Live Webinar:

Join us Apr. 1st for a Town Hall as Robert M. Lee shares insights from his testimony before the U.S. House of Representatives Subcommittee on Cybersecurity and Infrastructure Protection.

Skip to main content
The Dragos Blog

03.27.23 | 2 min read

LockBit Ransomware Continued to Impact Operational Technology (OT) in 2022 

There has been a significant uptick in LockBit ransomware attacks since 2021, impacting organizations closely aligned with critical infrastructure or within the critical infrastructure supply chain. This activity continued through 2022, with trends affecting manufacturing, electric, transportation, and logistics businesses. LockBit operators capitalize on extortion tactics to increase the probability of the victim paying the ransom.  

The LockBit ransomware operation was first observed in 2019 as the ‘.abcd’ ransomware group and has undergone at least three evolutions in that time – .abcd ransomware to LockBit, then to LockBit 2.0, and most recently, LockBit 3.0 The most recent iteration is marketed within the cybercriminal ecosystem as ransomware-as-a-service (RaaS), meaning other criminal operators can acquire LockBit and associated infrastructure for a fee to the LockBit purveyors. The LockBit ransomware is highly attractive with low-barrier-of-entry table stakes for any cybercrime actor interested in profiting from a ransomware operation.  

Since 2021, LockBit ransomware has been one of the top cybercriminal threats and the LockBit operators appear to have prioritized attacking industrial organizations and industrial infrastructure in their daily operations. In fact, according to the 2022 Dragos Year in Review, the LockBit variant accounted for 28 percent of total ransomware attacks against industrial infrastructure-reliant organizations in 2022. Publicly reported victims include Bridgestone Tires, multiple energy companies in Italy, Indonesia, and India, and multiple transportation organizations in Canada, Portugal, and Croatia. In 2022, LockBit was the most prevalent and prolific ransomware operation in the cybercrime ecosystem. 

Other than in a handful of circumstances, ransomware operations generally lack the capability of directly impacting industrial control systems (ICS) and operational technology (OT). Dragos has not observed LockBit operations directly targeting or impacting ICS/OT. However, cascading operational impacts from compromised business-critical systems in enterprise IT environments have created a threat landscape where ICS/OT security practitioners must pay more attention to this cyber-criminal element.  

LockBit Ransomware has similarities to other types of ransomware that have impacted industrial operations. LockBit 3.0 ransomware can infect Windows systems, Linux systems, VMware vSphere, and ESXi virtual environments.  

Overview of LockBit Victimology, Capabilities, and Infrastructure

Below is an overview of the victimology, capabilities, and infrastructure of the LockBit ransomware. 

Victimology 
  • Regions: Worldwide, except for post-Soviet countries, though a few reports have stated that adversaries have used LockBit to attack organizations within Ukraine.  
  • Sectors: Electric, Manufacturing, Construction, Wholesale, Finance, Professional Services, Legal, Transportation, Technology, Consumer Services, Retail, Logistics, Healthcare, Education, Oil and Gas, Government, Communications, Food, Real Estate, Consumer Durables, and Automotive 
  • Network: Windows and Linux machines, VMware vSphere, and ESXi virtual platforms
Capability
  • LockBit RaaS provides its affiliates with a full-featured solution to exfiltrate and encrypt data from an organization. The techniques used are similar to other ransomware variants, aside from tools developed by LockBit developers, such as StealBit for information stealing. 
Infrastructure
  • LockBit developers rent the ransomware program and infrastructure to third-party cybercriminals.  
  • Infrastructure typically includes a TOR-hosted website, secure messenger, and a command-line interface for affiliates to enable and disable features during an attack.  
  • LockBit 3.0 claims to be the fastest encryption solution compared to other current ransomware offerings. 

Learn More About LockBit 3.0

This blog shares some of the findings of our recently published whitepaper, Understanding LockBit 3.0 Ransomware. The whitepaper diagrams the ransomware group using the Diamond Model and provides a detailed overview of LockBit 3.0 techniques and tools. It presents full details on LockBit 3.0 capabilities, including: 

  • Initial Access  
  • System Discovery  
  • Persistence
  • Lateral Movement  
  • Exfiltration and Encryption  
  • Infrastructure  
  • Detection and Mitigations

The whitepaper also offers detailed, practical guidance on detecting and mitigating LockBit ransomware in your ICS/OT environment. It breaks down the impact on various industrial sectors and subsectors, and provides a timeline for these impacts and considers the role of RaaS and supply chain on industrial companies.  

Get the Complete Analysis

Download our whitepaper for practical guidance on detecting and mitigating LockBit 3.0 ransomware in your ICS/OT environments.

Ready to put your insights into action?

Take the next steps and contact our team today.