SAN FRANCISCO/LONDON – A cyber-criminal group named Lockbit, which on Friday said it breached the Industrial and Commercial Bank of China (ICBC), has hacked some of the world’s largest organisations in recent months, stealing and leaking their sensitive data if they did not pay ransom.
Here are some details about the group:
Where is Lockbit from?
Lockbit was discovered in 2020 when its eponymous malicious software was found on Russian-language cybercrime forums, leading some security analysts to believe the gang is based in Russia.
The gang has not professed support for any government, however, nor has any government formally attributed it to a nation-state.
“We are located in the Netherlands, completely apolitical and only interested in money,” the gang says on its Dark Web blog.
In just three years, it has become the world’s top ransomware threat, according to US officials.
Nowhere has it been more disruptive than in the United States, hitting more than 1,700 American organisations in nearly every industry – from financial services and food to schools and transport and government departments.
Among its latest victims is defence and aerospace giant Boeing.
On Friday, Lockbit leaked a cache of internal data it had obtained by breaching Boeing’s systems. Earlier in 2023, the gang’s hack into financial trading services group ION disrupted operations for customers that included some of the world’s biggest banks, brokerages and hedge funds.
How does Lockbit target organisations?
The cybercrime gang infects a victim organisation’s system with ransomware – malicious software that encrypts data – and then coerces targets into paying ransom to decrypt or unlock it.
Such ransom is usually demanded in the form of cryptocurrency, which is harder to trace and gives the receiver anonymity.
US and other officials in a 40-country alliance have been trying to stem the global scourge of ransomware by sharing intelligence between nations on the cryptocurrency wallet addresses of such criminals.
On the Dark Web, Lockbit’s blog displays an ever-growing gallery of victim organisations that is updated almost daily.
Next to their names are digital clocks showing the number of days left to the deadline given to each organisation to provide ransom payment, failing which, the gang publishes the sensitive data it has collected.
Often, victim organisations will seek the help of cyber-security companies to identify what data was leaked and negotiate ransom amounts with the hackers.
Such behind-the-scenes talks usually remain private and can sometimes take days or weeks, according to security analysts.
It is common for some victim names to not show up on the Lockbit blog if the threat was made privately. ICBC’s US unit, which said it was working on recovering from the breach, was not listed on Lockbit’s blog on Friday.
How does Lockbit operate?
In part, Lockbit’s success depends on its so-called “affiliates” – like-minded criminal groups that are recruited to wage attacks using Lockbit’s digital extortion tools.
On its website, the gang boasts of its successes in hacking various organisations and lays out a detailed set of rules for cyber criminals who may submit an “application form” to work with them.
“Ask your friends or acquaintances who already work with us to vouch for you,” one of those rules says.
This web of alliances between cyber-criminal groups makes tracking such hacking activity and attempts to ransom victims difficult, as their tactics and techniques can vary with each attack. REUTERS
