Flash Report: LockBit Ends 2023 with Record Number of Attacks
Key Findings
- Ransomware & Digital Extortion (R&DE) threat collective LockBit conducted more attacks during Q4 2023 (October-December) than in any other quarter, despite their activity accounting for a significantly reduced proportion of the wider threat landscape’s activity.
- It is almost certain that LockBit is benefitting from the December disruption of other R&DE collectives—particularly through procuring affiliates from ALPHV and NoEscape.
- A greater proportion of LockBit’s attacks were leveraged against the manufacturing and retail industries in Q4 2023, both of which are above the threat landscape average.
Details
R&DE threat collective LockBit conducted at least 233 attacks during Q4 2023, the highest of any quarter observed by ZeroFox Intelligence. Q4 2023 represents a significant increase compared to the 165 attacks conducted by LockBit affiliates during Q3 2023.
- LockBit’s 2023 activity increased approximately 10 percent when compared with 2022.
- Total R&DE activity across the threat landscape in 2023 saw a 70 percent increase over 2022.
Number of LockBit attacks by quarter
Source: ZeroFox Intelligence
LockBit’s targeting has increased almost uniformly across the landscape, with a greater number of victims across the majority of geographies and industries. A significant proportion of LockBit’s increased activity results from affiliates’ increased targeting of organizations in the manufacturing sector.
- Manufacturing organizations have typically comprised approximately 20 percent of all LockBit victims in 2023. However, in Q4 2023, manufacturing organizations represented 26 percent of its victims.
- This uptick is largely driven by LockBit’s increased targeting of Asia-Pacific manufacturers, which rose by approximately 300 percent during Q4.
Targeting of the retail sector is also on an upward trajectory, particularly against organizations based in the Asia-Pacific and North America regions. The only industries to experience a slight reduction in LockBit targeting in Q4 2023 were education, construction, and technology.
- The Asia-Pacific region accounted for the biggest proportional increase in targeting, accounting for approximately 13 percent of LockBit victims (up from 6 percent the quarter before) and returning to levels observed in early 2023.
LockBit affiliates continue to target the majority of regions at proportionally higher rates than the wider threat landscape, with the exception of North America. LockBit’s proportion of attacks targeting North America have been consistently less than the wider landscape average since Q2 2022, despite the number of attacks increasing significantly in Q4 2023.
Proportion of LockBit attacks by region
(ANZAC region omitted due to very low number)
Source: ZeroFox Intelligence
LockBit is almost certainly benefitting from the disruption of other R&DE collectives in December. The collective sought affiliates from prominent ransomware outfits ALPHV (also known as BlackCat) and NoEscape, offering the use of both its data breach site and trading panel as well as the option to transfer ongoing extortion activities to its platform.
Despite this, LockBit’s market share of total R&DE activity continues to fall, indicating continued diversification across the threat landscape.
- While LockBit accounted for more than 35 percent of total R&DE attacks in early 2023—peaking at almost 50 percent in February 2023—it accounted for approximately 20 percent of total R&DE attacks in Q4 2023.
- In November 2023, ZeroFox published ZeroFox Intelligence Brief: Ransomware & Digital Extortion-LockBit Targeting, revealing analysis of LockBit’s in-depth targeting patterns.
LockBit attacks as a proportion of total R&DE activity, by month
Source: ZeroFox Intelligence
It is likely that LockBit will continue to acquire additional affiliates and targeting opportunities, enabling the collective to conduct an increasing number of attacks over the next two quarters.
- There is a roughly even chance that LockBit will use this opportunity to offer potential affiliates novel and attractive services in an attempt to stand out amongst newer, highly-active R&DE collectives such as Akira, Cactus, WereWolves, and Rhysida.
However, LockBit’s proportional share of R&DE activity across the threat landscape is unlikely to increase significantly due to the current upward trajectory in overall attacks and new extortion operations that are diversifying the threat landscape.
Recommendations
- Implement secure password policies with phishing-resistant multi-factor authentication, complex passwords, and unique credentials.
- Configure ongoing monitoring for Compromised Account Credentials.
- Proactively monitor for compromised accounts being brokered in deep and dark web forums.
- Leverage cyber threat intelligence to inform the detection of R&DE threats; their associated tactics, techniques, and procedures (TTPs); and Indicators of Compromise (IOCs).
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege.
- Implement network segmentation to separate resources.
- Develop a comprehensive incident response strategy.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Deploy a holistic patch management system, and ensure all business IT assets are updated with the latest software as quickly as possible.
Tags: Deep & Dark Web, Flash Report, Ransomware, Threat Intelligence