LockBit 3.0 Ransomware Attack on Schmitty & Sons

Incident Date: May 23, 2024

Attack Overview

Victim: Schmitty & Sons
Industry: Construction
Location: USA
Attacker: LockBit
First Reported: May 23, 2024

Overview of the Attack

Schmitty & Sons, an employee-owned transportation company based in Lakeville, Minnesota, was recently targeted by the notorious LockBit 3.0 ransomware group. The attack led to the exfiltration and subsequent leak of sensitive data, including tax forms, financial records, and personally identifiable information (PII). This incident highlights the ongoing threat posed by sophisticated ransomware operations and the increasing vulnerability of organizations across various sectors.

About Schmitty & Sons

Established in 1952, Schmitty & Sons provides a range of transportation services, including school buses, charter buses, and shuttle services. The company has a strong commitment to sustainability and green initiatives and became an employee-owned organization in 2016. With several office locations across Minnesota, including Lakeville, Eagan, Burnsville, and Lake Elmo, Schmitty & Sons is recognized for its focus on customer experience and safety in transportation.

LockBit 3.0 Ransomware Group

LockBit 3.0, also known as LockBit Black, is the latest iteration of the LockBit ransomware family, emerging in 2022. Known for its advanced capabilities and high degree of obfuscation, LockBit 3.0 operates under a Ransomware-as-a-Service (RaaS) model. This allows various cybercriminal affiliates to use the ransomware to conduct attacks, significantly increasing its reach and impact. The group is noted for its ability to encrypt files, modify filenames, and delete traces of its presence to evade detection.

Details of the Attack

The LockBit 3.0 attack on Schmitty & Sons involved the deployment of ransomware through a high-volume email campaign, facilitated by the Phorpiex botnet. The attack began with phishing emails containing malicious attachments that, once executed, downloaded the ransomware payload. This led to the encryption of critical data and the leaking of a sample of the exfiltrated information on LockBit's dark web site.

LockBit 3.0's affiliates have been known to exploit vulnerabilities in widely used software, such as Citrix NetScaler, to gain unauthorized access to systems. Once inside, they establish persistence and move laterally across networks to maximize the impact of their attacks.

Implications and Response

The attack on Schmitty & Sons underscores the critical need for robust cybersecurity measures, particularly for companies in essential service sectors like transportation. The ability of LockBit 3.0 to quickly adapt and exploit vulnerabilities makes it a formidable threat that requires continuous vigilance and proactive defense strategies.

As ransomware groups like LockBit continue to evolve, organizations must enhance their cybersecurity frameworks and ensure regular updates and patches to their systems to mitigate the risk of such attacks.
