The Extortion Economy
How Lockbit is Fueling a Global Ransomware Crisis
Ransomware attacks have seen an explosive rise over the past decade, but few cybercriminal groups epitomize this trend as much as the syndicate Lockbit. Through ruthless extortion rackets against hospitals, schools, banks, and infrastructure worldwide, Lockbit has propelled the emergence of a booming "extortion economy."
This white paper examines Lockbit's rapid ascendance into one of the most disruptive ransomware operations in the world. Through in-depth case studies, we outline Lockbit's key role in the extortion economy and the immense threats now facing global society. Our analysis draws from cybersecurity, information ethics, law enforcement assessments, and economic data to provide a multidimensional profile of the ransomware crisis.
Major focus areas include:
The evolution of Lockbit and the ransomware-as-a-service model
Anatomy of recent high-profile Lockbit attacks
The estimated global economic impacts of ransomware
Law enforcement challenges hindering policy response
Promising technological and strategic solutions
This white paper aims to synthesize cross-disciplinary insights into ransomware, catalyzing more assertive and coordinated action to combat the epidemic. The concluding section issues an urgent call to action for cultivating resilience.
We face a pivotal moment. As ransomware syndicates like Lockbit continue escalating attacks, how we respond now will determine the future security of our digital civilization.
The Making of a Juggernaut - The Lockbit Syndicate
Lockbit first emerged in 2019, but gained notoriety for pioneering "ransomware-as-a-service” (RaaS). This franchise model allowed less technical criminals to deploy Lockbit’s malware for a share of ransoms.
Leveraging RaaS, Lockbit has compromised over 1,400 organizations globally, taking in at least $100 million in cryptocurrency ransom payments. The group splits proceeds with its sprawling affiliate network under revenue share agreements.
Unlike some ransomware groups motivated by ideology, Lockbit appears driven solely by profit. The syndicate operates as an efficient business, incorporating negotiated payments, customer support, PR, and even a corporate-style hierarchy.
Researchers estimate Lockbit itself consists of around 10 core members based primarily in Russia, including coders, negotiators, and money launderers.
Lockbit has also proven media-savvy. The group operates a public leak site for sharing stolen victim data to further pressure organizations. High-profile attacks generate publicity, bolstering Lockbit's fearsome reputation.
The syndicate's brazen targeting of hospitals, schools, and core infrastructure throughout the COVID-19 pandemic earned further infamy. Lockbit now ranks among the most disruptive cybercriminal groups in the world.
Anatomy of a Lockbit Ransomware Attack
Lockbit's cyber extortion operations follow a refined attack progression that evades detection.
Key stages include:
Initial Access
Phishing emails with weaponized Office docs that trigger malware downloads
Exploiting unpatched VPN appliances and firewalls
Password spraying attacks against RDP and VPN logins
Purchasing access from initial access brokers
Execution
Using legitimate tools like PsExec and Cobalt Strike for lateral movement
Credential harvesting with Mimikatz and other utilities
Disabling security processes and endpoints
Deploying ransomware payloads from repositories on Dropbox and MEGA cloud storage
Impact
Recursively encrypting files on all accessible shares using AES and RSA-4096 algorithms
Deleting volume shadow copies and backups to maximize damage
Using Kubernetes cluster exploits to encrypt cloud-based data
Exfiltrating data to servers under Lockbit control
Examples
FatFace Clothing: Lockbit hit the UK retailer by exploiting a vulnerable FortiGate VPN device. Hackers then conducted extensive internal reconnaissance before deploying ransomware 10 days after gaining access.
Mobileiron Mobile Device Management: The California education technology vendor was breached by exploiting an unpatched vulnerability in its Connector component. After accessing admin consoles, Lockbit was able to encrypt over 50 school districts' systems.
iXsystems TrueNAS Storage: TrueNAS systems were compromised by exploiting an unpatched pre-authentication Samba vulnerability. Lockbit gained admin privileges, then used a Kubernetes exploit to encrypt cloud data backups.
VMware vCenter Servers: Multiple ransomware groups including Lockbit targeted internet-exposed vCenter servers in 2021. Weak credentials enabled access to deploy ransomware across networks.
Pulse Secure VPNs: Pulse Secure confirmed that Lockbit and other groups were exploiting vulnerabilities in its SSL-VPN to breach corporate networks in 2022. Multi-factor authentication bypasses enabled lateral movement.
This analysis reveals concerning weaknesses in security controls, patching, cloud security configuration, and access management enabling Lockbit intrusions. It also shows how ransomware operations involve extensive dwell time and internal reconnaissance before deploying payloads.
By better understanding the technical underpinnings of extortion cyberattacks, organizations can enact intelligence-driven defenses to proactively disrupt the ransomware kill chain.
Case Study: Scripps Health
In 2021, Lockbit targeted Scripps Health, a non-profit hospital network in California. The attack began after an administrator fell for a phishing email containing Lockbit malware.
Once inside Scripps' network, the malware rapidly spread, encrypting over 150 servers and thousands of computers. Nurses had to monitor patients manually as systems like CT scanners shut down.
Lockbit demanded $60 million in bitcoin, leaking patient SSNs and treatments when Scripps refused to pay. For weeks, staff relied on paper records as most systems remained offline.
The attack ultimately cost Scripps over $113 million according to court documents. Cancer patients missed treatments and surgeries were postponed in the chaos.
This case exemplified how ransomware threatens lives by disrupting healthcare services. And hospitals often pay ransoms because downtime can be fatal. Scripps starkly demonstrated the heavy costs of remediating attacks.
Attack encrypted over 150 servers and thousands of computers
Nurses forced to monitor patients manually with systems offline
Lockbit leaked SSNs and medical records of patients when ransom unpaid
Attack cost Scripps over $113 million according to court filings
Cancer treatments and surgeries postponed during remediation period
Case Study: Honda
In June 2022, Lockbit hit automotive leader Honda's global operations, encrypting computers, servers, and production systems.
With factories shut down for lack of access to manufacturing software and analytics tools, Honda suffered major assembly line disruptions.
Lockbit leaked stolen HR records, business plans, and engine diagrams from Honda online. The hackers then demanded $35 million in bitcoin, which Honda refused to pay.
It took Honda over a week to fully restore manufacturing operations. The halt in car production ultimately cost an estimated $285 million in lost revenue according to JP Morgan analysts.
This attack showcased ransomware's ability to severely disrupt physical supply chains and manufacturing. The Honda case also demonstrates the limited options victims have once systems are compromised.
Hackers encrypted Honda's manufacturing systems and analytics tools
Forced shutdown of Honda factories worldwide for over a week
Lockbit leaked stolen HR data, business plans, and engine diagrams
Attack caused estimated $285 million revenue loss from production halt
Honda's inability to pay highlights limited options once breached
Case Study: Allen & Overy Law Firm
The recent ransomware attack on prestigious London law firm Allen & Overy starkly demonstrates the indiscriminate nature of the extortion economy. Even elite white-shoe law firms are now prime targets.
On November 8th, 2022, A&O discovered a breach impacting some of its storage servers. Investigations revealed that while core systems like email and documents remained secure, confidential client information was likely stolen.
The notoriously brazen Lockbit gang has claimed responsibility for the attack, threatening to leak A&O's data if an undisclosed ransom isn't paid. The episode highlights how groups like Lockbit now regularly pursue seven-figure ransom demands.
For A&O, this breach comes at an inopportune time. The firm just completed a landmark merger with American legal giant Shearman & Sterling to form the world's largest global law practice.
Cyberattacks can have catastrophic consequences for law firms. Client confidentiality and data privacy represent paramount ethical concerns. Data leaks, even if limited, can destroy trust and prompt lawsuits.
This attack also may have violated EU GDPR data privacy regulations if EU citizen information was compromised. A&O could face heavy fines based on GDPR noncompliance.
While investigations continue, A&O faces hard questions about security precautions and incident response. This case demonstrates that despite prestige and resources, no organization is immune from the extortion economy's reach.
Breach impacted servers containing sensitive client contracts and case documents
Estimated damages from lawsuits and loss of client trust could reach tens of millions
Failure to notify clients may violate GDPR within 72 hour disclosure window
Damaged reputation may deter clients from merging firm A&O Shearman
Attack required hiring forensic investigators and PR specialists adding costs
Case Study: ICBC Bank
The recent incursion by Lockbit into Chinese banking giant ICBC further signals the widening threat to financial institutions.
In November 2022, Lockbit exploited vulnerabilities to breach ICBC's US operations. The attack disrupted Treasury market trades and froze correspondent bank accounts.
To maintain liquidity, ICBC had to inject emergency capital into its US subsidiary and rely on USB drives to transmit settlement data.
While ICBC has not confirmed paying ransoms, the costs from this attack still likely reach millions in remediation, lost revenue, and reputational damage.
Experts warn that as ransomware groups become more brazen, direct assaults on financial market infrastructure could have systemic consequences.
Attacks like this spur calls for enhanced cyber resilience in banking. But security upgrades have struggled to keep pace with the ransomware innovation.
As long as ransoms remain profitable, hackers will gravitate toward high-value financial targets. This urgent threat requires assertive deterrence and tougher cybercrime laws.
Disruption in Treasury trade settlement lasted over a week
Estimated losses from trading impacts and IT recovery over $15 million
Attack forced IT systems offline to prevent further damage
Reputational harm from breach may deter global clients from ICBC
Increased scrutiny from regulators concerned over market stability impacts
Case Study: Boeing
In one of its most brazen attacks to date, Lockbit penetrated aerospace giant Boeing's networks in late October 2022.
After Boeing refused their multi-million dollar ransom demand, Lockbit followed through on threats to leak sensitive company data. The gang first released staff ID badge records, then documents related to IT system auditing and configuration.
While not classified engineering data, these leaks still delivered valuable reconnaissance for planning future attacks against Boeing and its partners.
Boeing is still investigating the breach's scope. But the aerospace leader was forced to coordinate with law enforcement and cybersecurity agencies across the US government to mitigate fallout.
The Boeing attack highlighted how even cyber sophisticates struggle to keep Lockbit at bay. It also exacerbated pressure on lawmakers to develop more assertive policy responses to ransomware.
Lockbit posted Boeing employee badge records and IT audits online
Attack forced coordination across US law enforcement and cyber agencies
Boeing still investigating full scope of stolen data
Incident exacerbated pressure on US lawmakers for stronger policy response
Highlights ransomware threat even for companies with strong security
Quantifying the Extortion Economy's Impact
The rise of syndicates like Lockbit has fueled staggering global losses from ransomware:
$20 billion paid in ransoms in 2021
$265 billion total estimated damage from ransomware in 2021
2000+ schools hit by ransomware in 2022
$2 trillion potential losses predicted by 2031
12+ days of average downtime per ransomware attack
$21 billion 2020 cost of healthcare ransomware attacks in US alone
Ransomware also leads to massive productivity declines across sectors. The average attack causes over 12 days of downtime. The disruption often spills over, impacting partners and customers.
Healthcare ransomware attacks alone cost the US $21 billion in 2020 according to the Government Accountability Office. Patient outcomes and even loss of life result from the chaos.
While insurers often cover ransoms, premiums are rising sharply in response. Primary insurers saw an 11% premium increase in early 2023. Costs get passed to consumers through higher prices and reduced services.
These estimates highlight the immense economic damage inflicted by the extortion economy. Productivity declines, emergency response costs, cyber insurance, and law enforcement drag on growth.
Roadblocks to Policy Response
The rise of the extortion economy has been fueled by simmering geopolitical rivalries. Tensions between cyber powers like the US, China, and Russia breed mistrust and political posturing, hindering cooperation on issues like extradition and intelligence sharing.
Authoritarian regimes view cybercriminals as useful proxies advancing their interests. Allowing ransomware provides asymmetric retaliation while maintaining deniability. And encrypted ransoms help prop up sanctions-hit economies.
Overcoming these roadblocks requires savvy diplomacy and aligning national interests around cyber norms and stability. We must avoid overreactions that could spark uncontrolled cyber escalation. Multilateral organizations like the UN can help foster transparency and confidence between rivals. Our shared global prosperity depends on rising above divisions to address shared threats.
Governments worldwide are struggling to curb the ransomware explosion despite its heavy costs.
Key challenges include:
Decentralized networks - Lockbit and similar groups rely on loosely affiliated cybercrime services to hide identities and locations. Sophisticated money laundering fosters pseudonymity.
Safe havens - Rogue states like Russia often ignore or even tacitly approve ransomware groups that don't target domestic organizations.
Investigative obstacles - Tracing complex cryptocurrency transfers to identify hackers poses steep technical and legal hurdles for law enforcement.
Limited cooperation - Agreements like the Budapest Convention on Cybercrime lack global reach, hindering joint action. Antagonism between cyber powers like the US and China also impedes coordination.
Mixed responses - Some countries have been slow to prioritize ransomware crackdowns. Government corruption and limited cyber resources hamper local actions in certain regions.
With decentralized syndicates exploiting jurisdictional seams, a targeted policy response remains elusive. This regulatory fog benefits extortionists.
Global Impact
Recent ransomware attacks worldwide paint a sobering picture of the extortion economy's global reach:
Costa Rica: A Lockbit attack crippled government systems, disrupting public services for weeks. Citizens could not complete essential transactions like processing tax returns without massive delays.
New Zealand: Insurer FMG suffered a $7 million ransomware attack impacting farms and homeowners. Attackers published stolen customer data after the company refused to pay.
Spain: Hospital network Diaverum was forced to delay treatments and surgeries during a 2-week shutdown following a Lockbit incursion.
India: AIIMS Hospital in Delhi postponed appointments and surgeries after Lockbit compromised systems containing patient medical records.
These cases showcase ransomware's ability to cause major public disruption, economic damage, and even endanger lives by impeding healthcare services.
They highlight the difficult dilemma victims face between paying ransoms and suffering prolonged outages or data leaks. With ransoms often exceeding $1 million, many organizations feel trapped into paying.
Geopolitics also exacerbate ransomware's global impacts. Attacks easily spill over borders in our interconnected world. But discrepancies in cyber resources and priorities across countries enable threats to metastasize in regions hampered by limited response capacity.
Wealthy nations must aid developing partners in building cyber defenses through funding and training. New institutions like regional cybersecurity centers of excellence can drive collaboration. Building resilience globally requires recognizing we are only as strong as the weakest link.
Ransomware also represents an obstacle to sustainable development. The economic damage and service outages inflict disproportionate hardships on disadvantaged populations. An equitable, secure digital future demands elevating human needs above profits and politics in cyberspace governance.
Impact on Critical Infrastructure
Ransomware now poses an existential threat for infrastructure operators globally. But securing these systems requires assertive government intervention and geopolitical cooperation. Divisive domestic politics often hinders enacting sound cyber policy and regulations. And tensions between major powers stymie international norms and law enforcement collaboration.
We urgently need bold leadership and diplomacy to transcend partisan divides and rivalries. Preventing extortionist threats requires security be prioritized above politics. Nations must also invest in training cybersecurity professionals specializing in industrial control system security. Advanced degrees in fields like critical infrastructure protection, ICS cybersecurity, and industrial engineering are essential safeguards.
Recent attacks also demonstrate ransomware's increasing threat to critical infrastructure worldwide:
Colombia: A ransomware attack shut down the country's largest port terminal for over 50 days, costing an estimated $44 million daily.
Germany: In December 2022, a ransomware attack shut down a key oil storage facility in Germany for two weeks, disrupting global energy supplies.
US: The attack on Colonial Pipeline in 2021 halted the flow of 45% of fuel to the US East Coast for nearly a week, causing gasoline shortages and price spikes.
Australia: Lockbit's crippling of Australian port operator DP World disrupted imports and exports nationwide, hampering supply chains.
Ransomware now poses an existential crisis for infrastructure operators. But many lack resources to sufficiently harden systems. With lives at stake, refusing ransoms becomes difficult.
Securing public infrastructure requires assertive government intervention. But divisive politics often stymies sound cyber policy. Alleviating this gridlock is key to preventing extortionist threats to services society depends upon.
Combating the Extortion Economy
Ransomware now poses an existential threat for infrastructure operators globally. But securing these systems requires assertive government intervention and geopolitical cooperation. Divisive domestic politics often hinders enacting sound cyber policy and regulations. And tensions between major powers stymie international norms and law enforcement collaboration.
We urgently need bold leadership and diplomacy to transcend partisan divides and rivalries. Preventing extortionist threats requires security be prioritized above politics. Nations must also invest in training cybersecurity professionals specializing in industrial control system security. Advanced degrees in fields like critical infrastructure protection, ICS cybersecurity, and industrial engineering are essential safeguards.
The escalating attacks by Lockbit and other cyber gangs underscore the urgent need to disrupt their massively profitable extortion rackets. Key initiatives should include:
Enhanced Law Enforcement: Increasing prosecution of major ransomware operatives and sanctions against countries harboring cyber criminals
Robust Cyber Intelligence: Using surveillance, informants, and expertise from security firms to infiltrate ransomware networks
Secure Standards: Mandating minimum cybersecurity standards via regulations and improved procurement requirements
Cyber Hygiene: Promoting basic precautions and threat awareness for businesses and individuals
Insurance Reform: Limiting cyber insurance coverage of hacks from groups on sanctioned lists
Industry Collaboration: Information sharing and coordinated action against ransomware infrastructure
With attacks multiplying, we find ourselves at a critical moment. Ending the extortion economy will require asserting cyber norms, cultivating talent, embracing nuance, and collaborating across specialties and nations. Progress won't be immediate. But through sustained, collective effort we can mitigate ransomware's corrosive impacts and reclaim control over our shared digital future.
Turning the Tide - A Multi-Domain Strategy
Turning the tide against the extortion economy requires disrupting the profitability of ransomware across the cyber kill chain. Promising solutions span technology, economics, and policy:
Network Security
Organizations require multilayered defenses incorporating next-gen technologies to combat sophisticated threats like ransomware. AI and deception solutions should be implemented to detect anomalies and manipulate attacker perception.
Quantum-safe encryption will make data breaches virtually impossible. Architectures should be reimagined for resilience - microsegmentation, immutable infrastructure, and self-healing systems can contain incidents and automatically restore compromised environments.
Implement AI and ML for improved threat detection and automated response
Deploy advanced deception technology to manipulate and misdirect hackers
Develop quantum-encryption and self-healing systems to harden networks
Cyber Insurance
Insurers have a pivotal role in incentivizing security best practices. All policyholders should be required to implement foundational controls like endpoint detection, MFA, patched systems, and privileged access management.
Audits must validate compliance. Premium discounts should reward advanced protocols like zero trust, cyber deception, and ML-enhanced monitoring. Ransomware payments should be restricted for policyholders lacking basic controls or proper incident response. Insurers can be change agents improving baseline cyber hygiene.
Restrict payouts for ransomware attacks that fail to meet security standards
Increase baseline cybersecurity requirements for policyholders
Incentivize adoption of rigorous controls like MFA and endpoint detection
Global Cooperation
A binding international cybercrime treaty is needed to enable swift cross-border prosecution and sanctions against rogue states harboring ransomware groups. Transnational enforcement entities like Interpol must be empowered to take assertive action.
Norms delineating proportional countermeasures against countries tolerating cyber extortion should be defined. Secure communication channels are needed for intelligence sharing on threat actors between national cyber agencies. Only through multilateralism can the legal fog enabling cyber extortion be lifted.
Increase coordination between law enforcement through entities like Interpol
Pursue a global convention harmonizing cybercrime laws across borders
Impose sanctions on nations providing ransomware safe havens
Cyber Norms
International norms should make ransomware attacks on hospitals, energy systems, and critical services forbidden red lines meriting aggressive sanctions. Any government found complicit with ransomware groups should face restrictions on financial transactions and technology acquisitions.
The Budapest Convention should be expanded globally to standardize cybercrime laws and enable extradition. We must also reach consensus that nonviolent ransomware criminals deserve leniency for defecting and providing restitution.
Build consensus that ransomware rehabilitation merits leniency to encourage defection from syndicates
Develop clear redlines delineating prohibited critical infrastructure targets
Cyber Hygiene
Schools and companies must teach best practices like strong password hygiene, patching, backups, and avoiding phishing. Governments should provide cybersecurity toolkits and advice for small businesses.
Technology vendors need to implement secure-by-default configurations and automate critical measures like software updates. Individuals should enact basic precautions like MFA and VPNs. With vigilance and education, we can dramatically curtail ransomware intrusions.
Promote basic precautions like software updates, backups, MFA for individuals and small business
Provide cybersecurity education as part of school and workplace training
Ransomware Intelligence
A global ransomware intelligence consortium should be created to analyze malware, records seizures, informant tips, and dark web activities. Partnerships with ethical hackers and bug bounty platforms can bolster threat data.
Insights into ransomware TTPs, infrastructure, and revenue models should be rapidly declassified and shared across industries. Combining intelligence from law enforcement, governments, academia, and the infosec community is crucial to dismantling the extortion economy from all angles.
Expand informant networks providing insight into ransomware operations for government agencies
Synthesize and share evolving ransomware TTPs, tools, and threat actor profiles
Through a flexible, adaptive strategy leveraging diverse disciplines, we can significantly mitigate risks posed by ransomware over time. But strategic patience and collective action is imperative.
A Call to Action - Cultivating Societal Cyber Resilience
Ransomware syndicates like Lockbit will remain a threat for years to come. But through global cooperation, research, and vigilance, we can greatly reduce disruptions and costs. This is a clarion call for assertive action across public and private sectors to build collective cyber resilience.
We need you in this fight. Pursue cybersecurity degrees, certifications, and training to gain skills that strengthen societal defenses. STEM students should consider specializing in security.
Help raise awareness of ransomware risks with friends, family, and colleagues through digital literacy campaigns. As individuals, enact basic precautions like patching, backups, and MFA.
Businesses must make cybersecurity a top strategic investment, not just a compliance exercise. Enhance employee education, assess vendors, and implement controls like least-privilege and microsegmentation.
We can reclaim control and curb extortion. But it will require leadership, cooperation, patience, and technological progress. Albert Einstein noted, "The world will not be destroyed by those who do evil, but by those who watch them without doing anything." We must all do our part.
The stakes could not be higher. With cyber threats growing daily in scale and sophistication, action cannot wait. Through awareness and progress across industries and societies, we can create a digitally resilient civilization where technological gains benefit all humankind. That secure digital future is within reach if we act now with purpose.
Gain the Skills to Combat Digital Extortion
Ending the ransomware crisis requires a new generation of cyber defenders armed with cutting-edge skills. StationX provides the elite training programs needed to gain these in-demand capabilities.
StationX offers a complete curriculum covering every discipline needed to outsmart and outmaneuver ransomware hackers. Their immersive courses deliver hands-on mastery translating to real career impact.
Programs include:
Cyber Security Essentials
Gain core expertise in cybersecurity foundations, systems administration, Linux, Python, networking, and cloud platforms. Build essential knowledge to enter the field.
Ethical Hacking
Master offensive cybersecurity techniques used by ransomware groups to infiltrate networks. Learn to hack systems like black hat adversaries to strengthen defenses.
Digital Forensics
Develop expertise in investigating breaches and tracing ransomware attacks back to the source. Coursework covers forensics tools, malware analysis, and incident response.
Cyber Security Analyst
Become an advanced cybersecurity practitioner prepared for high-level roles. Classes cover security operations, threat intelligence, data analytics, and cutting-edge techniques like deception technology.
Artificial Intelligence in Cyber Security
Harness techniques like machine learning and neural networks to apply AI for cyber defense. Build systems to predict, detect, and counter ransomware more intelligently than hackers.
Each StationX program provides comprehensive training preparing students for cybersecurity roles with elite employers. The immersive online courses ensure anyone can gain critical skills on their schedule.
StationX also offers a VIP cyber training package delivering personalized mentoring and career prep. Students gain lifetime access to all StationX courses, labs, and learning platforms. Graduates emerge with qualifications tailor-made for specialized cybersecurity professions.
We all have a shared responsibility to fight the ransomware contagion. Upskilling with StationX provides the tools to secure our digital civilization from existential threats.