InfoSecBulletin Cybersecurity for mankind
The LockBit ransomware gang has been active since at least January 2020, and has launched roughly 1,700 attacks in the United States, resulting in approximately $91 million in ransom payments. The gang operates under the Ransomware-as-a-Service (RaaS) model, which allows affiliates to use the malware and its infrastructure to target organizations in a variety of sectors, including critical infrastructure, education, energy, government and emergency response, financial services, food and agriculture, healthcare, manufacturing, and transportation.
Last year, LockBit accounted for roughly one-fifth of all ransomware attacks observed in Australia, Canada, New Zealand, and the US. The gang has been observed using dozens of freeware and open-source tools in attacks, for reconnaissance, tunneling, remote access, credential dumping, and data exfiltration. They also use PowerShell and batch scripts and penetration-testing tools such as Metasploit and Cobalt Strike.
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
ALSO READ:
Microsoft Warns of AitM Phishing Attacks Against Financial Organizations
The attackers have also been seen exploiting numerous vulnerabilities, such as the recent Fortra GoAnyhwere remote code execution (RCE) and PaperCut MF/NG improper access control flaws, as well as older bugs in Apache Log4j2, F5 BIG-IP, NetLogon, Microsoft remote desktop services, Fortinet FortiOS, and F5 iControl.
In addition to encrypting data, LockBit hackers have also been observed attempting secondary extortion after compromising a company responsible for managing other organizations’ networks. The attackers attempted to extort the victim organization’s customers by locking down their services or by threatening to publish sensitive information.
A joint advisory from Australian, Canadian, French, German, New Zealand, and US government agencies provides information on the tactics, techniques, and procedures (TTPs) used by LockBit affiliates, as well as mitigation recommendations for initial access, privilege escalation, persistence, code execution, lateral movement, credential access, and data exfiltration.
