On June 14, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) along with other US-based and international security organizations released a joint cybersecurity advisory (CSA) detailing the operations behind the LockBit ransomware attacks. LockBit was the most deployed ransomware in 2022 and has continued to be prolific in attacks this year.
LockBit is a ransomware family that has been active since September 2019 and operates under the Ransomware-as-a-Service (RaaS) model. Multiple affiliates conduct the initial intrusions and deliver the LockBit ransomware; the LockBit operators then take over, handling the encryption and the ransom negotiations. LockBit has continued to evolve, with new variants constantly under development.
The latest advisory from CISA is a follow-up to an alert published in March 2023 as part of CISA’s #StopRansomware effort to arm network defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors. AttackIQ immediately released a fully featured attack graph that emulated various LockBit 3.0 attacks so customers could begin testing their security controls against similar attacks.
There is extensive overlap between the two advisories and customers should continue to use the previously released attack graph to test against LockBit operators. A full writeup containing all of the techniques used along with mitigation recommendations can be found in our previous blog post “Attack Graph Response to CISA Advisory (AA23-075A): #StopRansomware: LockBit 3.0”.
Since LockBit operates under a RaaS model, there isn’t a standard intrusion playbook used by all affiliates. These affiliates and initial access brokers leverage a wide variety of Tactics, Techniques, and Procedures (TTPs) in the initial stages of an attack. In addition to the LockBit-specific attack graph, AttackIQ recommends that customers review the attack graphs we’ve released in response to previous #StopRansomware advisories.
Many of these ransomware groups also operate under RaaS models, and these graphs can be used to give a wider picture of security control effectiveness against many different affiliates:
- AA23-158A: #StopRansomware: CL0P Ransomware
- AA23-136A: #StopRansomware: BianLian Ransomware Group
- AA23-061A: #StopRansomware: Royal Ransomware
- AA22-335A: #StopRansomware: Cuba Ransomware
- AA22-321A: #StopRansomware: Hive Ransomware
- AA22-249A: #StopRansomware: Vice Society
- AA22-223A: #StopRansomware: Zeppelin Ransomware
Wrap-up
In summary, these attack graphs will help evaluate security and incident response processes and support the improvement of your security control posture against many different ransomware affiliate operators. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.