Understanding Ransomware Threat Actors: LockBit
Published on Monday 18 May 2026
LockBit, which first appeared in September 2019, is a ransomware strain operating under the Ransomware-as-a-Service business model. The operators of this cybercriminal group have developed and made available to their affiliates several variants of LockBit. It is the most commonly used ransomware in incidents reported to ANSSI in 2022. This document details the tactics, techniques and procedures, including the tools and vulnerabilities exploited, used by LockBit affiliates. It also contains technical recommendations to help limit the likelihood and impact of ransomware attacks.
This publication, entitled ‘Understanding Ransomware Threat Actors: LockBit’, is produced jointly by ANSSI, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the UK National Cyber Security Centre (NCSC-UK), the German Federal Office for Information Security (BSI), the New Zealand Computer Emergency Response Team (CERT-NZ) and the New Zealand National Cyber Security Centre (NCSC-NZ).