The LockBit ransomware group has emerged as a formidable cyber threat, targeting large corporations and disrupting global operations. This blog post delves into the recent activities of LockBit, highlighting their tactics, techniques, and procedures (TTPs), and showcasing high-profile attacks on companies such as Boeing and the Industrial and Commercial Bank of China (ICBC).
Boeing Cybersecurity Breach
In late October 2023, Boeing, a leading aerospace company, was hit by LockBit ransomware. The group gained initial access by exploiting the Citrix Bleed vulnerability (CVE-2023-4966) in Citrix NetScaler ADC and Gateway appliances, for which a patch had been available before the attack. Citrix Bleed is an out-of-bounds memory read that leaks session tokens from the appliance, so a token captured before the fix still works afterwards; patching had to be paired with terminating all active and persistent sessions, as Citrix and CISA advised at the time. LockBit subsequently published about 40 GB of Boeing’s data, raising major concerns about aviation industry cybersecurity (source: Boeing’s Cybersecurity Breach by LOCKBIT Ransomware – TIR).
ICBC Financial Services Attack
On November 8, 2023, ICBC Financial Services, the U.S. arm of the world’s largest commercial bank by assets, suffered a ransomware attack that disrupted settlement in the U.S. Treasury market. The incident was potentially linked, like the Boeing breach, to the Citrix Bleed vulnerability (CVE-2023-4966), which shows how a single unpatched edge appliance can ripple through financial services and global trading (source: ICBC hit by ransomware attack – TIR).
LockBit’s Evolving Tactics
LockBit’s tactics demonstrate their adaptability and focus on maximizing profits. For instance, they have restructured their ransom negotiation methods in response to declining ransom payments. New policies include setting the ransom amount as a function of the victim’s annual revenue and capping the discount an affiliate may offer at 50% of the initial demand. A notable case involved CDW, a large reseller, where LockBit broke off negotiations because CDW’s offer was far below the calculated demand (source: LockBit Reforms Negotiation Tactics – TIR).
TTPs and Impact
LockBit’s TTPs span the whole intrusion chain. Initial access comes from exploiting vulnerabilities in exposed services (ATT&CK T1190), and execution often relies on legitimate software deployment tools (T1072) already present in the victim’s environment. Once inside, the affiliates establish persistence and escalate privileges, obfuscate their activity and remove indicators such as event logs to evade defenses (T1027, T1070). Their techniques also include OS credential dumping (T1003), network service discovery (T1046), remote services for lateral movement (T1021), and application layer protocols for command and control (T1071). The ultimate impact is data theft, data destruction (including deletion of backups and shadow copies that would allow recovery), and service disruption.
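The following is an added example, not code from the original post or from any vendor product, showing how a detection engineer might turn the TTP families above into process-creation rules keyed by ATT&CK ID and run them over endpoint telemetry. The command patterns are common LOLBin invocations for each technique family, the tab-separated event lines are constructed for illustration, and neither represents commands observed in the Boeing or ICBC incidents.

```python
"""Process-creation rule matcher for the LockBit TTP families discussed above.

Added example, not code from the original post. Rules map common commands to
ATT&CK IDs; the sample events are constructed and not from a real incident.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK technique ID
    name: str
    pattern: re.Pattern  # searched case-insensitively against the command line


RULES = (
    Rule("T1046", "Network Service Discovery",
         re.compile(r"\b(nmap|masscan|advanced_ip_scanner|netscan)(\.exe)?\b", re.I)),
    Rule("T1003.001", "OS Credential Dumping: LSASS Memory",
         re.compile(r"procdump(64)?(\.exe)?\s.*\blsass"
                    r"|comsvcs\.dll[\s,]+(#?24|MiniDump)\b", re.I)),
    Rule("T1021.002", "Remote Services: SMB/Windows Admin Shares",
         re.compile(r"\bpsexe(c|svc)(64)?(\.exe)?\b|\\\\[^\\\s]+\\admin\$", re.I)),
    Rule("T1490", "Inhibit System Recovery",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                    r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    Rule("T1070.001", "Indicator Removal: Clear Windows Event Logs",
         re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s", re.I)),
)

# Constructed sample telemetry: timestamp, host, user, command line (tab-separated).
# Hosts, users, paths and times are invented for this example.
SAMPLE_EVENTS = """\
2023-11-01T13:58:02Z\tWS-0412\tjdoe\t"C:\\Windows\\System32\\notepad.exe" C:\\Users\\jdoe\\notes.txt
2023-11-01T14:01:47Z\tWS-0412\tjdoe\tC:\\Temp\\netscan.exe /range:10.20.0.0/16
2023-11-01T14:05:13Z\tWS-0412\tSYSTEM\trundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 652 C:\\Temp\\l.dmp full
2023-11-01T14:09:30Z\tWS-0412\tjdoe\tpsexec.exe \\\\FS-01 -s -d cmd.exe /c C:\\Temp\\lb.exe
2023-11-01T14:12:05Z\tFS-01\tSYSTEM\tvssadmin.exe delete shadows /all /quiet
2023-11-01T14:12:06Z\tFS-01\tSYSTEM\tbcdedit.exe /set {default} recoveryenabled no
2023-11-01T14:12:09Z\tFS-01\tSYSTEM\twevtutil.exe cl Security
"""


def parse_event(line: str) -> dict:
    """Split one tab-separated telemetry line into its four fields."""
    ts, host, user, cmdline = line.split("\t", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}


def detect(events_text: str) -> list:
    """Return (timestamp, host, technique, name) for every rule that fires."""
    hits = []
    for raw in events_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                hits.append((ev["ts"], ev["host"], rule.technique, rule.name))
    return hits


def techniques_by_host(hits: list) -> dict:
    """Ordered, de-duplicated technique sequence per host.

    A single hit is noisy (admins run vssadmin too); several distinct
    ransomware-precursor techniques on one host within minutes is the
    signal worth paging on.
    """
    seq: dict = {}
    for _, host, technique, _ in hits:
        chain = seq.setdefault(host, [])
        if technique not in chain:
            chain.append(technique)
    return seq


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for ts, host, tid, name in found:
        print(f"{ts} {host:8} {tid:10} {name}")
    for host, chain in techniques_by_host(found).items():
        print(f"{host}: {' -> '.join(chain)}")
```

Command-line matching is deliberately cheap and is also the easiest layer for an affiliate to evade by renaming binaries or obfuscating arguments, which the post notes LockBit does; in practice these rules should be corroborated by telemetry the attacker cannot rewrite from the command line, such as Security event 1102 (audit log cleared), Sysmon event 10 process-access records against lsass.exe, and the service-install events a PsExec-style tool leaves on the target.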
Conclusion
The LockBit ransomware group’s recent activities, particularly the attacks on Boeing and ICBC FS, underscore the necessity for robust cybersecurity measures across all sectors. The group’s strategic shift towards more controlled and profitable operations highlights the evolving landscape of cyber threats and the need for continuous vigilance and adaptive cybersecurity strategies.
Further Reading
- Boeing’s Cybersecurity Breach by LOCKBIT Ransomware – TIR
- ICBC hit by ransomware attack – TIR
- LockBit Reforms Negotiation Tactics – TIR