{
	"id": "27334b50-121e-4e3f-b537-e86f8ec5c8b6",
	"created_at": "2026-04-06T00:08:47.264752Z",
	"updated_at": "2026-04-10T03:20:56.124986Z",
	"deleted_at": null,
	"sha1_hash": "19c6c39fd2aa64412b9973dccba5292ab9642b9b",
	"title": "LockBit ransomware group assemble strike team to breach banks, law firms and governments.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4348717,
	"plain_text": "LockBit ransomware group assemble strike team to breach banks,\r\nlaw firms and governments.\r\nBy Kevin Beaumont\r\nPublished: 2023-11-14 · Archived: 2026-04-05 16:29:20 UTC\r\nRecently, I’ve been tracking LockBit ransomware group as they’ve been breaching large enterprises:\r\nI thought it would be good to break down what is happening and how they’re doing it, since LockBit are\r\nbreaching some of the world’s largest organisations — many of whom have incredibly large security budgets.\r\nThrough data allowing the tracking of ransomware operators, it has been possible to track individual targets.\r\nRecently, it has become clear they have been targeting a vulnerability in Citrix Netscaler, called CitrixBleed. Prior\r\nreading:\r\nThis has been done in a co-ordinated fashion amongst multiple LockBit operators — a strike team to break into\r\norganisations using CitrixBleed and then hold them to ransom.\r\nThe Strike\r\nThis vulnerability allows the bypass of all multi-factor authentication controls, and provides a point and click\r\ndesktop PC within the impacted victim’s internal network via “VDI” — think Remote Desktop or RDP.\r\nhttps://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-breach-banks-law-firms-and-governments-4220580bfcee?gi=af98d89a956a\r\nPage 1 of 12\n\nThe patch became available on October 10th, however as of writing around five thousand organisations still have\r\nnot installed the patch.\r\nIt is also incredibly easy to exploit, and initial exploitation has no logs at all as Citrix Netscaler/Gateway fails to\r\nlog the exploit request — a product defect that Citrix really need to own and fix.\r\nAn initial challenge has been maintaining access, as hijacking a session boots off the legitimate user, and the\r\nlegitimate user boots off the attacker when 
they reconnect.\r\nTo combat this, LockBit have been deploying remote access tools such as Atera — which does not trigger\r\nantivirus or EDR alerts — to allow remote, interactive PowerShell requests without any visible signs to the end\r\nuser. This access also persists after patching CitrixBleed.\r\nThe Team\r\nAfter access is obtained, the victims are passed to the execution team. This team escalates privileges via a variety\r\nof techniques, terminates EDR controls, steals data and ultimately deploys ransomware.\r\nThe Victims\r\nI am tracking over 10 victims currently being extorted, and lots more in initial stages. As a sample, these include:\r\nAllen \u0026 Overy, one of the world’s biggest law firms — attackers entered via a Netscaler instance unpatched for\r\nthe CitrixBleed vulnerability on https://myao-us.myallenovery.net/ — this has now been patched post\r\nincident.\r\nShodan.io data\r\nIndustrial and Commercial Bank of China (ICBC) Financial Services, the world’s biggest bank — attackers\r\nentered via a Citrix Netscaler unpatched for the CitrixBleed vulnerability on 
https://icbcfsclearing.com/ —\r\nthis is still offline.\r\nShodan.io data\r\nOther victims with unpatched Citrix Netscaler devices for CitrixBleed on Shodan include Boeing — one of the\r\nworld’s largest defence companies, and DP World — a large freight shipping company that Australia relies upon:\r\nMost of the victims are not listed on LockBit’s portal, which suggests they are negotiating payment or have\r\nalready paid.\r\nSo what?\r\nRansomware groups are often staffed by almost all teenagers, and haven’t been taken seriously for far too long as\r\na threat. They are a threat to civil society as long as organisations keep paying.\r\nFocusing on cybersecurity fundamentals for enterprise scale organisations is a challenge, as often people are\r\nchasing after the perceived next big thing — metaverse (remember that?), NFTs, generative AI — without being\r\nable to do the fundamentals well. 
Large scale enterprises need to be able to patch vulnerabilities like CitrixBleed\r\nquickly.\r\nLockBit operators hacking into your local government between CoD matches\r\nThe cybersecurity reality we live in now is teenagers are running around in organised crime gangs with digital\r\nbazookas. They probably have a better asset inventory of your network than you, and they don’t have to wait 4\r\nweeks for 38 people to approve a change request for patching 1 thing.\r\nKnow your network boundary and risky products as well as LockBit do. You need to be able to identify and patch\r\nsomething like CitrixBleed within 24 hours — if you cannot, there is a very real possibility it isn’t the ideal\r\nproduct fit for your organisation due to the level of risk it poses, and you need to rethink if the architecture of your\r\nhouse is fit for purpose.\r\nVendors like Citrix need to have clear statements of intent for securing their products, as piling on patch after\r\npatch after patch is not sustainable for many organisations — or customers should opt with their wallets for more\r\nproven solutions. The reality is many vendors are shipping appliance products with cybersecurity standards worse\r\nthan when I started my career in the late 90s — while also advertising themselves as the experts. 
Marketing is a\r\nhell of a drug.\r\nIn the case of ICBC — the world’s biggest bank — Reuters report the bank has paid the ransom:\r\nThis feeds into my earlier blog about ransomware:\r\nBy LockBit earning hundreds of millions of dollars, they are able to purchase new exploits, tools, resources and\r\npeople to carry out attacks.\r\nHow are schools, libraries and small businesses — the life blood of the global economy — with usually small IT\r\nbudgets and nobody responsible for cybersecurity — supposed to compete with teenagers who have bigger attack\r\nbudgets than their entire IT budget for a year (or in many cases, a decade)?\r\nGovernments need to aggressively pursue ransomware, and stop payments. It is not a solved problem. Vendors\r\nneed to make better secured products, or be forced into action by governments. We need to break this cycle, where\r\ncivil society is suffering. Let’s get to work.\r\nSource: https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-breach-banks-law-firms-and-governments-4220580bfcee?gi=af98d89a956a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-breach-banks-law-firms-and-governments-4220580bfcee?gi=af98d89a956a"
	],
	"report_names": [
		"lockbit-ransomware-group-assemble-strike-team-to-breach-banks-law-firms-and-governments-4220580bfcee?gi=af98d89a956a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19c6c39fd2aa64412b9973dccba5292ab9642b9b.pdf",
		"text": "https://archive.orkl.eu/19c6c39fd2aa64412b9973dccba5292ab9642b9b.txt",
		"img": "https://archive.orkl.eu/19c6c39fd2aa64412b9973dccba5292ab9642b9b.jpg"
	}
}