LockBit’s Ever-Increasing Victim List

Recent news articles have shone a light on LockBit’s current operations which seem to be yielding results in encrypting data and putting a halt to several organizations' operations. The most recent of which is Essendant, a wholesale distributor of stationery and office supplies owned by Staples. The company generates over 5.4 billion USD in annual revenue and employs more than 6,400 people.

Initially, Bleeping Computer reported that Essendant was suffering a major service outage on March 12, 2023.

lockbit ransomware essendant

The service outage prevented customers from placing orders online and the company’s ability to fulfill orders. The outage is understood to have begun on March 6, 2023, and Essendant appears to be still making recovery efforts at the time of writing. During this time, customers have not been able to place orders or contact Essendant's customer care services.

A nightmare for any business dependent on the fast delivery of paid-for goods. On March 15, 2023, the company published an update, stating,

“We’re pleased to report we have reached another important milestone and want to provide an update on the next steps in our recovery process. First, per our anticipated schedule, we successfully completed the clean-up effort on orders that had been in process for distribution at the time of disruption. This significant effort involved the physical capabilities in our distribution facilities and included restoration of more than 150,000 cartons in mid-stage back to inventory. This is just one of many examples of the tremendous work performed by our teams so far this week. As a result, we are now able to move into the next phase of system testing and recovery. Tomorrow, March 16, 2023, we will begin the first steps in the next phase of our work to establish connections with Essendant’s systems and electronic feeds. This is inclusive of end-to-end testing that must be successful before we can launch limited pick, pack, and ship capabilities.”

At the time Bleeping Computer published its article it was still up in the air as to whether the outage was a result of a technical issue or something far more malicious. On March 15, 2023, Bleeping Computer published an article noting that LockBit ransomware operators were claiming responsibility for the attack.

The ransomware operation used its data leak site to make the announcement on March 14, 2023. Essendant despite claims to the contrary still claimed the event was a mere network outage stating,

“Essendant experienced a network outage on Monday, March 6, 2023, resulting in the disruption of certain of our systems. The incident, which was limited to the Essendant network, disrupted certain systems and operations for customers, suppliers, and our carriers. The company mobilized a dedicated team of cross-functional experts who have worked expeditiously to restore all systems as quickly and securely as possible and investigate the nature of the outage.”

The truth might take some time to come out but the result of the ransomware attack, or network outage depending on who you believe, has left many customers in the lurch unable to do their jobs efficiently, let alone Essendant’s own employees.

The Victim List Keeps Growing

LockBit, now on its third iteration, has a habit of being able to take out a victim’s entire operation for extended periods. This was certainly the case with the UK's largest mail delivery service, Royal Mail which suffered outages to several services for several days.

On March 13, 2023, LockBit operators were again to make it public they scalped another high-profile victim. This time operators announced they had stolen and encrypted data belonging to Maximum Industries, a contractor on SpaceX’s books. The Register reported that,

“Ransomware gang Lockbit has boasted it broke into Maximum Industries, which makes parts for SpaceX, and stole 3,000 proprietary schematics developed by Elon Musk's rocketeers. The prolific cybercrime crew also mocked the SpaceX supremo, and threatened to leak or sell on the blueprints from March 20 if the gang's demands to pay up aren't met. This may therefore be a bill Musk can't avoid to reconcile, unlike others, reportedly.”

A response from either Maximum Industries or SpaceX has not been forthcoming, and it still needs to be confirmed if Maximum Industries did indeed suffer a data breach let alone a ransomware attack. ION is yet another high-profile victim of LockBit.

The result of the attack was ION had to suspend trades using their software on several stock exchanges. This ultimately resulted in banks and brokers, who make use of the software, to manually process derivative trades.

The incident prompted the UK’s Financial Conduct Authority (FCA) to investigate the incident noting that they are "aware of this incident and we will continue to work with our counterparts and the firms affected." The FCA regulates British banks and financial services companies.

ION, a third-party software developer, isn't an FCA-regulated business, however, it does provide services to several firms that do fall under the agency's purview.

The ransomware news cycle continues, one week some good news but most of it bad. It is clear that ransomware is still a major hurdle faced by organizations, regardless of the size of the business.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal