Sierra Construction Attacked by LockBit Ransomware Gang

Background

Sierra Construction, a Pacific Northwest general contractor and construction management company founded in 1986, has fallen victim to the ransomware gang LockBit. Unfortunately, no further details are currently available about the attack.

About LockBit

LockBit is a Ransomware as a Service (RaaS) that has been active since 2019. Known for its expertise in evading security tools and its rapid encryption speed, LockBit employs various methods of extortion. In addition to demanding a ransom for the encryption key, victims may also be asked to pay for any sensitive information that was exfiltrated during the attack.

Modus Operandi

LockBit utilizes publicly available file-sharing services and a custom tool called Stealbit for data exfiltration. The ransomware operation gained notoriety in Q4-2023 when it exposed a significant amount of exfiltrated Boeing data. LockBit has demanded ransoms exceeding $50 million and targeted major companies like Taiwan Semiconductor Manufacturing Company (TSMC) with a $70 million ransom demand.

Evolution and Threat

LockBit continues to evolve its RaaS platform, with the release of LockBit 3.0 in June 2022. In April 2023, it introduced the first macOS ransomware variant. The latest versions of LockBit feature advanced anti-analysis capabilities and pose a threat to both Windows and Linux systems. The ransomware employs a custom Salsa20 algorithm for file encryption and exploits remote desktop protocol (RDP) vulnerabilities for infection.

Target and Affiliates

LockBit primarily targets large enterprises capable of meeting high ransom demands, although it has shown a preference for healthcare organizations. The ransomware operation runs a well-organized affiliate program, offering generous payouts of up to 75% of the ransom proceeds to attackers. LockBit operators have been observed exploiting vulnerabilities like the Citrix Bleed vulnerability (CVE 2023-4966) to further their malicious activities.