LockBit is a rapidly developing ransomware that operates as Ransomware-as-a-Service (RaaS). The creators of LockBit distribute their attack framework for others to use and manage the infrastructure for their clientele. LockBit was first seen in September of 2019 and has been advancing and changing its strategy to match the Maze, NetWalker, DoppelPaymer, and Sodinokibi gangs. A major, concerning change is that LockBit now exfiltrates data from victim networks. LockBit has also recently been associating with the Maze ransomware crew, utilizing their TOR site to leak exfiltrated data.
Leaking victim data only strengthens the leverage these Threat Actors have to extort affected organizations, and it is becoming more and more common across the board. LockBit displays an encryption notice as the background and has adjusted its ransom notes to state that data has been exfiltrated. LockBit, now partnered with Maze, is expected to expand the scope of its criminal activity. Because LockBit is RaaS, it expands the number of groups causing destruction, since these services allow low-skilled individuals to enter the fold. LockBit has changed its automated deployment to include a UAC bypass for privilege escalation and to use ARP requests for enumeration as the ransomware encrypts a system.
We expect to see a rise in LockBit attacks, and there is no magic bullet to prevent this type of ransomware. This threat shows the importance of maintaining security in depth. No single tool can stop unauthorized access, so don't expect traditional anti-virus alone to protect your infrastructure. Once the Threat Actor has obtained access and begun exfiltrating, there is only one thing that can be done to stop them from posting that data: pay.
Our proprietary tool, ShadowSpear®, and elite cybersecurity engineers work around the clock for you and stop attacks immediately, before they destroy your environment. Learn more about ShadowSpear® before becoming a victim of a cyberattack.