LockBit Remains Top Global Ransomware Threat
The LockBit ransomware strain continues to be the primary digital extortion threat in every region and in almost every industry globally, according to a report by ZeroFox.
Researchers found that LockBit was leveraged in more than a quarter of global ransomware and digital extortion (R&DE) attacks in the seven quarters analyzed from January 2022 to September 2023.
This includes 30% of all R&DE attacks in Europe and 25% in North America during the period.
However, ZeroFox said that the overall proportion of attacks that LockBit accounts for is on a downward trajectory. This is likely due to increasing diversification of the R&DE landscape: ransomware-as-a-service (RaaS) offerings lower the barrier to entry for threat actors, so more groups compete for the same victim pool and LockBit's share shrinks even if its absolute activity does not.
LockBit Trends in North America
The researchers noted that, historically, LockBit has been consistently under-deployed against North America compared to other regions such as Europe: on average, 40% of LockBit victims were based in North America. There is evidence that this share is on an upward trajectory, however, and it is expected to reach 50% by the end of 2023.
The industries most frequently targeted by LockBit in North America between January 2022 and September 2023 were manufacturing, construction, retail, legal & consulting and healthcare.
Meanwhile, in Europe LockBit's share of R&DE attacks fell from 43.41% in Q1 2022 to 28.48% in the final quarter of the period, Q3 2023.
LockBit Intrusion Vectors
Because LockBit is deployed by a wide range of affiliates, a variety of intrusion methods have been used to deliver the payload.
The primary techniques identified (with their MITRE ATT&CK technique IDs) were:
- Exploiting Internet-Facing Applications (T1190). These were primarily remote code execution and privilege escalation vulnerabilities in externally reachable software.
- Phishing (T1566). LockBit affiliates used a variety of phishing lures to gain access to victims' networks, including malicious document attachments and emails posing as job applications (fake resumes) or copyright-infringement notices.
- External Remote Services (T1133). Threat actors use legitimate user credentials, obtained through credential harvesting, to log in to external-facing remote working services such as VPN or remote desktop gateways. Because the credentials are valid, these logins produce no failed-authentication noise; detecting them depends on context such as an unfamiliar source location or device, or logins that imply impossible travel.
- Drive-by Compromise (T1189). Operators have been observed gaining access when a user visits a compromised or malicious website, often targeting…
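The External Remote Services vector above is the one defenders most often miss, because the attacker authenticates successfully with a real account. The following is an added example, not code from the ZeroFox report or from any LockBit affiliate: a small Python detector that runs over constructed VPN authentication log lines (the CSV-style format, the user names and the IP addresses are all assumptions made up for this example) and flags two things a valid-credential intrusion tends to leave behind, a successful login from a country the account has never used during a baseline window, and two successful logins from different countries closer together than a person could travel.

```python
"""Flag successful remote-access logins that use valid credentials but
arrive from a source the account has never used, or that imply impossible
travel. Added illustration for the External Remote Services vector; the log
format and every sample line below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp,user,src_ip,country,result
# (a real VPN/RDP gateway export would need its own parser).
SAMPLE_LOG = """\
2023-09-01T08:02:11Z,alice,203.0.113.10,US,success
2023-09-02T08:05:40Z,alice,203.0.113.10,US,success
2023-09-03T07:58:03Z,alice,203.0.113.11,US,success
2023-09-04T09:12:00Z,bob,198.51.100.7,DE,success
2023-09-05T09:03:27Z,bob,198.51.100.7,DE,success
2023-09-06T03:41:09Z,alice,192.0.2.44,RO,success
2023-09-06T07:55:31Z,alice,203.0.113.10,US,success
2023-09-06T10:00:00Z,bob,192.0.2.44,RO,failure
2023-09-06T10:01:00Z,bob,192.0.2.44,RO,success
"""

# Everything before this instant is treated as "known good" history.
BASELINE_UNTIL = datetime(2023, 9, 6)


def parse(log):
    """Turn the constructed CSV lines into event dicts with parsed timestamps."""
    events = []
    for line in log.splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return events


def detect(events, baseline_until, travel_window=timedelta(hours=6)):
    """Return a list of (rule, user, timestamp, detail) alerts.

    new_country: a successful login after the baseline window from a country
        the account never authenticated from during the baseline.
    impossible_travel: two successful logins for the same account from
        different countries within travel_window of each other.
    Failed logins are ignored on purpose: the attacker has valid credentials,
    so the signal is in the successes, not in failures.
    """
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < baseline_until:
            baseline[e["user"]].add(e["country"])

    alerts = []
    last_success = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "success":
            continue
        if e["ts"] >= baseline_until and e["country"] not in baseline[e["user"]]:
            alerts.append(("new_country", e["user"], e["ts"], e["country"]))
        prev = last_success.get(e["user"])
        if (prev is not None and prev["country"] != e["country"]
                and e["ts"] - prev["ts"] <= travel_window):
            alerts.append(("impossible_travel", e["user"], e["ts"],
                           f"{prev['country']}->{e['country']}"))
        last_success[e["user"]] = e
    return alerts


def run_sample():
    """Run the detector over the constructed log with the fixed baseline."""
    return detect(parse(SAMPLE_LOG), BASELINE_UNTIL)


if __name__ == "__main__":
    for rule, user, ts, detail in run_sample():
        print(f"{ts.isoformat()} {rule:18} {user:6} {detail}")
```

On the sample data this yields three alerts: alice's 03:41 login from RO (new country), her 07:55 login from US only four hours later (impossible travel RO->US), and bob's first success from RO. Country is a coarse proxy chosen to keep the example self-contained; in production you would key the baseline on ASN or device fingerprint as well, tune the travel window against real geography, and expect to whitelist corporate VPN egress and known travellers, since a new-country rule on its own is noisy.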