{
	"id": "15a832b5-3943-40ee-baa8-82971203e6ac",
	"created_at": "2026-04-06T00:17:08.434756Z",
	"updated_at": "2026-04-10T13:12:12.195824Z",
	"deleted_at": null,
	"sha1_hash": "80eedf08c0acf10266f0a5115d79c9c4661fe4bf",
	"title": "Understanding Ransomware Threat Actors: LockBit | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 581974,
	"plain_text": "Understanding Ransomware Threat Actors: LockBit | CISA\r\nPublished: 2023-06-14 · Archived: 2026-04-05 18:34:11 UTC\r\nSUMMARY\r\nIn 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in\r\n2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of\r\ncritical infrastructure sectors, including financial services, food and agriculture, education, energy, government\r\nand emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions\r\nas a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using\r\nLockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation,\r\nLockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This\r\nvariance in observed ransomware TTPs presents a notable challenge for organizations working to maintain\r\nnetwork security and protect against a ransomware threat.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the following international partners, hereafter\r\nreferred to as “authoring organizations,” are releasing this Cybersecurity Advisory (CSA) detailing observed\r\nactivity in LockBit ransomware incidents and providing recommended mitigations to enable network defenders to\r\nproactively improve their organization’s defenses against this ransomware operation. 
\r\nAustralian Cyber Security Centre (ACSC)\r\nCanadian Centre for Cyber Security (CCCS)\r\nUnited Kingdom’s National Cyber Security Centre (NCSC-UK)\r\nNational Cybersecurity Agency of France (ANSSI)\r\nGermany’s Federal Office for Information Security (BSI)\r\nNew Zealand’s Computer Emergency Response Team (CERT NZ) and National Cyber Security Centre\r\n(NCSC NZ)\r\nThe authoring organizations encourage the implementation of the recommendations found in this CSA to reduce\r\nthe likelihood and impact of future ransomware incidents.\r\nTECHNICAL DETAILS\r\nNote: This advisory uses the MITRE ATT\u0026CK for Enterprise framework, version 13.1. See the MITRE\r\nATT\u0026CK Tactics and Techniques section for tables of LockBit’s activity mapped to MITRE ATT\u0026CK® tactics\r\nand techniques.\r\nIntroduction\r\nThe LockBit RaaS and its affiliates have negatively impacted organizations, both large and small, across the\r\nworld. In 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number\r\nof victims claimed on their data leak site. [1]\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a\r\nPage 1 of 26\n\nA RaaS cybercrime group maintains the functionality of a\r\nparticular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often\r\nreferred to as “affiliates”), and supports affiliates’ deployment of their ransomware in exchange for upfront\r\npayment, subscription fees, a cut of profits, or a combination of these. 
Some of the methods LockBit has used to successfully attract affiliates include, but are not limited to:\r\nAssuring payment by allowing affiliates to receive ransom payments before sending a cut to the core\r\ngroup; this practice stands in stark contrast to other RaaS groups, who pay themselves first and then\r\ndisburse the affiliates’ cut.\r\nDisparaging other RaaS groups in online forums.\r\nEngaging in publicity-generating stunts, such as paying people to get LockBit tattoos and putting\r\na $1 million bounty on information related to the real-world identity of LockBit’s lead, who goes by the\r\npersona “LockBitSupp.”\r\nDeveloping and maintaining a simplified, point-and-click interface for its ransomware, making it\r\naccessible to those with a lower degree of technical skill. [2, 3]\r\nLockBit has been successful through innovation and ongoing development of the group’s administrative panel and\r\nthe RaaS supporting functions. In parallel, affiliates that work with LockBit and other notable variants are\r\nconstantly revising the TTPs used for deploying and executing ransomware.\r\nTable 1 shows LockBit RaaS’s innovation and development.\r\nTable 1: Evolution of LockBit RaaS\r\nDate | Event\r\nSeptember 2019 | First observed activity of ABCD ransomware, the predecessor to LockBit. [4]\r\nJanuary 2020 | LockBit-named ransomware first seen on Russian-language cybercrime forums.\r\nJune 2021 | Appearance of LockBit version 2 (LockBit 2.0), also known as LockBit Red, including StealBit, a built-in information-stealing tool.\r\nOctober 2021 | Introduction of LockBit Linux-ESXi Locker version 1.0, expanding targeting capabilities to Linux and VMware ESXi systems. [5]\r\nMarch 2022 | Emergence of LockBit 3.0, also known as LockBit Black, which shares similarities with BlackMatter and Alphv (also known as BlackCat) ransomware.\r\nSeptember 2022 | Non-LockBit affiliates able to use LockBit 3.0 after its builder was leaked. [2, 6]\r\nJanuary 2023 | Arrival of LockBit Green, incorporating source code from Conti ransomware. [7]\r\nApril 2023 | LockBit ransomware encryptors targeting macOS seen on VirusTotal. [8, 9]\r\nLockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker are still available for affiliates’ use on\r\nLockBit’s panel.\r\nLockBit Statistics\r\nPercentage of ransomware incidents attributed to LockBit:\r\nAustralia: From April 1, 2022, to March 31, 2023, LockBit made up 18% of total reported Australian\r\nransomware incidents. This figure includes all variants of LockBit ransomware, not solely LockBit 3.0.\r\nCanada: In 2022, LockBit was responsible for 22% of attributed ransomware incidents in Canada. [10]\r\nNew Zealand: In 2022, CERT NZ received 15 reports of LockBit ransomware, representing 23% of 2022\r\nransomware reports.\r\nUnited States: In 2022, 16% of the State, Local, Tribal, and Territorial (SLTT) government ransomware\r\nincidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents\r\nimpacting municipal governments, county governments, public higher education and K-12 schools, and\r\nemergency services (e.g., law enforcement).\r\nNumber of LockBit ransomware attacks in the U.S. since 2020:\r\nAbout 1,700 attacks according to the FBI.\r\nTotal of U.S. ransoms paid to LockBit:\r\nApproximately $91M since LockBit activity was first observed in the U.S. 
on January 5, 2020.\r\nEarliest observed LockBit activity:\r\nAustralia: The earliest documented occurrence of LockBit 3.0 was in early August 2022.\r\nCanada: The first recorded instance of LockBit activity in Canada was in March 2020.\r\nNew Zealand: The first recorded incident involving LockBit ransomware was in March 2021.\r\nUnited States: LockBit activity was first observed on January 5, 2020.\r\nMost recently observed LockBit activity:\r\nAustralia: April 21, 2023.\r\nNew Zealand: February 2023.\r\nUnited States: As recently as May 25, 2023.\r\nOperational activity related to LockBit in France\r\nFrom the first case in July 2020 to the present, ANSSI has handled 80 alerts linked to the LockBit ransomware, which\r\naccounts for 11% of all ransomware cases handled by ANSSI in that period. In about 13% of those cases, ANSSI\r\ncould neither confirm nor deny the breach of its constituents’ networks, as the alerts were related to the threat\r\nactor’s online claims. So far, 69 confirmed incidents have been handled by ANSSI. Table 2 shows the LockBit\r\nactivity observed by ANSSI versus overall ransomware activity tracked by the Computer Emergency Response\r\nTeam-France (CERT-FR).\r\nTable 2: ANSSI-Observed LockBit vs. Overall Ransomware Activity\r\nYear | Number of Incidents | Percentage of CERT-FR’s Ransomware-Related Activity\r\n2020 (from July) | 4 | 2%\r\n2021 | 20 | 10%\r\n2022 | 30 | 27%\r\n2023 | 15 | 27%\r\nTotal (2020-2023) | 69 | 11%\r\nTable 3 shows the number of instances in which different LockBit strains were observed by ANSSI from July 2020 to\r\nthe present.\r\nTable 3: ANSSI-Observed LockBit Strain and Number of Instances\r\nName of the Strain* | Number of Instances\r\nLockBit 2.0 (LockBit Red) | 26\r\nLockBit 3.0 (LockBit Black) | 23\r\nLockBit | 21\r\nLockBit Green | 1\r\nLockBit (pre-encryption) | 1\r\nTotal | 72**\r\n* Name either obtained from ANSSI’s or the victim’s investigations\r\n** Includes incidents with multiple strains\r\nFigure 1: ANSSI-Observed LockBit Strains by Year\r\nFrom the incidents handled, ANSSI can infer that LockBit 3.0 largely took over from LockBit 2.0 and the original\r\nLockBit strain from 2022 onward. In two cases, victims were infected with as many as three different strains of LockBit\r\n(LockBit 2.0/Red, LockBit 3.0/Black, and LockBit Green).\r\nLeak Sites\r\nThe authoring agencies observe data leak sites, where attackers publish the names and captured data of victims if\r\nthey do not pay ransom or hush money. Additionally, these sites can be used to record alleged victims who have\r\nbeen threatened with a data leak. The term 'victims' may include those who have been attacked, or those who have\r\nbeen threatened or blackmailed (with the attack having taken place).\r\nThe leak sites only show the portion of LockBit affiliates’ victims subjected to secondary extortion. Since 2021,\r\nLockBit affiliates have employed double extortion by first encrypting victim data and then exfiltrating that data\r\nwhile threatening to post that stolen data on leak sites. 
Because LockBit only reveals the names and leaked data of\r\nvictims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or\r\nhave their exfiltrated data posted on leak sites. As a result, the leak sites reveal only a portion of LockBit affiliates’ total\r\nvictims. For these reasons, the leak sites are not a reliable indicator of when LockBit ransomware attacks\r\noccurred. The date of data publication on the leak sites may be months after LockBit affiliates actually executed\r\nransomware attacks.\r\nUp to Q1 2023, a total of 1,653 alleged victims were observed on LockBit leak sites. With the introduction of\r\nLockBit 2.0 and LockBit 3.0, the leak sites have changed, with some sources choosing to differentiate leak sites\r\nby LockBit version and others ignoring any differentiation. Over time, and through different evolutions of\r\nLockBit, the address and layout of LockBit leak sites have changed and are aggregated under the common\r\ndenominator of the LockBit name. The introduction of LockBit 2.0 at the end of Q2 2021 had an immediate\r\nimpact on the cybercriminal market due to multiple RaaS operations shutting down in May and June 2021 (e.g.,\r\nDarkSide and Avaddon). LockBit competed with other RaaS operations, like Hive RaaS, to fill the gap in the\r\ncybercriminal market, leading to an influx of LockBit affiliates. Figure 2 shows the alleged number of victims\r\nworldwide on LockBit leak sites starting in Q3 2020.\r\nFigure 2: Alleged Number of Victims Worldwide on LockBit Leak Sites\r\nTools\r\nDuring their intrusions, LockBit affiliates have been observed using various freeware and open-source tools that\r\nare intended for legal use. 
When repurposed by LockBit, these tools are then used for a range of malicious cyber\r\nactivity, such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration.\r\nUse of PowerShell and batch scripts is observed across most intrusions, focusing on system discovery,\r\nreconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing\r\ntools such as Metasploit and Cobalt Strike have also been observed.\r\nTable 4 shows a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for\r\nransomware operations. The legitimate freeware and open-source tools mentioned in this product are all publicly\r\navailable and legal. The use of these tools by a threat actor should not be attributed to the freeware and open-source tools, absent specific articulable facts tending to show they are used at the direction or under the control of\r\na threat actor.\r\nTable 4: Freeware and Open-Source Tools Used by LockBit Affiliates\r\nTool | Intended Use | Repurposed Use by LockBit Affiliates | MITRE ATT\u0026CK ID\r\n7-zip | Compresses files into an archive. | Compresses data to avoid detection before exfiltration. | T1562 Impair Defenses\r\nAdFind | Searches Active Directory (AD) and gathers information. | Gathers AD information used to exploit a victim’s network, escalate privileges, and facilitate lateral movement. | S0552 AdFind\r\nAdvanced Internet Protocol (IP) Scanner | Performs network scans and shows network devices. | Maps a victim’s network to identify potential access vectors. | T1046 Network Service Discovery\r\nAdvanced Port Scanner | Performs network scans. | Finds open Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports for exploitation. | T1046 Network Service Discovery\r\nAdvancedRun | Allows software to be run with different settings. | Enables escalation of privileges by changing settings before running software. | TA0004 Privilege Escalation\r\nAnyDesk | Enables remote connections to network devices. | Enables remote control of victim’s network devices. | T1219 Remote Access Software\r\nAtera Remote Monitoring \u0026 Management (RMM) | Enables remote connections to network devices. | Enables remote control of victim’s network devices. | T1219 Remote Access Software\r\nBackstab | Terminates antimalware-protected processes. | Terminates endpoint detection and response (EDR)-protected processes. | T1562.001 Impair Defenses: Disable or Modify Tools\r\nBat Armor | Generates .bat files using PowerShell scripts. | Bypasses PowerShell execution policy. | T1562.001 Impair Defenses: Disable or Modify Tools\r\nBloodhound | Performs reconnaissance of AD for attack path management. | Enables identification of AD relationships that can be exploited to gain access onto a victim’s network. | T1482 Domain Trust Discovery\r\nChocolatey | Handles command-line package management on Microsoft Windows. | Facilitates installation of LockBit affiliate actors’ tools. | T1072 Software Deployment Tools\r\nDefender Control | Disables Microsoft Defender. | Enables LockBit affiliate actors to bypass Microsoft Defender. | T1562.001 Impair Defenses: Disable or Modify Tools\r\nExtPassword | Recovers passwords from Windows systems. | Obtains credentials for network access and exploitation. | T1003 Operating System (OS) Credential Dumping\r\nFileZilla | Performs cross-platform File Transfer Protocol (FTP) to a site, server, or host. | Enables data exfiltration over FTP to the LockBit affiliate actors’ site, server, or host. | T1071.002 Application Layer Protocol: File Transfer Protocols\r\nFreeFileSync | Facilitates cloud-based file synchronization. | Facilitates cloud-based file synchronization for data exfiltration. | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nGMER | Removes rootkits. | Terminates and removes EDR software. | T1562.001 Impair Defenses: Disable or Modify Tools\r\nImpacket | Collection of Python classes for working with network protocols. | Enables lateral movement on a victim’s network. | S0357 Impacket\r\nLaZagne | Recovers system passwords across multiple platforms. | Collects credentials for accessing a victim’s systems and network. | S0349 LaZagne\r\nLigolo | Establishes SOCKS5 or TCP tunnels from a reverse connection for pen testing. | Enables connections to systems within the victim’s network via reverse tunneling. | T1095 Non-Application Layer Protocol\r\nLostMyPassword | Recovers passwords from Windows systems. | Obtains credentials for network access and exploitation. | T1003 OS Credential Dumping\r\nMEGA Ltd MegaSync | Facilitates cloud-based file synchronization. | Facilitates cloud-based file synchronization for data exfiltration. | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nMicrosoft Sysinternals ProcDump | Monitors applications for central processing unit (CPU) spikes and generates crash dumps during a spike. | Obtains credentials by dumping the contents of Local Security Authority Subsystem Service (LSASS). | T1003.001 OS Credential Dumping: LSASS Memory\r\nMicrosoft Sysinternals PsExec | Executes a command-line process on a remote machine. | Enables LockBit affiliate actors to control victim’s systems. | S0029 PsExec\r\nMimikatz | Extracts credentials from a system. | Extracts credentials from a system for gaining network access and exploiting systems. | S0002 Mimikatz\r\nNgrok | Enables remote access to a local web server by tunnelling over the internet. | Enables victim network protections to be bypassed by tunnelling to a system over the internet. | S0508 Ngrok\r\nPasswordFox | Recovers passwords from Firefox Browser. | Obtains credentials for network access and exploitation. | T1555.003 Credentials from Web Browsers\r\nPCHunter | Enables advanced task management including system processes and kernels. | Terminates and circumvents EDR processes and services. | T1562.001 Impair Defenses: Disable or Modify Tools\r\nPowerTool | Removes rootkits, as well as detecting, analyzing, and fixing kernel structure modifications. | Terminates and removes EDR software. | T1562.001 Impair Defenses: Disable or Modify Tools\r\nProcess Hacker | Removes rootkits. | Terminates and removes EDR software. | T1562.001 Impair Defenses: Disable or Modify Tools\r\nPuTTY Link (Plink) | Automates Secure Shell (SSH) actions on Windows. | Enables LockBit affiliate actors to avoid detection. | T1572 Protocol Tunneling\r\nRclone | Manages cloud storage files using a command-line program. | Facilitates data exfiltration over cloud storage. | S1040 Rclone\r\nSeatbelt | Performs numerous security-oriented checks. | Performs numerous security-oriented checks to enumerate system information. | T1082 System Information Discovery\r\nScreenConnect (also known as ConnectWise) | Enables remote connections to network devices for management. | Enables LockBit affiliate actors to remotely connect to a victim’s systems. | T1219 Remote Access Software\r\nSoftPerfect Network Scanner | Performs network scans for systems management. | Enables LockBit affiliate actors to obtain information about a victim’s systems and network. | T1046 Network Service Discovery\r\nSplashtop | Enables remote connections to network devices for management. | Enables LockBit affiliate actors to remotely connect to systems over Remote Desktop Protocol (RDP). | T1021.001 Remote Services: Remote Desktop Protocol\r\nTDSSKiller | Removes rootkits. | Terminates and removes EDR software. | T1562.001 Impair Defenses: Disable or Modify Tools\r\nTeamViewer | Enables remote connections to network devices for management. | Enables LockBit affiliate actors to remotely connect to a victim’s systems. | T1219 Remote Access Software\r\nThunderShell | Facilitates remote access via Hypertext Transfer Protocol (HTTP) requests. | Enables LockBit affiliate actors to remotely access systems while encrypting network traffic. | T1071.001 Application Layer Protocol: Web Protocols\r\nWinSCP | Facilitates file transfer using SSH File Transfer Protocol for Microsoft Windows. | Enables data exfiltration via the SSH File Transfer Protocol. | T1048 Exfiltration Over Alternative Protocol\r\nCommon Vulnerabilities and Exposures (CVEs) Exploited\r\nBased on secondary sources, it was noted that affiliates exploit older vulnerabilities like CVE-2021-22986, F5\r\niControl REST unauthenticated Remote Code Execution Vulnerability, as well as newer vulnerabilities such as:\r\nCVE-2023-0669: Fortra GoAnywhere Managed File Transfer (MFT) Remote Code Execution\r\nVulnerability\r\nCVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability\r\nLockBit affiliates have been documented exploiting numerous CVEs, including:\r\nCVE-2021-44228: Apache Log4j2 Remote Code Execution Vulnerability,\r\nCVE-2021-22986: F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code\r\nExecution Vulnerability,\r\nCVE-2020-1472: NetLogon Privilege Escalation Vulnerability,\r\nCVE-2019-0708: Microsoft Remote Desktop Services Remote Code Execution Vulnerability, and\r\nCVE-2018-13379: Fortinet FortiOS Secure Sockets Layer (SSL) Virtual Private Network (VPN) Path\r\nTraversal Vulnerability.\r\nFor further information on these CVEs, see CISA’s Known Exploited Vulnerabilities (KEV) Catalog.\r\nPost Detonation 
TTPs\r\nWhen LockBit affiliates target an organization responsible for managing other organizations’ networks, CERT NZ\r\nhas observed LockBit affiliates attempt secondary ransomware extortion after detonation of the LockBit variant on\r\nthe primary target. Once the primary target is hit, LockBit affiliates then attempt to extort the companies that are\r\ncustomers of the primary target. This extortion is in the form of secondary ransomware that locks down services\r\nthose customers consume. Additionally, the primary target’s customers may be extorted by LockBit affiliates\r\nthreatening to release those customers’ sensitive information.\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nTables 5-16 show the LockBit affiliate tactics and techniques referenced in this advisory.\r\nTable 5: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Initial Access\r\nTechnique Title | ID | Use\r\nDrive-by Compromise | T1189 | LockBit affiliates gain access to a system through a user visiting a website over the normal course of browsing.\r\nExploit Public-Facing Application | T1190 | LockBit affiliates may exploit vulnerabilities (e.g., Log4Shell) in internet-facing systems to gain access to victims’ systems.\r\nExternal Remote Services | T1133 | LockBit affiliates exploit RDP to gain access to victims’ networks.\r\nPhishing | T1566 | LockBit affiliates use phishing and spearphishing to gain access to victims' networks.\r\nValid Accounts | T1078 | LockBit affiliates obtain and abuse credentials of existing accounts as a means of gaining initial access.\r\nTable 6: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Execution\r\nTechnique Title | ID | Use\r\nExecution | TA0002 | LockBit 3.0 launches commands during its execution.\r\nCommand and Scripting Interpreter: Windows Command Shell | T1059.003 | LockBit affiliates use batch scripts to execute malicious commands.\r\nSoftware Deployment Tools | T1072 | LockBit affiliates may use Chocolatey, a command-line package manager for Windows.\r\nSystem Services: Service Execution | T1569.002 | LockBit 3.0 uses PsExec to execute commands or payloads.\r\nTable 7: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Persistence\r\nTechnique Title | ID | Use\r\nBoot or Logon Autostart Execution | T1547 | LockBit affiliates enable automatic logon for persistence.\r\nValid Accounts | T1078 | LockBit affiliates may use a compromised user account to maintain persistence on the target network.\r\nTable 8: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Privilege Escalation\r\nTechnique Title | ID | Use\r\nPrivilege Escalation | TA0004 | LockBit affiliates will attempt to escalate to the required privileges if current account privileges are insufficient.\r\nAbuse Elevation Control Mechanism | T1548 | LockBit affiliates may use the ucmDccwCOM Method in UACMe, a GitHub collection of User Account Control (UAC) bypass techniques.\r\nBoot or Logon Autostart Execution | T1547 | LockBit affiliates enable automatic logon for privilege escalation.\r\nDomain Policy Modification: Group Policy Modification | T1484.001 | LockBit affiliates may create Group Policy for lateral movement and can force group policy updates.\r\nValid Accounts | T1078 | LockBit affiliates may use a compromised user account to escalate privileges on a victim’s network.\r\nTable 9: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Defense Evasion\r\nTechnique Title | ID | Use\r\nExecution Guardrails: Environmental Keying | T1480.001 | LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered.\r\nImpair Defenses: Disable or Modify Tools | T1562.001 | LockBit 3.0 affiliates use Backstab, Defender Control, GMER, PCHunter, PowerTool, Process Hacker, or TDSSKiller to disable EDR processes and services. LockBit 3.0 affiliates use Bat Armor to bypass the PowerShell execution policy. LockBit affiliates may deploy a batch script, 123.bat, to disable and uninstall antivirus software. LockBit 3.0 may modify and/or disable security tools including EDR and antivirus to avoid possible detection of malware, tools, and activities.\r\nIndicator Removal: Clear Windows Event Logs | T1070.001 | The LockBit executable clears the Windows Event Log files.\r\nIndicator Removal: File Deletion | T1070.004 | LockBit 3.0 will delete itself from the disk.\r\nObfuscated Files or Information | T1027 | LockBit 3.0 will send encrypted host and bot information to its command and control (C2) servers.\r\nObfuscated Files or Information: Software Packing | T1027.002 | LockBit affiliates may perform software packing or virtual machine software protection to conceal their code. Blister Loader has been used for this purpose.\r\nTable 10: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Credential Access\r\nTechnique Title | ID | Use\r\nBrute Force | T1110 | LockBit affiliates may brute force VPN or RDP credentials to gain initial access.\r\nCredentials from Password Stores: Credentials from Web Browsers | T1555.003 | LockBit 3.0 actors use PasswordFox to recover passwords from Firefox Browser.\r\nOS Credential Dumping | T1003 | LockBit 3.0 actors use ExtPassword or LostMyPassword to recover passwords from Windows systems.\r\nOS Credential Dumping: LSASS Memory | T1003.001 | LockBit affiliates may use Microsoft Sysinternals ProcDump to dump the contents of lsass.exe. LockBit affiliates have used Mimikatz to dump credentials.\r\nTable 11: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Discovery\r\nTechnique Title | ID | Use\r\nNetwork Service Discovery | T1046 | LockBit affiliates use SoftPerfect Network Scanner, Advanced IP Scanner, or Advanced Port Scanner to scan target networks. LockBit affiliates may use SoftPerfect Network Scanner, Advanced Port Scanner, and AdFind to enumerate connected machines in the network.\r\nSystem Information Discovery | T1082 | LockBit affiliates will enumerate system information, including hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices.\r\nSystem Location Discovery: System Language Discovery | T1614.001 | LockBit 3.0 will not infect machines with language settings that match a defined exclusion list.\r\nTable 12: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Lateral Movement\r\nTechnique Title | ID | Use\r\nLateral Movement | TA0008 | LockBit affiliates will laterally move across networks and access domain controllers.\r\nRemote Services: Remote Desktop Protocol | T1021.001 | LockBit affiliates use Splashtop remote-desktop software to facilitate lateral movement.\r\nRemote Services: Server Message Block (SMB)/Admin Windows Shares | T1021.002 | LockBit affiliates may use Cobalt Strike and target SMB shares for lateral movement.\r\nTable 13: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Collection\r\nTechnique Title | ID | Use\r\nArchive Collected Data: Archive via Utility | T1560.001 | LockBit affiliates may use 7-zip to compress and/or encrypt collected data prior to exfiltration.\r\nTable 14: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Command and Control\r\nTechnique Title | ID | Use\r\nApplication Layer Protocol: File Transfer Protocols | T1071.002 | LockBit affiliates may use FileZilla for C2.\r\nApplication Layer Protocol: Web Protocols | T1071.001 | LockBit affiliates use ThunderShell as a remote access tool that communicates via HTTP requests.\r\nNon-Application Layer Protocol | T1095 | LockBit affiliates use Ligolo to establish SOCKS5 or TCP tunnels from a reverse connection.\r\nProtocol Tunneling | T1572 | LockBit affiliates use Plink to automate SSH actions on Windows.\r\nRemote Access Software | T1219 | LockBit 3.0 actors use AnyDesk, Atera RMM, ScreenConnect, or TeamViewer for C2.\r\nTable 15: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Exfiltration\r\nTechnique Title | ID | Use\r\nExfiltration | TA0010 | LockBit affiliates use StealBit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network.\r\nExfiltration Over Web Service | T1567 | LockBit affiliates use publicly available file sharing services to exfiltrate a target’s data.\r\nExfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | LockBit affiliates use (1) Rclone, an open-source command-line cloud storage manager, or FreeFileSync to exfiltrate data and (2) MEGA, a publicly available file sharing service, for data exfiltration.\r\nTable 16: LockBit Affiliates’ ATT\u0026CK Techniques for Enterprise – Impact\r\nTechnique Title | ID | Use\r\nData Destruction | T1485 | LockBit 3.0 deletes log files and empties the recycle bin.\r\nData Encrypted for Impact | T1486 | LockBit 3.0 encrypts data on target systems to interrupt availability of system and network resources. LockBit affiliates can encrypt Windows and Linux devices, as well as VMware instances.\r\nDefacement: Internal Defacement | T1491.001 | LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively.\r\nInhibit System Recovery | T1490 | LockBit 3.0 deletes volume shadow copies residing on disk.\r\nService Stop | T1489 | LockBit 3.0 terminates processes and services.\r\nMitigations\r\nThe authoring organizations recommend implementing the mitigations listed below to improve cybersecurity\r\nposture and better defend against LockBit’s activity. These mitigations align with the Cross-Sector Cybersecurity\r\nPerformance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).\r\nThe CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations\r\nimplement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against\r\nthe most common and impactful threats, tactics, techniques, and procedures. 
Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.\r\nThe listed mitigations are ordered by MITRE ATT\u0026CK tactic. Mitigations that apply to multiple MITRE ATT\u0026CK tactics are listed under the tactic that occurs earliest in an incident’s lifecycle. For example, account use policies are mitigations for initial access, persistence, privilege escalation, and credential access but would be listed under initial access mitigations.\r\nInitial Access\r\nConsider implementing sandboxed browsers to protect systems from malware originating from web browsing. Sandboxed browsers isolate the host machine from malicious code.\r\nRequire all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST standards for developing and managing password policies [CPG 2.L].\r\nEnforce use of longer passwords consisting of at least 15 characters in length [CPG 2.B, 2.C].\r\nStore passwords in a salted and hashed format using industry-recognized password hashing algorithms.\r\nPrevent use of commonly used or known-compromised passwords [CPG 2.C].\r\nImplement multiple failed login attempt account lockouts [CPG 2.G].\r\nDisable password “hints.”\r\nRefrain from requiring password changes more frequently than once per year.\r\nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. 
Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.\r\nRequire administrator credentials to install software [CPG 2.Q].\r\nImplement filters at the email gateway to filter out emails with known malicious indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall [CPG 2.M].\r\nInstall a web application firewall and configure it with appropriate rules to protect enterprise assets.\r\nSegment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Isolate web-facing applications to further minimize the spread of ransomware across a network [CPG 2.F].\r\nFollow the least-privilege best practice by requiring administrators to use administrative accounts for managing systems and simple user accounts for non-administrative tasks [CPG 2.E].\r\nEnforce the management of and audit user accounts with administrative privileges. Configure access controls according to the principle of least privilege [CPG 2.E].\r\nImplement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. 
Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Public-facing applications must be patched in a timely manner as vulnerabilities can often be exploited directly by the threat actor. Threat actors closely monitor the threat landscape and often take advantage of vulnerabilities before systems are patched. Organizations should patch vulnerable software and hardware systems within 24 to 48 hours from when a vulnerability is disclosed. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].\r\nRestrict service accounts from remotely accessing other systems. Configure group policy to Deny log on locally, Deny log on through Terminal Services (named Deny log on through Remote Desktop Services on current Windows versions), and Deny access to this computer from the network for all service accounts to limit the ability for compromised service accounts to be used for lateral movement.\r\nBlock direct internet access for administration interfaces (e.g., application programming interfaces (APIs)) and for remote access.\r\nRequire phishing-resistant multifactor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks, and privileged accounts that access critical systems [CPG 2.H].\r\nConsolidate, monitor, and defend internet gateways.\r\nInstall, regularly update, and enable real-time detection for antivirus software on all hosts.\r\nRaise awareness for phishing threats in your organization. Phishing is one of the primary infection vectors in ransomware campaigns, and all employees should receive practical training on the risks associated with the regular use of email. 
With the rise of sophisticated phishing methods, such as using stolen email communication or artificial intelligence (AI) systems such as ChatGPT, the distinction between legitimate and malicious emails becomes more complex. This particularly applies to employees from corporate divisions that have to deal with a high volume of external email communication (e.g., staff recruitment) [CPG 2.I, 2.J].\r\nConsider adding an external email warning banner for emails sent to or received from outside of your organization [CPG 2.M].\r\nReview internet-facing services and disable any services that are no longer a business requirement to be exposed, or restrict access to only those users with an explicit requirement to access services such as SSL VPN or RDP. If internet-facing services must be used, control access by only allowing access from an admin IP range [CPG 2.X].\r\nReview domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.\r\nRegularly verify the security level of the Active Directory domain by checking for misconfigurations.\r\nExecution\r\nDevelop and regularly update comprehensive network diagram(s) that describe systems and data flows within your organization’s network(s) [CPG 2.P].\r\nControl and restrict network connections accordingly with a network flow matrix.\r\nEnable enhanced PowerShell logging [CPG 2.T, 2.U].\r\nPowerShell logs contain valuable data, including historical OS and registry interaction and evidence of a threat actor’s PowerShell use.\r\nEnsure PowerShell instances are configured to use the latest version, and have module, script block, and transcription logging enabled (enhanced logging).\r\nThe two logs that record PowerShell activity are the PowerShell Windows Event Log and the PowerShell Operational Log. 
It is recommended to turn on these two Windows Event Logs with a retention period of at least 180 days. These logs should be checked on a regular basis to confirm whether the log data has been deleted or logging has been turned off. Set the storage size permitted for both logs to as large as reasonably practical.\r\nConfigure the Windows Registry to require UAC approval for any PsExec operations requiring administrator privileges to reduce the risk of lateral movement by PsExec.\r\nPrivilege Escalation\r\nDisable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.N].\r\nEnable Credential Guard to protect your Windows system credentials. This is enabled by default on Windows 11 Enterprise 22H2 and Windows 11 Education 22H2. Credential Guard prevents credential dumping techniques that target Local Security Authority (LSA) secrets. Be aware that enabling this security control has some downsides. In particular, you can no longer use NT LAN Manager (NTLM) classic authentication (NTLMv1) single sign-on, Kerberos unconstrained delegation, or Data Encryption Standard (DES) encryption for Kerberos.\r\nImplement Local Administrator Password Solution (LAPS) where possible if your OS is older than Windows Server 2019 and Windows 10 as these versions do not have LAPS built in. 
NOTE: The authoring organizations recommend organizations upgrade to Windows Server 2019 and Windows 10 or greater.\r\nDefense Evasion\r\nApply local security policies to control application execution (e.g., Software Restriction Policies (SRP), AppLocker, Windows Defender Application Control (WDAC)) with a strict allowlist.\r\nEstablish an application allowlist of approved software applications and binaries that are allowed to be executed on a system. This measure prevents unwanted software from running. Usually, application allowlist software can also be used to define blocklists so that the execution of certain programs can be blocked, for example cmd.exe or powershell.exe [CPG 2.Q].\r\nCredential Access\r\nRestrict NTLM use with security policies and firewalling.\r\nDiscovery\r\nDisable unused ports. Disable ports that are not being used for business purposes (e.g., RDP, TCP port 3389). Close unused RDP ports.\r\nLateral Movement\r\nIdentify Active Directory control paths and eliminate the most critical among them according to the business needs and assets.\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network [CPG 1.E]. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\r\nCommand and Control\r\nImplement a tiering model by creating trust zones dedicated to an organization’s most sensitive assets. VPN access should not be considered as a trusted network zone. 
Organizations should instead consider moving to zero trust architectures.\r\nExfiltration\r\nBlock connections to known malicious systems by using a Transport Layer Security (TLS) proxy. Malware often uses TLS to communicate with the infrastructure of the threat actor. By using feeds of known malicious systems, the establishment of a connection to a C2 server can be prevented.\r\nUse web filtering or a Cloud Access Security Broker (CASB) to restrict or monitor access to public file-sharing services that may be used to exfiltrate data from a network.\r\nImpact\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.R].\r\nMaintain offline backups of data, and regularly perform and test backup and restoration (daily or weekly at the minimum). By instituting this practice, the organization ensures it will not be severely interrupted and/or left with only irretrievable data [CPG 2.R]. ACSC recommends organizations follow the 3-2-1 backup strategy in which organizations have three copies of data (one copy of production data and two backup copies) on two different media, such as disk and tape, with one copy kept off-site for disaster recovery.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.R].\r\nImplement Mitigations for Defense-in-Depth\r\nImplementing multiple mitigations within a defense-in-depth approach can help protect against ransomware, such as LockBit. 
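As an added example tying the Exfiltration mitigations above (web filtering or a CASB watching public file-sharing services) to the T1567.002 behavior in Table 15 (Rclone or FreeFileSync pushing data to MEGA), the Python below scores web-proxy records for that pattern: a destination on a file-sharing watchlist, the rclone User-Agent, and bulk outbound volume per source host and destination. It is not code from the advisory or from any authoring organization. The pipe-delimited record format, the sample records, the 500 MiB threshold and the MEGA domain list are constructed assumptions for illustration; the rclone User-Agent prefix (rclone/v) is that tool's default, and FreeFileSync is not fingerprinted here.

```python
# Added example, not code from the CISA advisory or its authoring organizations.
# Flags the T1567.002 pattern from Table 15 (Rclone/FreeFileSync uploading to
# MEGA) in web-proxy records. Record format, sample data, threshold and the
# domain watchlist are constructed assumptions for illustration.
from collections import defaultdict

# Public file-sharing destinations to watch. MEGA's service domains are listed;
# extend with any sharing service the organization does not sanction.
FILE_SHARING_DOMAINS = ('mega.nz', 'mega.co.nz')

# rclone sends a User-Agent of the form rclone/v<version> by default.
# FreeFileSync is not fingerprinted here; add its prefix if you have observed it.
SUSPECT_UA_PREFIXES = ('rclone/',)

# Assumed threshold: outbound bytes to one external host before it counts as
# bulk upload (500 MiB). Tune to the environment's normal upload volumes.
BULK_UPLOAD_BYTES = 500 * 1024 * 1024


def parse_record(line):
    '''Parse one constructed proxy record: ts|src_host|user|dest_host|ua|bytes_out.

    Returns a dict, or None for lines that do not match the assumed format.
    '''
    parts = [p.strip() for p in line.split('|')]
    if len(parts) != 6:
        return None
    ts, src, user, dest, ua, out = parts
    try:
        return {'ts': ts, 'src': src, 'user': user, 'dest': dest.lower(),
                'ua': ua.lower(), 'bytes_out': int(out)}
    except ValueError:
        return None


def is_file_sharing(dest):
    '''True when dest is a watchlisted domain or a subdomain of one.'''
    return any(dest == d or dest.endswith('.' + d) for d in FILE_SHARING_DOMAINS)


def detect_exfil(lines):
    '''Score proxy records per (source host, destination) pair.

    Returns a sorted list of (src_host, dest_host, reasons, total_bytes_out).
    A pair is reported when it hits the watchlist or a suspect tool, with bulk
    volume added as a further reason; bulk volume alone is reported at lower
    confidence because legitimate backups also upload in bulk.
    '''
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec['src'], rec['dest'])
        totals[key] += rec['bytes_out']
        if is_file_sharing(rec['dest']):
            reasons[key].add('T1567.002 destination: public file-sharing service')
        if any(rec['ua'].startswith(p) for p in SUSPECT_UA_PREFIXES):
            reasons[key].add('cloud-storage tool user agent: ' + rec['ua'])
    alerts = []
    for key, why in reasons.items():
        if totals[key] >= BULK_UPLOAD_BYTES:
            why.add('bulk upload >= ' + str(BULK_UPLOAD_BYTES) + ' bytes')
        alerts.append((key[0], key[1], sorted(why), totals[key]))
    for key, total in totals.items():
        if key not in reasons and total >= BULK_UPLOAD_BYTES:
            alerts.append((key[0], key[1], ['bulk upload to unlisted host (low confidence)'], total))
    return sorted(alerts)


# Constructed sample records (not real traffic): a file server pushing ~900 MiB
# to MEGA with rclone, ordinary browsing, a small browser hit on a MEGA API
# host, and one malformed line that the parser must skip.
SAMPLE_LOG = [
    '2023-06-01T02:14:05Z | FS01 | svc_backup | mega.nz | rclone/v1.62.2 | 734003200',
    '2023-06-01T02:15:10Z | FS01 | svc_backup | mega.nz | rclone/v1.62.2 | 209715200',
    '2023-06-01T09:00:01Z | WS17 | jdoe | www.example.com | Mozilla/5.0 | 5120',
    '2023-06-01T11:30:44Z | WS22 | asmith | g.api.mega.co.nz | Mozilla/5.0 | 1048576',
    'malformed line',
]

if __name__ == '__main__':
    for alert in detect_exfil(SAMPLE_LOG):
        print(alert)
```

Run it as a script to print the alerts for the embedded sample, or pass detect_exfil() lines exported from a proxy or CASB in the same pipe-delimited shape. The file server that moved roughly 900 MiB to mega.nz with rclone is reported with all three reasons; the workstation that touched a MEGA API host is reported on destination alone, which is the case a CASB policy would typically only monitor rather than block.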
CERT NZ explains How ransomware happens and how to stop it by applying mitigations, or critical controls, to provide a stronger defense to detect, prevent, and respond to ransomware before an organization’s data is encrypted. By understanding the most common attack vectors, organizations can identify gaps in network defenses and implement the mitigations noted in this advisory to harden organizations against ransomware attacks.\r\nIn Figure 3, a ransomware attack is broken into three phases:\r\nInitial Access where the cyber actor is looking for a way into a network.\r\nConsolidation and Preparation when the actor is attempting to gain access to all devices.\r\nImpact on Target where the actor is able to steal and encrypt data and then demand ransom.\r\nFigure 3 shows the mitigations/critical controls, as various colored hexagons, working together to stop a ransomware attacker from accessing a network to steal and encrypt data. In the Initial Access phase, mitigations working together to deny an attacker network access include securing internet-exposed services, patching devices, implementing MFA, disabling macros, employing application allowlisting, and using logging and alerting. In the Consolidation and Preparation phase, mitigations working together to keep an attacker from accessing network devices are patching devices, using network segmentation, enforcing the principle of least privilege, implementing MFA, and using logging and alerting. 
Finally, in the Impact on Target phase, mitigations working together to deny or degrade an attacker’s ability to steal and/or encrypt data include using logging and alerting, using and maintaining backups, and employing application allowlisting.\r\nFigure 3: Stopping Ransomware Using Layered Mitigations (figure and its Critical Controls Key are not reproduced in this text).\r\nValidate Security Controls\r\nIn addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Tables 5-16).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. 
Tune your security program, including people, processes, and technologies, based on the data generated by this process.\r\nThe authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nResources\r\nACSC:\r\nSee 2023-03: ACSC Ransomware Profile – LockBit 3.0 for additional information.\r\nCISA:\r\nStopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.\r\nInformation on no-cost cyber hygiene services is available at Cyber Hygiene Services and Ransomware Readiness Assessment.\r\nCISA, NSA, FBI, and MS-ISAC:\r\nSee the #StopRansomware Guide developed through the Joint Ransomware Task Force (JRTF) to provide a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks.\r\nFBI and CISA:\r\nSee Alert AA23-075A - #StopRansomware: LockBit 3.0 for information on IOCs and TTPs identified through FBI investigations as recently as March 2023.\r\nMS-ISAC:\r\nSee the Center for Internet Security (CIS) Critical Security Controls (CIS Controls) https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0 for information on strengthening an organization’s cybersecurity posture through implementing a prescriptive, prioritized, and simplified set of best practices.\r\nSee the CIS Community Defense Model 2.0 (CDM 2.0) for the effectiveness of the CIS Controls against the most prevalent types of attacks and how CDM 2.0 can be used to design, prioritize, implement, and improve an organization’s cybersecurity program.\r\nSee Blueprint for Ransomware Defense for a clear, actionable 
framework for ransomware mitigation, response, and recovery built around the CIS Controls.\r\nNCSC-UK:\r\nSee guidance on Mitigating malware and ransomware attacks for information on defending organizations against malware or ransomware attacks.\r\nBSI:\r\nSee BSI’s Ransomware – Facts and Defense Strategies for a comprehensive collection of resources on ransomware prevention, detection, and reaction. Note: These resources are in German.\r\nCCCS:\r\nSee CCCS’s Ransomware playbook (ITSM.00.099) for information on ransomware prevention and response.\r\nSee CCCS’s Top 10 IT security actions based on analysis of cyber threat trends to help minimize intrusions or the impacts of a successful cyber intrusion.\r\nCERT NZ:\r\nSee CERT NZ’s Security awareness building and Creating an effective security awareness program to assist organizations in providing adequate security awareness and training to personnel while creating a positive security culture.\r\nBusinesses can find information on developing an incident response plan, creating a contact list, and communicating ransomware incidents at CERT NZ’s Creating an incident response plan.\r\nNCSC NZ:\r\nFor guidance on ransomware for public service agencies, see NCSC NZ’s Ransomware: Your organization should be both protected and prepared.\r\nReporting\r\nThe authoring organizations do not encourage paying ransom, as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. 
Regardless of whether you or your organization have decided to pay the ransom, the authoring organizations urge you to promptly report ransomware incidents to your country’s respective authorities.\r\nAustralia: Australian organizations that have been impacted or require assistance in regard to a ransomware incident can contact ACSC via 1300 CYBER1 (1300 292 371), or by submitting a report to cyber.gov.au.\r\nCanada: Canadian victims of ransomware are encouraged to consider reporting cyber incidents to law enforcement (e.g., local police or the Canadian Anti-Fraud Centre) as well as to the Canadian Centre for Cyber Security online via My Cyber Portal.\r\nFrance:\r\nIndividuals and small organizations can seek assistance with Cybermalveillance – https://www.cybermalveillance.gouv.fr/.\r\nLarger organizations, as well as public and regulated entities, can request assistance from CERT-FR via cert-fr@ssi.gouv.fr.\r\nGermany: German victims of ransomware are encouraged to consider reporting cyber incidents to law enforcement (e.g., local police or the Central Contact Point for Cybercrime) as well as to the Federal Office for Information Security (BSI) via the Reporting and Information Portal.\r\nNew Zealand: New Zealand organizations and businesses can report security incidents to the NCSC at incidents@ncsc.govt.nz or call 04 498 7654, or to CERT NZ through https://www.cert.govt/nz/it-specialists/report-an-incident/ or to ir@ops.cert.govt.nz.\r\nUnited States:\r\nReport ransomware incidents to a local FBI Field Office or CISA’s 24/7 Operations Center at Contact@mail.cisa.dhs.gov, cisa.gov/report, or 1-844-Say-CISA (1-844-729-2472). 
When available, please include the information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.\r\nFor state, local, tribal, and territorial (SLTT) entities, email soc@msisac.org or call (866) 787-4722.\r\nUnited Kingdom: UK organizations should report any suspected compromises to NCSC.\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. The authoring organizations do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.\r\nReferences\r\n[1] LockBit, BlackCat, and Royal Dominate the Ransomware Scene\r\n[2] Ransomware Diaries: Volume 1\r\n[3] What is LockBit ransomware and how does it operate?\r\n[4] Ransomware Spotlight: LockBit\r\n[5] Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant\r\n[6] A first look at the builder for LockBit 3.0 Black\r\n[7] LockBit ransomware gang releases LockBit Green version\r\n[8] LockBit Ransomware Now Targeting Apple macOS Devices\r\n[9] Apple’s Macs Have Long Escaped Ransomware. That May be Changing\r\n[10] Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a"
	],
	"report_names": [
		"aa23-165a"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434628,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80eedf08c0acf10266f0a5115d79c9c4661fe4bf.pdf",
		"text": "https://archive.orkl.eu/80eedf08c0acf10266f0a5115d79c9c4661fe4bf.txt",
		"img": "https://archive.orkl.eu/80eedf08c0acf10266f0a5115d79c9c4661fe4bf.jpg"
	}
}