SAN FRANCISCO/LONDON: A cybercriminal group called Lockbit, which said Friday it had breached the Industrial and Commercial Bank of China (ICBC), has hacked some of the world’s largest organizations in recent months, stealing and leaking their sensitive data if they did not pay a ransom. Here are some details about the group:
WHERE DOES LOCKBIT COME FROM?
Lockbit came to light in 2020 when its eponymous malware was discovered on Russian-language cybercrime forums, leading some security analysts to believe the gang is based in Russia. However, the gang has not declared its support for any government, and no government has officially attributed it to a nation-state.
“We are located in the Netherlands, completely apolitical and only interested in money,” the gang explains on its dark web blog.
In just three years, it has become the world’s leading ransomware threat, according to U.S. officials. Nowhere has it been more disruptive than in the United States, where it has affected more than 1,700 U.S. organizations across nearly every industry, from financial and food services to schools, transportation and government departments.
Among its latest victims is defense and aerospace giant Boeing. On Friday, Lockbit disclosed a cache of internal data obtained by hacking Boeing systems. Earlier this year, the gang’s hack of financial trading services group ION disrupted operations at clients including some of the world’s largest banks, brokerages and hedge funds.
HOW DOES LOCKBIT TARGET ORGANIZATIONS?
The cybercriminal gang infects a victim organization’s system with ransomware (malware that encrypts data) and then coerces targets into paying a ransom to decrypt or unlock it. Such a ransom is usually demanded in the form of cryptocurrency, which is more difficult to trace and gives anonymity to the recipient.
U.S. officials and their counterparts in a 40-nation alliance have tried to stem the global scourge of ransomware by sharing intelligence between countries on the addresses of these criminals’ cryptocurrency wallets.
On the dark web, Lockbit’s blog displays an ever-growing gallery of victim organizations, updated almost daily. Next to their names are digital clocks indicating the number of days each organization has left to pay the ransom before the gang releases the sensitive data it has collected.
Often, victim organizations seek help from cybersecurity companies to identify the data that has been leaked and negotiate ransom amounts with the hackers. Such behind-the-scenes discussions usually remain private and can sometimes take days or even weeks, according to security analysts.
It is common for some victims’ names not to appear on the Lockbit blog if the threat was made privately. ICBC’s U.S. unit, which said it was working to recover from the breach, was not listed on Lockbit’s blog Friday.
HOW DOES LOCKBIT WORK?
Lockbit’s success depends in part on its so-called “affiliates,” like-minded criminal groups who are recruited to carry out attacks using Lockbit’s digital extortion tools.
On its website, the gang boasts of its successes in hacking various organizations and outlines a detailed set of rules for cybercriminals who can submit an “application form” to work with them. “Ask your friends or acquaintances who already work with us to vouch for you,” one of those rules says.
This network of alliances between cybercriminal groups makes it difficult to track these hacking activities and attempts to ransom victims, because their tactics and techniques can vary with each attack.