As part of its roll-out of news about the LockBit disruption, the governments involved have provided additional information and resources. One of the resources is an article by Secureworks. The summary of their article:
Summary
The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims. At approximately 4:00 pm EST on February 19, 2024, the UK’s National Crime Agency (NCA) and U.S. Federal Bureau of Investigation (FBI), in conjunction with international law enforcement partners, took disruptive action against the infrastructure used by the LockBit RaaS operation.
Secureworks® incident responders investigated 22 compromises featuring LockBit ransomware from July 2020 through January 2024. These investigations revealed the tactics, techniques, and procedures (TTPs) that LockBit affiliates have used in their intrusions. The complexity of operations varies from manual encryption of individual hosts to automated ransomware deployments from domain controllers. In some incidents, ransomware is not deployed at all. Instead, affiliates rely on data theft alone to extort victims. LockBit’s evolution includes targeting VMware ESXi hosts to encrypt virtual machines, which can have a devastating impact on organizations that rely heavily on virtualized infrastructure. As the LockBit brand has grown in stature, copycat cybercriminals have sought to exploit the name for their own ransomware operations or other extortion threats.
Access the full article at Secureworks.