U.S. and International Partners Release Comprehensive Cyber Advisory on LockBit Ransomware

Joint Advisory Helps Organizations Around the World Better Understand and Protect Against this Global Ransomware Threat

WASHINGTON – The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, France, and New Zealand (CERT NZ, NCSC-NZ) today published a joint Cybersecurity Advisory entitled, Understanding Ransomware Threat Actors: LockBit. This joint advisory is a comprehensive resource with common tools; exploitations; and tactics, techniques, and procedures (TTPs) used by LockBit affiliates, along with recommended mitigations for organizations to reduce the likelihood and impact of future ransomware incidents.

Threat actors using LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023, have attacked organizations of various sizes across a wide array of critical infrastructure sectors. To help organizations understand and defend against this global threat and its large number of unconnected LockBit affiliates, this advisory includes:

• A list of approximately 30 freeware and open-source tools used by LockBit actors,
• More than 40 of their TTPs mapped to MITRE ATT&CK,
• Observed common vulnerabilities and exposures (CVEs) used for exploitation,
• An evolution of LockBit RaaS along with worldwide trends and statistics, and
• Resources and services available from authoring agencies and recommended mitigations to help protect against the worldwide LockBit activity.

“Working with our U.S. and international partners, CISA is focused on reducing the prevalence of ransomware intrusions and their impacts, which include applying lessons learned from prior ransomware incidents that have affected far too many organizations,” said CISA Executive Assistant Director for Cybersecurity, Eric Goldstein. “This joint advisory on LockBit is another example of effective collaboration with our partners to provide timely and actionable resources to help all organizations understand and defend against this ransomware activity. As we look to the future, we must all work together to evolve to a model where ransomware actors are unable to use common tactics and techniques to compromise victims and work to ensure ransomware intrusions are detected and remediated before harm can occur.” 

"The FBI relentlessly pursues ransomware actors who continue to exploit vulnerable cyber ecosystems," said Bryan Vorndran, Assistant Director of the FBI's Cyber Division. "We are better positioned to combat this type of malicious activity through coordination and collaboration with our federal and international partners, which are key to better mitigating and preventing harm against the American public and our allies. The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit. If you believe you are the victim of a cyber crime, please contact your local FBI field office."

“LockBit is one of the most prolific and disruptive ransomware variants, having been used by cybercriminals against multiple sectors and organisations worldwide, including in Australia,” said Abigail Bradshaw, Head of the Australian Cyber Security Centre (ACSC). “With ransomware variants constantly evolving, this advice can help organisations strengthen and defend their networks.”

“The Canadian Centre for Cyber Security (part of the Communications Security Establishment) joins its international partners in sharing this important resource to shed some light on LockBit, one of the most deployed ransomware variants across the world, that has been used to target our critical infrastructure. Arming organizations with this knowledge will enable them to better understand, recognize and face this threat, making the cyber ecosystem safer for everyone,” said Sami Khoury, Head of the Canadian Centre for Cyber Security.

“Ransomware remains a major threat to businesses worldwide, including in the UK, and the LockBit operation has been the most active, with widespread consequences. It is essential for organisations to understand the serious consequences that ransomware attacks can have on their operations, finances and reputation,” said Paul Chichester, United Kingdom’s National Cyber Security Centre (NCSC) Director of Operations. “This advisory, issued with our international partners, emphasises the importance of network defenders taking the recommended actions to establish effective protections against such attacks.”

“Ransomware is one of the most severe cyber threats for government, businesses and society,” said acting President for Germany’s Federal Office for Information Security (BSI) Dr. Gerhard Schabhueser. “Amongst those actors guided by financial motivations, the Ransomware-as-a-Service LockBit is currently the most menacing in Germany as well as globally. We reiterate our call to all organizations to take appropriate action and increase their resilience.”

“We all face the same devastating cybercriminal threat posed by ransomwares. Therefore, we need to raise the level of cyber security of hospitals, public authorities, local administrations, compagnies, and help them protect themselves,” said Vincent Strubel, Director General of National Cybersecurity Agency of France (ANSSI). “The publication of this advisory contributes to this goal. It foremost demonstrates our shared desire to strengthen our relation with our close international partners to address this common challenge of massification and industrialization of this threat.”

“The National Cyber Security Centre (NCSC), part of New Zealand’s Government Communications Security Bureau, shares international partners focus on addressing ransomware. The NCSC welcomes this advisory which reflects the experience of our partners and the NCSC’s learnings from helping organisations address LockBit’s impact in New Zealand,” said Lisa Fong, Deputy Director General, New Zealand's National Cyber Security Centre (NCSC). “These combined learnings will help ensure organisations have the best information to increase their resilience to the threat of from ransomware. Helping build cyber security resilience through sharing of cyber threat information is a key part of the NCSC’s focus and we encourage all readers apply the mitigations set in this advisory.”

New Zealand’s Computer Emergency Response Team (CERT-NZ) Director Rob Pope said that businesses in New Zealand need to be aware of this and take action. “Ransomware is one the most devastating things that can happen to an organisation and we need to ensure that our countries are resilient to these attacks.”

All organizations are urged to promptly report cyber incidents, including ransomware, to their country’s respective authorities. In the U.S., report incidents and anomalous activity to a local FBI Field Office or CISA’s 24/7 Operations Center at Report@cisa.dhs.gov, cisa.gov/report, or (888) 282-0870.