In late February 2024, the notorious ransomware group known as LockBit was dealt a severe blow as international law enforcement partners including the Federal Bureau of Investigation (FBI) and the Cyber Division of the U.K. National Crime Agency (NCA) successfully seized many public-facing webservers and servers used for LockBit administration, hobbling the group’s ability to attack, encrypt, and extort victims.
According to cybersecurity expert Kevin Beaumont, a LockBit affiliate claimed that they were behind the ransomware attack that shut down some of the operations of EquiLend, a key financial technology company that processes trillions of dollars of securities lending transactions each month.
What was interesting to me is that despite confirming to Kevin Beaumont that they were behind the EquiLend ransomware attack, LockBit initially did not post EquiLend on their leak site. This may mean that EquiLend negotiated, and paid, the ransom amount. Update: As of February 25, LockBit have posted EquiLend on their new leak site.
In case you aren’t familiar with the LockBit ransomware group, it emerged in 2019 and has since gained notoriety for its highly targeted and damaging cyberattacks. They often use double extortion as a tactic; in addition to encrypting the victim’s files, they threaten to leak sensitive data if the ransom is not paid (thus increasing the pressure on the victims to comply).
The LockBit group operates a Ransomware-as-a-Service model, in which other cybercriminals they recruit can use their underlying tools and infrastructure to launch ransomware attacks and share the ransom payments. Since inception, it is believed that they have targeted 2,000+ victims and received more than $120 million USD in ransom payments.
In September 2023, eSentire’s Threat Response Unit (TRU) released a detailed report on the LockBit ransomware group and how they were targeting their victims. Between February 2022 and June 2023, TRU disrupted three incidents targeting a storage materials manufacturer, a manufacturer of home décor, and a Managed Service Provider (MSP).
According to the report, once the LockBit group gained access to their targets’ environment, they used the targets’ own remote monitoring and management (RMM) tools or remote access software, or brought in their own RMM tools, to deploy ransomware. In the case of the MSP, they attempted to deploy malware to the MSP’s downstream customers.
Moreover, our 2024 SMB Ransomware Readiness report found that LockBit was the most significant threat for small and medium-sized businesses (SMBs) that fall within the $1 million to $25 million annual revenue range.
Authorities stated that they have obtained keys from the seized LockBit infrastructure and will be able to help victims unlock their encrypted systems. As well, the Justice Department indicted two Russian nationals for deploying LockBit ransomware against many companies throughout the United States. This brings the number of individuals indicted for their participation in the LockBit ransomware group to five.
Here’s my take on the news – this is truly good news, but we should take care to note that the fight is not over. We should expect that the ‘bad guys’ have backups (just as we do) and that they have an incentive to be resilient in their operations.
This co-operative operation has dealt a serious blow to the parent organization and will hopefully increase their cost of doing business. However, they’re certainly not out of business. In fact, LockBit has already spun up a new Dark Web leak site and for all intents and purposes, they’ve resumed operations.
I also think we will continue to see other ransomware groups use RMM tools to gain initial access into their target organizations. With that in mind, here are some recommendations for organizations to protect themselves:
Protecting your organization against LockBit and other similar ransomware-as-a-service threats will always come down to how vigilant you are about staying ahead of the threat landscape and proactively preventing business disruption.
If you’ve been targeted by LockBit, please contact the FBI here for next steps you can take.
Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.