LockBit Targeting of the United Kingdom

Executive Summary

LockBit is ransomware used by threat actors to infect and extort victims. The strain, identified as early as September 2019, is run as a ransomware-as-a-service (RaaS) offering with a subscription-based business model involving the selling or leasing of malicious code to multiple, fee-paying affiliates on dark web forums. LockBit 3.0—currently the most prolific extortion operation—has been equipped with worm-like capabilities that enable self-propagation across a compromised network. The strain is renowned for its speed of compromise, leveraging strong cryptography to render thousands of files inaccessible to users within seconds. Backups are removed to prevent file recovery attempts.

This report outlines the threat from LockBit to UK-based organizations over the last two years. All data and analysis included in this report are based on ZeroFox collections only and do not include data from third parties.

Details

Between January 2022 and November 2023, LockBit has been the primary ransomware and digital extortion (R&DE) threat to UK-based organizations. On a quarterly average, LockBit has accounted for approximately 20 percent of all R&DE attacks against UK-based organizations. 

In the reporting period, LockBit’s most frequently-targeted industries in the UK have been:

• Manufacturing
• Retail
• Professional Services
• Education
• Legal & Consulting

LockBit Industry Targeting as a Proportion of Its Total Attacks

Source: ZeroFox

When considering LockBit’s operation as a whole, there is no evidence to indicate a disproportionate focus on targets in the UK. The proportion of LockBit deployment against UK-based targets has been consistent with total R&DE attacks in the UK. However, it is likely specific LockBit affiliates have a bias towards targeting particular countries or regions, with it more likely than not that some have a focus on UK-based targets.

How LockBit’s Targeting of the UK Compares to R&DE as a Whole

Source: ZeroFox

*Q4 2023 data as of November 30, 2023

The UK consistently accounts for approximately 20 percent of total European R&DE attacks. LockBit’s Europe-focused targeting has decreased, whereas its attacks against the UK have remained broadly consistent—meaning UK organizations represent an increasing proportion of LockBit’s Europe-focused targeting. This likely indicates that, while LockBit affiliates focused on targeting wider Europe have reduced activity or pivoted to other strains, UK-focused affiliates continue to leverage LockBit and maintain their operational tempo.

Proportion of European R&DE targeting the UK

Source: ZeroFox

*Q4 2023 data as of November 30, 2023

While LockBit remains the primary R&DE threat to UK-based organizations (accounting for approximately 20 percent of all R&DE attacks against UK-based organizations on average), diversification of the R&DE threat landscape is driving LockBit to account for an increasingly smaller proportion of total R&DE against the UK. Despite the frequency of LockBit attacks against the region remaining high, other groups—including newly formed, highly prolific collectives—are demonstrating an even greater focus on targets in the country. This mirrors LockBit’s market share decline more broadly in Europe and around the world.

Proportion of R&DE for Which LockBit is Responsible

Source: ZeroFox

*Q4 2023 data as of November 30, 2023

ZeroFox anticipates LockBit will remain the primary R&DE threat to the region over the next two quarters, with attacks very likely to remain frequent. However, LockBit’s falling UK market share and the rise of highly-prolific strains driving an increase in UK-focused targeting means security teams will need to monitor for, and mitigate the threats from, an increasingly diverse range of extortion operations.

Recommendations

• Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege. 
• Implement network segmentation to separate resources by sensitivity and/or function. 
• Implement secure password policies, with phishing- resistant MFA, complex passwords, and unique credentials.
• Leverage cyber threat intelligence to inform detection of relevant cyber threats and associated TTPs.
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently. 
• Develop a comprehensive incident response strategy.
• Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
• Deploy a holistic patch management process, and ensure all IT assets are updated with the latest software updates as quickly as possible. 
• Proactively monitor for compromised accounts being brokered in DDW forums. 
• Configure ongoing monitoring for Compromised Account Credentials.
• Deploy robust External Attack Surface Management solutions for ongoing Lockbit-targeted discovery.