LockBit Remains Top Global Ransomware Threat

/in


The LockBit ransomware strain continues to be the primary digital extortion threat to all regions, and almost all industries globally, according to a report by ZeroFox.

Researchers found that LockBit was leveraged in more than a quarter of global ransomware and digital extortion (R&DE) attacks in the seven quarters analyzed from January 2022 to September 2023.

This includes 30% of all R&DE attacks in Europe and 25% in North America during the period.

However, ZeroFox said that the overall proportion of attacks that LockBit accounts for is on a downward trajectory. This is likely due to increasing diversification of the R&DE landscape, with ransomware-as-a-service (RaaS) offerings lowering the barriers to entry for threat actors.

LockBit Trends in North America

The researchers noted that historically LockBit has been consistently under-deployed in attacks against North America compared to other regions, such as Europe. An average of 40% of LockBit victims were based in North America, but there is evidence this is on an upward trajectory, expected to reach 50% by the end of 2023.

The industries most frequently targeted by LockBit in North America between January 2022 and September 2023 were manufacturing, construction, retail, legal & consulting and healthcare.

Meanwhile, LockBit made up 43.41% of R&DE attacks in Europe in Q1 2022, but decreased to 28.48% in the final quarter of the period, Q3 2023.

LockBit Intrusion Vectors

Due to the wide range of LockBit operators, a variety of intrusion methods have been used to deploy the payload.

The primary techniques identified were:

  • Exploiting Internet-Facing Applications. These were primarily a range of remote code execution and privilege escalation vulnerabilities.
  • Phishing. LockBit affiliates leveraged a variety of phishing lures to access victims’ networks, including attaching malicious documents and fraudulent resume and copyright-related emails.
  • External Remote Services. Threat actors leverage legitimate user credentials obtained via credential harvesting to access external-facing remote working services.
  • Drive-by Compromise. Operators have been observed accessing systems via a user visiting a website, often targeting…

Source…