Skip to main content

Cybersecurity Alert - LockBit (Threat Actor)

IMPACT: All Firms 

Firms should review this information with any vendors who provide information technology services to the firm.

LockBit, one of the most deployed ransomware variants in recent years, continues to impact organizations across the globe, including FINRA member firms.1 Since November of 2023, FINRA has received reports from several member firms related to cyber incidents allegedly perpetrated by LockBit. The reported incidents varied in severity from no impact to significant disruptions in firms’ business operations. As a result, the Cyber and Analytics Unit (CAU) within FINRA’s Member Supervision Program is notifying firms of the increased activity of this threat actor to heighten awareness and visibility of this risk. CAU is also providing a compilation of resources that outline effective practices firms may consider in response to this elevated risk.

Ransomware, which includes the use of malicious software to encrypt, exfiltrate, or deny access to data belonging to another entity and then demanding payment to return access or not publish the data, continues to prove profitable for criminals. The profitability and increased activity related to ransomware is likely the result of threat actors’ use of the “Ransomware as a Service (RaaS)” model that involves the sale of off-the-shelf malicious software allowing quick deployment against a desired target. The RaaS model lowers the technical expertise and resources required for threat actors to become perpetrators of ransomware attacks by enabling the purchase of the necessary programs, infrastructure, and support – a process generally facilitated through illicit marketplaces.

The LockBit enterprise, an organization reportedly operating under the RaaS model, is one of the most active ransomware groups in recent years and continues to target member firms.  As ransomware continues to pose operational, financial, and reputational risks to organizations, including FINRA member firms, vigilant cybersecurity measures are necessary to enhance data security and protect operations. 

As part of a comprehensive cybersecurity program, member firms may consider the following effective practices:

  • Reviewing FINRA compliance resources that highlight effective practices for addressing ransomware risks and responding to a cyber incident:
  • Visiting
  • Prioritizing the management and implementation of software updates and security patches, especially those addressing known vulnerabilities that are exploited “in the wild”.2
  • Increasing employee awareness of the threats posed by social engineering.
  • Enabling and enforce multi-factor authentication. 
  • Subdividing networks into separate sections (i.e., segment networks) to restrict the ability of threat actors to move across networks to find valuable data (i.e., lateral movement).

For questions related to this Alert or other cybersecurity-related topics, contact the FINRA Cyber and Analytics Unit (CAU). Both the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, report the incident to the FBI Internet Crime Complaint Center (IC3) at, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some questions may not be relevant due to certain firms’ business models, sizes, or practices. 

If you would like to add or change who receives this email, please update your firm’s Chief Information Security Officer (CISO) and/or Chief Compliance Officer (CCO) contacts in FINRA Gateway.

2 The term “in the wild” is a reference to cybersecurity vulnerabilities actively being exploited by threat actors.