claimed responsibility for the attack on Voyageurs du Monde. The hacker group stole some 10,000 identity documents from the company's customer files. [37]

In June 2023, the United States Department of Justice announced criminal charges against Ruslan Magomedovich Astamirov, a Russian national, for his alleged participation in the LockBit ransomware campaign as an affiliate. The charges allege that Astamirov directly executed at least five ransomware attacks against victims and received a portion of ransom payments in bitcoin. [38]

At the end of June 2023, the TSMC group fell victim to a ransomware attack via one of its suppliers. LockBit demanded a $70 million ransom. [39]

In July 2023, Lockbit attacked the Port of Nagoya in Japan, which handles 10% of the country's trade. The attack forced a shutdown of container operations. [40] In October 2023, Lockbit claimed to have stolen sensitive data from Boeing. [41] Boeing acknowledged they were aware of a cyber incident affecting some of their parts and distribution business a few days later, though it did not affect flight safety; they did not name the suspected attackers. [42]

In November 2023, Lockbit attacked the U.S. subsidiary of the Chinese state-owned Industrial and Commercial Bank of China. [43] Bloomberg reported that the US unit of ICBC at the time was considered the world's largest lender by assets. [44]

In November 2023, Lockbit released internal data that the group had stolen a month earlier from Boeing onto the Internet. [45]

In November 2023, the Lockbit gang attacked the Chicago Trading Company and Alphadyne Asset Management. Bloomberg reported that the CTC had been hacked in October, and that over the prior year Lockbit had "become the world’s most prolific ransomware group." Since 2020, it had reportedly carried out 1,700 attacks and extorted $91 million, according to the US Cybersecurity and Infrastructure Security Agency. [46] The Register reported in late November 2023 that LockBit was facing growing internal frustrations, and that its leaders were overhauling some of its negotiation methods with victims in response to the low pay rate achieved. [47]

In January 2024, the Lockbit gang attacked Fulton County computers. [48] [49] The county released a statement on the attack the following month, saying that they had not paid the ransom, that the attack was not associated with the election process, and that they were not aware of any extraction of sensitive information about citizens or employees. [48] [49]

LockBit-NG-Dev (LockBit 4?)

When the LockBit server was closed down by law enforcement in February 2024, it was found that a new version, LockBit-NG-Dev, probably to be released as LockBit 4.0, had been under advanced development; [50] Trend Micro published a detailed report on it. [51]

Seizure by law enforcement

On February 19, 2024, the National Crime Agency in collaboration with Europol and other international law enforcement agencies seized control of darknet websites belonging to the LockBit ransomware gang as a part of Operation Cronos. [52] [53] [54] [6] [7] An unverified report said that Lockbit had said that its servers running on the programming language PHP had been hit, but that it had backup servers without PHP that were "not touched". [12] One person was arrested in Ukraine, one in Poland, and two in the United States. Two Russians were also named, but have not been arrested. According to Graeme Biggar, Director General of the National Crime Agency, law enforcement has "taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems." [11] A decryptor for LockBit 3.0 was made using the seized keys and released for free use on No More Ransom. [55]

After the takedown, law enforcement posted information about the group on its dark web site, including that it had at least 188 affiliates. [8] Law enforcement also obtained 30,000 Bitcoin addresses used for managing the group's profits from ransom payments, which contained 2,200 BTC ($112 million USD). [56]

As of 22 February 2024 LockBit ransomware was still spreading. [57] [8]

On 24 February 2024 a new website claiming to be run by Lockbit appeared. [58] The new site listed more than a dozen alleged victims including the FBI, hospitals and Fulton County, Georgia. [58] The new site threatened to release information relating to Fulton County unless a ransom was paid by March 2, 2024. [58] The new site claimed to have the identities of members of a jury in a murder trial. [58] There was also a threat to release Fulton County documents relating to court cases involving Donald Trump if the ransom wasn't paid. [58]

References

  1. "Ransomware Spotlight: LockBit". Trendmicro. Archived from the original on 2023-07-07. Retrieved 2023-07-07.
  2. "Understanding Ransomware Threat Actors: LockBit". CISA. 2023-06-14. Archived from the original on 2023-11-25. Retrieved 2023-11-25.
  3. Tunney, Catharine (February 3, 2023). "Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada". Canadian Broadcasting Corporation. Archived from the original on November 25, 2023. Retrieved November 25, 2023.
  4. "Understanding Ransomware Threat Actors: LockBit". CISA. 2023-06-14. Archived from the original on 2023-11-25. Retrieved 2023-11-25.
  5. Siddiqui, Zeba; Pearson, James; Pearson, James (2023-11-10). "Explainer: What is Lockbit? The digital extortion gang on a cybercrime spree". Reuters. Archived from the original on 2023-11-25. Retrieved 2023-11-25.
  6. Sharwood, Simon (2024-02-20). "LockBit ransomware gang disrupted by global operation". The Register. Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  7. Jones, Conor (2024-02-20). "Cops turn LockBit ransomware gang's countdown timers against them". The Register. Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  8. Gatlan, Sergiu (22 February 2024). "ScreenConnect servers hacked in LockBit ransomware attacks". BleepingComputer. Archived from the original on 23 February 2024. Retrieved 23 February 2024. despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running.
  9. "Latest LockBit news". BleepingComputer. Archived from the original on 21 February 2024. Retrieved 23 February 2024. Developments added as they happen; latest 22 February 2024
  10. "How LockBit Ransomware Works (TT&P)". BlackBerry. Archived from the original on 20 February 2024. Retrieved 20 February 2024.
  11. Hern, Alex (2024-02-20). "UK and US hack the hackers to bring down LockBit crime gang". The Guardian. ISSN 0261-3077. Archived from the original on 2024-02-20. Retrieved 2024-02-20.
  12. "Prolific cybercrime gang disrupted by joint UK, US and EU operation". The Guardian. Reuters. 19 February 2024. Archived from the original on 20 February 2024. Retrieved 20 February 2024.
  13. Milmo, Dan (2023-01-13). "What is LockBit ransomware and how does it operate?". The Guardian. ISSN 0261-3077. Archived from the original on 2023-06-14. Retrieved 2023-07-20.
  14. "What Is LockBit Ransomware?". Blackberry. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  15. "LockBit 2.0 Ransomware: An In-Depth Look at Lockfile & LockBit". Avertium. Archived from the original on 2023-07-07. Retrieved 2023-07-07.
  16. Damien Licata Caruso (18 January 2022). "Thales refuse le chantage, des hackers publient les données volées à sa branche aérospatiale". Le Parisien (in French). Archived from the original on 5 June 2023. Retrieved 21 July 2023.
  17. "Qui est LockBit 3.0, le cyber-rançonneur de La Poste Mobile ?". La Tribune (in French). 2022-07-08. Archived from the original on 2023-06-04. Retrieved 2023-07-21.
  18. Bodnar, Bogdan (2022-09-14). "Les hackers de l'hôpital de Corbeil-Essonnes revendiquent 12 cyberattaques d'organismes français". Numerama (in French). Archived from the original on 2022-09-15. Retrieved 2023-07-21.
  19. "Cybercriminalité : l'hôpital de Corbeil-Essonnes refuse de payer la rançon, les hackeurs ont commencé à diffuser des données". Le Monde (in French). 2022-09-25. Archived from the original on 2024-03-20. Retrieved 2023-07-21.
  20. "Pendragon car dealer refuses $60 million LockBit ransomware demand". BleepingComputer. 24 October 2022. Archived from the original on 2 June 2023. Retrieved 21 July 2023.
  21. "INFO FRANCEINFO. Un groupe de hackers revendique une cyberattaque contre Thales". Franceinfo (in French). 2022-10-31. Archived from the original on 2023-04-13. Retrieved 2023-07-21.
  22. "Cybersécurité : des données volées à Thales publiées sur le darkweb". Le Figaro (in French). 2022-11-11. Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  23. "Thales : Lockbit diffuse des données volées, l'entreprise dément toute intrusion dans son système". Le Monde (in French). 2022-11-11. Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  24. "Cyberattaque : L'OEHC refuse de négocier, et promet un retour à la normale le plus rapidement possible". France 3 Corse ViaStella (in French). 2022-11-16. Archived from the original on 2022-12-03. Retrieved 2023-07-21.
  25. Ilascu, Ionut (13 December 2022). "LockBit claims attack on California's Department of Finance". BleepingComputer. Archived from the original on 2023-01-11. Retrieved 2023-07-21.
  26. "LockBit ransomware claims attack on Port of Lisbon in Portugal". BleepingComputer. Archived from the original on 2023-03-28. Retrieved 2023-07-21.
  27. "Ransomware : après l'attaque d'un hôpital pour enfants, comment ce gang de pirates s'est excusé". Clubic (in French). 2023-01-02. Archived from the original on 2023-08-30. Retrieved 2023-07-21.
  28. "Continental victime d'une cyberattaque à 50 millions de dollars". Les Echos (in French). 2022-11-15. Archived from the original on 2023-06-29. Retrieved 2023-07-21.
  29. "Russian-Canadian arrested over global LockBit ransomware campaign". BBC News. 2022-11-10. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  30. Thierry, Gabriel (2023-01-13). "Le gang LockBit tente de faire chanter l'entreprise Nuxe". ZDNet France (in French). Archived from the original on 2023-01-16. Retrieved 2023-07-21.
  31. Thierry, Gabriel (2023-01-26). "Le leader français de la santé privée visé par LockBit". ZDNet France (in French). Archived from the original on 2023-03-26. Retrieved 2023-07-21.
  32. "Royal Mail faces threat from ransomware group LockBit". Reuters. 2023-02-08. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  33. "Royal Mail cyberattack linked to LockBit ransomware operation". BleepingComputer. Archived from the original on 2023-06-28. Retrieved 2023-07-21.
  34. "Qu'est-ce que LockBit, le rançongiciel utilisé contre les librairies Indigo?". Les affaires (in French). Archived from the original on 2023-04-01. Retrieved 2023-07-21.
  35. Thierry, Gabriel (2023-04-18). "LockBit étoffe encore son tableau de chasse hexagonal". ZDNet France (in French). Archived from the original on 2023-07-19. Retrieved 2023-07-21.
  36. Bodnar, Bogdan (2023-05-16). "Cyberattaque contre un grand média chinois, pourquoi est-ce inédit ?". Numerama (in French). Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  37. Thierry, Gabriel (2023-06-01). "Le piratage de Voyageurs du monde se solde par la fuite de plusieurs milliers de copies de passeports". ZDNet France (in French). Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  38. "Office of Public Affairs | Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses | United States Department of Justice". www.justice.gov. 2023-06-15. Archived from the original on 2023-07-20. Retrieved 2023-07-20.
  39. "TSMC denies LockBit hack as ransomware gang demands $70 million". BleepingComputer. Archived from the original on 2023-07-27. Retrieved 2023-07-21.
  40. Robinson, Teri (2023-07-14). "Lockbit 3.0 Claims Credit for Ransomware Attack on Japanese Port". Security Boulevard. Archived from the original on 2023-07-21. Retrieved 2023-07-21.
  41. Vigliarolo, Brandon (2023-10-30). "LockBit alleges it boarded Boeing, stole 'sensitive data'". The Register. Archived from the original on 2023-11-19. Retrieved 2023-11-19.
  42. Dobberstein, Laura (2023-11-02). "Boeing acknowledges cyberattack on parts and distribution biz". The Register. Archived from the original on 2023-11-19. Retrieved 2023-11-19.
  43. "World's Biggest Bank Forced to Trade Via USB Stick After Hack". Bloomberg. 2023-11-10. Archived from the original on 2023-11-10. Retrieved 2023-11-10.
  44. Doherty, Katherine; McCormick, Liz Capo (9 November 2023). "World's Largest Bank Hit By Ransomware Gang Linked to Boeing, Ion Attacks". Bloomberg. Archived from the original on 2023-11-10. Retrieved 2023-12-06.
  45. "Boeing data published by Lockbit hacking gang". Reuters. November 10, 2023. Archived from the original on 2023-11-10. Retrieved 2023-11-10.
  46. Gallagher, Ryan; Doherty, Katherine; Almeida, Isis (17 November 2023). "Lockbit Gang Hacks Into Another US Financial Firm, Threatens to Dump Data". Bloomberg. Archived from the original on 2023-11-17. Retrieved 2023-12-06.
  47. Jones, Connor (17 November 2023). "LockBit revamps ransomware negotiations as payments dwindle". The Register. Archived from the original on 7 December 2023. Retrieved 6 December 2023.
  48. Chidi, George (2024-02-12). "Fulton county's systems were hacked. Already weary officials are tight-lipped". The Guardian. Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  49. Lyngaas, Sean; Spells, Alta. "Fulton County faces ransomware attack by 'financially motivated actors,' but county elections still on track". CNN. Archived from the original on 2024-02-21. Retrieved 2024-02-21.
  50. Toulas, Bill (22 February 2024). "LockBit ransomware secretly building next-gen encryptor before takedown". Bleeping Computer. Archived from the original on 23 February 2024. Retrieved 23 February 2024.
  51. Technical Appendix: LockBit-NG-Dev Detailed Analysis (PDF) (Report). Trend Research. 22 February 2024. Archived (PDF) from the original on 23 February 2024. Retrieved 23 February 2024.
  52. Gatlan, Sergiu (2024-02-19). "LockBit ransomware disrupted by global police operation". BleepingComputer. Archived from the original on 2024-02-19. Retrieved 2024-02-19.
  53. Vicens, A. J. (2024-02-19). "FBI, British authorities seize infrastructure of LockBit ransomware group". CyberScoop. Archived from the original on 2024-02-19. Retrieved 2024-02-19.
  54. Fingert, Tyler (2024-02-19). "Site run by cyber criminals behind Fulton County ransomware attack taken over". Fox 5 Atlanta. Archived from the original on 2024-02-19. Retrieved 2024-02-19.
  55. "Police arrest LockBit ransomware members, release decryptor in global crackdown". BleepingComputer. Archived from the original on 2024-02-24. Retrieved 2024-02-24.
  56. "LockBit ransomware gang has over $110 million in unspent bitcoin". BleepingComputer. Archived from the original on 2024-02-24. Retrieved 2024-02-24.
  57. Goodin, Dan (2024-02-22). "Ransomware associated with LockBit still spreading 2 days after server takedown". Ars Technica. Archived from the original on 2024-02-22. Retrieved 2024-02-22.
  58. Lyons, Jessica (2024-02-26). "Back from the dead: LockBit taunts cops, threatens to leak Trump docs". The Register. Archived from the original on 2024-02-26. Retrieved 2024-02-26.
