LockBit 5.0 Adds Singaporean Construction Firm SCB Group to its Victim List in Double-Extortion Attack

LockBit 5.0 Ransomware Gang Claims Attack on Singapore's SCB Group

HIGH
June 10, 2026
4m read
Ransomware, Threat Actor, Data Breach

Impact Scope

Affected Companies

SCB Group

Industries Affected

Other

Geographic Impact

Singapore (national)

Related Entities

Threat Actors

LockBit 5.0

Other

LockBit SCB Group

Full Report

Executive Summary

The prolific LockBit ransomware gang, operating under its 'LockBit 5.0' moniker, has publicly claimed a successful cyberattack against SCB Group, a construction firm in Singapore. The claim appeared on the group's dark web leak site on June 9, 2026. The attackers are employing their standard double-extortion methodology, having allegedly exfiltrated sensitive corporate data before encrypting the victim's network. They have threatened to release the stolen data publicly if the company fails to negotiate a ransom payment. This attack underscores LockBit's continued operational capability and its focus on targeting commercial enterprises globally, regardless of industry or size, to extort money.

Threat Overview

  • Threat Actor: LockBit 5.0. This is one of the most active and enduring Ransomware-as-a-Service (RaaS) operations in the world. They provide their malware and infrastructure to affiliates, who carry out the attacks in exchange for a share of the profits.
  • Victim: SCB Group, a construction company located in Singapore.
  • Attack Type: Double-Extortion Ransomware. This involves two key components:
    1. Data Exfiltration: Stealing sensitive data from the victim's network before encryption (T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage).
    2. Data Encryption: Encrypting files across the victim's network to disrupt operations (T1486 - Data Encrypted for Impact).
  • Threat: The group has explicitly threatened a "full leak" of company data, which is used as leverage to force the victim to pay the ransom. This stolen data could include financial records, employee PII, and proprietary construction plans.

Technical Analysis

LockBit affiliates use a wide variety of TTPs, but a common attack chain involves:

  • Initial Access: Often gained by exploiting vulnerabilities in public-facing infrastructure, such as VPNs or remote desktop protocol (RDP) servers (T1133 - External Remote Services). They are also known to purchase access from initial access brokers.
  • Credential Access: Once inside, they use tools like Mimikatz to harvest credentials from memory, allowing them to escalate privileges and move laterally.
  • Discovery & Lateral Movement: The attackers map the Active Directory environment and use the stolen credentials to spread across the network, often using legitimate tools like PsExec or WMI to execute their payload on remote systems (T1021.002 - Remote Services: SMB/Windows Admin Shares).
  • Defense Evasion: LockBit is known to attempt to disable security software and delete Volume Shadow Copies to prevent recovery (T1490 - Inhibit System Recovery).

Impact Assessment

For a construction firm like SCB Group, the impact of this attack could be severe:

  • Project Delays: Loss of access to project plans, schedules, and financial data would bring operations to a standstill.
  • Financial Costs: The direct cost of the ransom (if paid), plus incident response, system restoration, and potential regulatory fines.
  • Data Leakage: The public release of sensitive data could expose confidential client information, proprietary building plans, and competitive bids, causing significant reputational and competitive damage.
  • Supply Chain Effects: Disruption at a primary construction firm can have knock-on effects for subcontractors, suppliers, and clients.

IOCs: Directly from Articles

No specific Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables: Hunting Hints

Security teams can hunt for LockBit activity using the following clues:

  • File Name: PsExec.exe, procdump.exe
    Presence of these legitimate Sysinternals tools in unusual locations can indicate attacker activity.
  • Command Line Pattern: wmic.exe process call create "..."
    Use of WMI to remotely execute commands or malware is a common lateral movement technique.
  • Registry Key: HKCU\Software\LockBit
    LockBit often creates registry keys to store configuration data or mark the system as infected.
  • File Extension: *.lockbit
    The default file extension used by the ransomware when encrypting files. The appearance of these files is a definitive sign of infection.
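The hunting hints above can be turned into a small triage script. The following is an added example, not code from the source article or from DeXpose: it walks a list of constructed Windows events whose field names loosely follow Sysmon (EventID 1 for process creation, 11 for file creation, 13 for registry value set; these names and the "expected" Sysinternals directories are assumptions) and reports every hint that matches, including the shadow copy deletion (T1490) mentioned in the Technical Analysis.

```python
"""Hunt constructed Windows telemetry for the LockBit hunting hints listed above.

Added example, not code from the source article or from DeXpose. The events are
constructed for illustration; field names loosely follow Sysmon (EventID 1 =
process create, 11 = file create, 13 = registry value set) but are assumptions.
"""
import re
from collections import Counter

# Directories where the Sysinternals tools are expected on this fleet (assumption,
# adjust to your own deployment); any other location counts as "unusual".
EXPECTED_TOOL_DIRS = ("c:\\program files\\sysinternals\\", "c:\\tools\\sysinternals\\")
WATCHED_TOOLS = {"psexec.exe", "procdump.exe"}
# Remote execution via WMI, and shadow copy deletion (T1490) from the Technical Analysis.
WMIC_REMOTE_EXEC = re.compile(r"wmic(\.exe)?\s.*process\s+call\s+create", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Registry path from the hunting hints, written in HKCU form (assumption: the log
# source has already mapped the user hive SID to HKCU).
LOCKBIT_REG_KEY = r"hkcu\software\lockbit"
LOCKBIT_EXT = ".lockbit"


def hunt(events):
    """Return (rule, host, detail) tuples for every hint matched in the event stream."""
    hits = []
    for ev in events:
        host = ev.get("host", "?")
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            image = ev.get("Image", "").lower()
            name = image.rsplit("\\", 1)[-1]
            cmd = ev.get("CommandLine", "")
            if name in WATCHED_TOOLS and not image.startswith(EXPECTED_TOOL_DIRS):
                hits.append(("sysinternals_unusual_path", host, image))
            if WMIC_REMOTE_EXEC.search(cmd):
                hits.append(("wmic_remote_exec", host, cmd))
            if SHADOW_DELETE.search(cmd):
                hits.append(("shadow_copy_deletion", host, cmd))
        elif eid == 13 and ev.get("TargetObject", "").lower().startswith(LOCKBIT_REG_KEY):
            hits.append(("lockbit_registry_key", host, ev["TargetObject"]))
        elif eid == 11 and ev.get("TargetFilename", "").lower().endswith(LOCKBIT_EXT):
            hits.append(("lockbit_extension", host, ev["TargetFilename"]))
    return hits


def hits_per_host(hits):
    """Count matches per host so the most affected machines surface first."""
    return Counter(host for _, host, _ in hits)


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    {"host": "FILESRV01", "EventID": 1,
     "Image": "C:\\Program Files\\Sysinternals\\procdump.exe",
     "CommandLine": "procdump.exe -ma notepad.exe"},            # expected location: benign
    {"host": "FILESRV01", "EventID": 1,
     "Image": "C:\\Users\\Public\\PsExec.exe",
     "CommandLine": "PsExec.exe \\\\APP02 -s cmd.exe"},          # unusual location
    {"host": "WS-0042", "EventID": 1,
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic.exe /node:"APP02" process call create "cmd.exe /c echo constructed"'},
    {"host": "WS-0042", "EventID": 1,
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-0042", "EventID": 13,
     "TargetObject": "HKCU\\Software\\LockBit\\full"},
    {"host": "FILESRV01", "EventID": 11,
     "TargetFilename": "E:\\Projects\\tower-a\\site-plan.dwg.lockbit"},
    {"host": "FILESRV01", "EventID": 11,
     "TargetFilename": "E:\\Projects\\tower-a\\site-plan.dwg"},  # normal file: no hit
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for rule, host, detail in found:
        print(f"{host:10} {rule:26} {detail}")
    print(hits_per_host(found))
```

Running it on the sample yields five hits: the PsExec copy in a user-writable directory, the WMI remote execution, the shadow copy deletion, the LockBit registry key and the renamed file, while the procdump run from its expected directory and the untouched drawing are left alone. The per-host count is what an analyst would pivot on first, since three different hints firing on one workstation within a short window is far stronger evidence than any single match.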

Detection & Response

  1. EDR with Behavioral Blocking: Deploy an EDR solution that can detect and block ransomware based on its behavior (e.g., rapid file encryption, shadow copy deletion) rather than just static signatures. This is the most effective way to stop the payload itself.
  2. Network Egress Monitoring: As with other double-extortion attacks, monitoring for large, anomalous outbound data transfers is a key opportunity for early detection.
  3. Active Directory Auditing: Monitor for the creation of new user accounts, escalation of privileges, and other signs of an attacker attempting to gain domain admin rights. D3FEND's Domain Account Monitoring (D3-DAM) is critical here.
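Item 2 above, egress monitoring, is the control that can catch the exfiltration phase of a double-extortion attack before any file is encrypted. The script below is an added example, not code from the source article or from DeXpose: it aggregates constructed NetFlow-style records (ISO timestamp, source host, destination, bytes out) into hourly totals per host and flags any hour that is both large in absolute terms and many times larger than that host's own median hourly volume. The thresholds and the record layout are assumptions to be tuned for a real environment.

```python
"""Flag anomalous outbound data volumes in constructed flow records (egress monitoring).

Added example, not code from the source article or from DeXpose. Flow records are
constructed NetFlow-style summaries (ISO timestamp, source host, destination,
bytes out); thresholds are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

MiB = 1024 * 1024
BASELINE_MULTIPLIER = 5.0      # an hour must exceed 5x the host's median hourly egress
MIN_BYTES = 500 * MiB          # and be large in absolute terms, to suppress noisy small hosts
MIN_HISTORY_HOURS = 3          # need at least this many earlier hours to form a baseline


def hourly_egress(records):
    """Aggregate outbound bytes per (host, hour bucket), keeping a per-destination breakdown."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in records:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[(src, hour)][dst] += nbytes
    return buckets


def find_egress_anomalies(records):
    """Return one dict per (host, hour) whose egress dwarfs that host's own earlier hours.

    The baseline is the median of the host's previous hourly totals, so a single
    earlier spike does not mask a later one the way a mean would.
    """
    buckets = hourly_egress(records)
    per_host = defaultdict(list)
    for (src, hour), by_dst in buckets.items():
        per_host[src].append((hour, sum(by_dst.values()), by_dst))

    anomalies = []
    for src, hours in per_host.items():
        hours.sort(key=lambda h: h[0])
        history = []
        for hour, total, by_dst in hours:
            if len(history) >= MIN_HISTORY_HOURS:
                baseline = median(history)
                if total >= MIN_BYTES and total > BASELINE_MULTIPLIER * baseline:
                    top_dst = max(by_dst, key=by_dst.get)
                    anomalies.append({"host": src, "hour": hour.isoformat(), "bytes": total,
                                      "baseline": baseline, "top_dst": top_dst,
                                      "top_dst_bytes": by_dst[top_dst]})
            history.append(total)
    return anomalies


# Constructed sample flows: FILESRV01 pushes ~50 MiB/hour during the day, then
# 12 GiB to an external storage host at 02:00; WS-0042 is steady throughout.
SAMPLE_FLOWS = [
    ("2026-06-07T09:00:00", "FILESRV01", "update.vendor.example", 48 * MiB),
    ("2026-06-07T10:00:00", "FILESRV01", "mail.example", 51 * MiB),
    ("2026-06-07T11:00:00", "FILESRV01", "update.vendor.example", 47 * MiB),
    ("2026-06-07T12:00:00", "FILESRV01", "mail.example", 55 * MiB),
    ("2026-06-08T02:00:00", "FILESRV01", "mail.example", 12 * MiB),
    ("2026-06-08T02:00:00", "FILESRV01", "storage.cloud.example", 12 * 1024 * MiB),
    ("2026-06-07T09:00:00", "WS-0042", "mail.example", 20 * MiB),
    ("2026-06-07T10:00:00", "WS-0042", "mail.example", 22 * MiB),
    ("2026-06-07T11:00:00", "WS-0042", "mail.example", 19 * MiB),
    ("2026-06-07T12:00:00", "WS-0042", "mail.example", 25 * MiB),
    ("2026-06-08T02:00:00", "WS-0042", "mail.example", 21 * MiB),
]

if __name__ == "__main__":
    for a in find_egress_anomalies(SAMPLE_FLOWS):
        print(f"{a['host']} {a['hour']}: {a['bytes'] // MiB} MiB out "
              f"(baseline {a['baseline'] / MiB:.0f} MiB), mostly to {a['top_dst']}")
```

On the sample data only the file server's 02:00 hour is reported, with the external storage host named as the dominant destination; the workstation's steady traffic never crosses the absolute floor. Two design choices matter in practice: the per-host median baseline, because a fleet-wide threshold either drowns small hosts or ignores big ones, and the destination breakdown, because a burst to a cloud storage service (T1567.002) off-hours from a file server is exactly the pattern worth an immediate call to the on-call analyst.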

Mitigation

  1. Secure Remote Access: Harden all remote access points. Disable RDP where not needed, and enforce strong passwords and MFA on all VPN and RDP accounts. This is a direct application of D3FEND's Multi-factor Authentication (D3-MFA).
  2. Immutable Backups: This is non-negotiable for ransomware defense. Ensure backups are stored offline or in an immutable fashion so they cannot be encrypted or deleted by the attackers.
  3. Principle of Least Privilege: Restrict user and administrator privileges. Attackers who compromise a standard user account should not be able to easily escalate to domain admin. This involves implementing tiered administration and using Privileged Access Management (PAM) solutions.

Timeline of Events

  1. June 9, 2026: LockBit 5.0 posts a claim on its dark web leak site listing SCB Group as a victim.
  2. June 10, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Enforce MFA on all remote access services to prevent initial access via compromised credentials.
  • Use an EDR with behavioral detection to identify and block ransomware activities like shadow copy deletion and mass file encryption.
  • Implement the principle of least privilege and monitor privileged accounts to limit an attacker's ability to move laterally.

D3FEND Defensive Countermeasures

The ultimate defense against any ransomware gang, including LockBit, is the ability to restore operations without paying. SCB Group and other potential targets must invest in a comprehensive backup strategy. This means creating regular backups of all critical data and systems and, most importantly, ensuring at least one copy is immutable or physically offline (air-gapped). Ransomware actively seeks out and encrypts connected backup repositories. An immutable copy, which cannot be altered or deleted for a set period, guarantees a clean source for restoration. This strategy fundamentally undermines the ransomware business model.

LockBit affiliates frequently gain initial access by exploiting weak or compromised credentials for remote access services like RDP and VPNs. Enforcing MFA across the board is a simple yet highly effective control to block this entry vector. For a company like SCB Group, this means any employee or contractor accessing the network remotely must use a second factor. This simple step forces attackers to find a more difficult way in, significantly increasing the cost and complexity of their attack.

On critical servers, implement application control or 'allowlisting'. Instead of trying to block a near-infinite list of malicious files, configure the system to only allow a pre-approved list of legitimate applications to run. This 'default-deny' posture can prevent the LockBit executable and the tools its affiliates use (like Mimikatz or rogue versions of PsExec) from ever running in the first place. While this requires more administrative overhead to maintain the allowlist, it provides a very strong defense against malware execution on high-value assets.

Sources & References

LockBit 5.0 Targets SCB Group in Singapore Ransomware Attack
DeXpose (dexpose.io), June 10, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of focus: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

LockBit, Ransomware, Data Breach, Singapore, Construction
