Aug 18–Around the world, LockBit ransomware attacks are proliferating. These attacks begin by targeting business employees, who are promised millions of dollars if they hand over valid account credentials that let the hackers infiltrate corporate networks.
Recently, reports of LockBit attacks have flooded media outlets. Organizations in Italy, Taiwan, the UK and Chile have been targeted.
What is LockBit ransomware?
LockBit ransomware is sold through the ransomware-as-a-service model. Recent LockBit attacks have used the LockBit 2.0 software, which introduces an aggressive encryption method.
On a more technical level, devices are encrypted automatically across Windows domains by abusing Active Directory (AD) group policies. The LockBit operators claim to run one of the fastest and most efficient encryption routines known.
However, research analysis indicates that LockBit's multi-threaded approach to encryption means it only partially encrypts files: per file, only 4 KB of data is encrypted.
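As an added example (not from the article), here is a defender-side triage check for the partial-encryption behaviour just described: it flags files whose first 4 KB has ciphertext-like entropy while the rest of the file does not. The 4096-byte window, the entropy thresholds and the sample files are assumptions constructed for this example.

```python
import math
import os
import random
import tempfile
from collections import Counter

HEAD_SIZE = 4096     # the 4 KB region the article says gets encrypted
HIGH_ENTROPY = 7.2   # bits/byte; random bytes score ~7.95 over 4 KB (assumed threshold)
LOW_ENTROPY = 6.0    # text and most office documents sit well below this (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_partially_encrypted(path: str) -> bool:
    """True when the 4 KB head is ciphertext-like but the rest of the file is not.

    Fully encrypted or compressed files have a high-entropy body as well, so they
    are deliberately not flagged; this check targets the head/body split only.
    """
    with open(path, "rb") as fh:
        head = fh.read(HEAD_SIZE)
        body = fh.read()
    if len(head) < HEAD_SIZE or not body:
        return False  # too small to exhibit the split pattern
    return shannon_entropy(head) > HIGH_ENTROPY and shannon_entropy(body) < LOW_ENTROPY

def scan_directory(directory: str) -> list:
    """Sorted names of files under `directory` matching the partial-encryption pattern."""
    return sorted(name for name in os.listdir(directory)
                  if looks_partially_encrypted(os.path.join(directory, name)))

def demo() -> list:
    """Build one clean and one constructed 'partially encrypted' sample, then scan."""
    text = b"Quarterly report: revenue, costs and forecast for each region.\n" * 200
    rng = random.Random(2021)  # seeded stand-in for ciphertext, so the run is repeatable
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "clean.txt"), "wb") as fh:
            fh.write(text)
        with open(os.path.join(tmp, "hit.txt"), "wb") as fh:
            fh.write(rng.randbytes(HEAD_SIZE) + text[HEAD_SIZE:])
        return scan_directory(tmp)

if __name__ == "__main__":
    print(demo())  # ['hit.txt']
```

Run against a real file share, the same head/body split is also produced by some container formats with encrypted headers, so treat a hit as a triage lead rather than a verdict.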
The affiliate recruitment strategy
LockBit ransomware operators have a second devious means of infecting network systems. Beyond their unique encryption methodology, they recruit insiders from target organizations to help deploy the malware, a tactic known as an ‘affiliate recruitment’ strategy.
To lure in affiliates, LockBit’s malware changes the wallpaper on a target’s computer, swapping the regular wallpaper for an advertisement describing how to join the LockBit cyber criminal group. The hackers dangle promises of million-dollar payouts in front of potential affiliates.
LockBit 2.0 infection and Accenture
The globally renowned consulting firm Accenture recently experienced a LockBit ransomware attack. The attack did not lead to downtime, as Accenture was able to restore systems from backups, and the company stated that the ransomware had no impact. The attackers nonetheless demanded $50 million in exchange for refraining from leaking stolen corporate data.
The attack is believed to have been executed from inside the firm, an allegation that aligns with LockBit’s known operating model.
The LockBit 2.0 toolkit
Once affiliates have been recruited, LockBit intrusions typically begin with valid remote desktop protocol (RDP) account credentials. Operators also use the StealBit trojan variant, which lets them access and automatically exfiltrate information.
Once inside an organization’s network, the gang maps the network structure and pinpoints the victim’s domain controllers. Multiple batch files are used for tasks including terminating security tools, clearing Windows Event logs, and disabling certain processes.
In addition, LockBit 2.0 disrupts legitimate tools such as Process Hacker and PC Hunter, halting critical processes on a target’s system. After all of this, the gang moves laterally across the network.
Maze and LockBit: Reinvention
Experts state that LockBit’s operators derive from the Maze ransomware group. While Maze formally disbanded last year, it may informally have reinvented itself.
The Maze gang was known as a pioneer of double extortion. It went on to develop a strong network of cyber criminals who deployed assorted ransomware strains, collaborating on ideas and exchanging resources.
The LockBit malware also appears to have evolved from the Ryuk and Egregor strains, with which it shares notable features.
Further LockBit insights
Experts expect the LockBit gang to continue recruiting affiliates in the coming weeks and months. Organizations can expect to see continued evolution and further deployment of the ransomware.