1,700 Attacks in Three Years: How LockBit Ransomware Wreaks Havoc

A decorative image displaying the words Ransomware Updates: LockBit Q2 2023.

The Cybersecurity and Infrastructure Security Agency (CISA) released a joint ransomware advisory last Wednesday, reporting that LockBit ransomware has proven to be the most popular ransomware variant in the world after executing at least 1,700 attacks and raking in $91 million in ransom payments. 

Today, I’m recapping the advisory and sharing some best practices for protecting your business from this prolific threat.

What Is LockBit?

LockBit is a ransomware variant that’s sold as ransomware as a service (RaaS). The RaaS platform requires little to no skill to use and provides a point and click interface for launching ransomware campaigns. That means the barrier to entry for would-be cybercriminals is staggeringly low—they can simply use the software as affiliates and execute it using LockBit’s tools and infrastructure. 

LockBit either gets an up-front fee, subscription payments, a cut of the profits from attacks, or a combination of all three. Since there are a wide range of affiliates with different skill levels and no connection to one another other than their use of the same software, no LockBit attack is the same. Observed tactics, techniques, and procedures (TTP) vary which makes defending against LockBit particularly challenging.

Who Is Targeted by LockBit?

LockBit victims range across industries and sectors, including critical infrastructure, financial services, food and agriculture, education, energy, government, healthcare, manufacturing, and transportation. Attacks have been carried out against organizations large and small. 

What Operating Systems (OS) Are Targeted by LockBit?

By skimming the advisory, you may think that this only impacts Windows systems, but there are variants available through the LockBit RaaS platform that target Linux and VMware ESXi.

How Do Cybercriminals Gain Access to Execute LockBit?

The Common Vulnerabilities and Exposures (CVEs) Exploited section lists some of the ways bad actors are able to get in to drop a malicious payload. Most of the vulnerabilities listed are older, but it’s worth taking a moment to familiarize yourself with them and make sure your systems are patched if they affect you.

In the MITRE ATT&CK Tactics and Techniques section, you’ll see the common methods of gaining initial access. These include:

  • Drive-By Compromise: When a user visits a website that cybercriminals have planted with LockBit during normal browsing.
  • Public-Facing Applications: LockBit cybercriminals have used vulnerabilities like Log4J and Log4Shell to gain access to victims’ systems.
  • External Remote Services: LockBit affiliates exploit remote desktop procedures (RDP) to gain access to victims’ networks.
  • Phishing: LockBit affiliates have used social engineering tactics like phishing, where they trick users into opening an infected email.
  • Valid Accounts: Some LockBit affiliates have been able to obtain and abuse legitimate credentials to gain initial access.

How to Prevent a LockBit Attack

CISA provides a list of mitigations that aim to enhance your cybersecurity posture and defend against LockBit. These recommendations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs are based on established cybersecurity frameworks and guidance, targeting common threats, tactics, techniques, and procedures. Here are some of the key mitigations organized by MITRE ATT&CK tactic (this is not an exhaustive list):

Initial Access:

  • Implement sandboxed browsers to isolate the host machine from web-borne malware.
  • Enforce compliance with NIST standards for password policies across all accounts.
  • Require longer passwords with a minimum length of 15 characters.
  • Prevent the use of commonly used or compromised passwords.
  • Implement account lockouts after multiple failed login attempts.
  • Disable password hints and refrain from frequent password changes.
  • Require multifactor authentication (MFA). 


  • Develop and update comprehensive network diagrams.
  • Control and restrict network connections using a network flow matrix.
  • Enable enhanced PowerShell logging and configure PowerShell instances with the latest version and logging enabled.
  • Configure Windows Registry to require user account control (UAC) approval for PsExec operations.

Privilege Escalation:

  • Disable command-line and scripting activities and permissions.
  • Enable Credential Guard to protect Windows system credentials.
  • Implement Local Administrator Password Solution (LAPS) if using older Windows OS versions.

Defense Evasion:

  • Apply local security policies (e.g., SRP, AppLocker, WDAC) to control application execution.
  • Establish an application allowlist to allow only approved software to run.

Credential Access:

  • Restrict NTLM usage with security policies and firewalling.


  • Disable unused ports and close unused RDP ports.

Lateral Movement:

  • Identify and eliminate critical Active Directory control paths.
  • Use network monitoring tools to detect abnormal activity and potential ransomware traversal.

Command and Control:

  • Implement a tiering model and trust zones for sensitive assets.
  • Reconsider virtual private network (VPN) access and move towards zero trust architectures.


  • Block connections to known malicious systems using a TLS Proxy.
  • Use web filtering or a Cloud Access Security Broker (CASB) to restrict or monitor access to public-file sharing services.


  • Develop a recovery plan and maintain multiple copies of sensitive data in a physically separate and secure location.
  • Maintain offline backups of data with regular backup and restoration practices.
  • Encrypt backup data, make it immutable, and cover the entire data infrastructure.

By implementing these mitigations, organizations can significantly strengthen their cybersecurity defenses and reduce the risk of falling victim to cyber threats like LockBit. It is crucial to regularly review and update these measures to stay resilient in the face of evolving threats.

Ransomware Resources

Take a look at our other posts on ransomware for more information on how businesses can defend themselves against an attack, and more.

And, don’t forget that we offer a thorough walkthrough of ways to prepare yourself and your business for ransomware attacks—free to download below.

Download the Ransomware Guide ➔ 


About Mark Potter

Mark Potter is Backblaze's chief information security officer. He brings experience from over 29 years working in information security governance, risk management, regulatory compliance, and data protection and privacy program design and implementation to Backblaze. He is an IAPP Fellow of Information Privacy and holds over 30 security, privacy, and risk management certifications.