In today’s digital world, it’s critical to stay informed about cybersecurity threats and how dangerous ransomware has become. Ransomware is a major cyber threat to individuals and companies alike, and certain strains, LockBit among them, have become the prime choice of malicious threat actors. LockBit ransomware has become a global threat by using the Ransomware-as-a-Service (RaaS) model. Although LockBit started as a single strain of ransomware, it has evolved numerous times, most recently into “LockBit 3.0”, and now spans a family of ransomware programs. Under the ransomware-as-a-service business model, users pay for access to ransomware that they can use in their own attacks. These users become affiliates, and their payments can be either a flat fee or a subscription.
By employing the RaaS model, LockBit’s developers have found a way to profit from its use, receiving a portion of the ransom paid by victims. The RaaS model is also used by numerous other ransomware programs, including DarkSide and REvil, and LockBit is one of the most popular ransomware types in use today. As a ransomware family, LockBit works by encrypting targets’ files. Cybercriminals first gain access to victims’ devices, typically through phishing emails or malicious attachments, and then use LockBit to encrypt all files on those devices, making them inaccessible to users.
It’s unknown exactly when LockBit was created, but it can be traced back to 2019, when the ransomware was first discovered. The group was identified after its first wave of attacks, when it was initially named “ABCD” after the file extension appended to encrypted files during attacks. When threat operators later switched to the “.lockbit” file extension, the ransomware’s name changed to what it is today. After its second iteration, LockBit 2.0, was released, its popularity increased as affiliates used it more frequently in attacks. When other ransomware groups shut down, LockBit took advantage of the gap in the market.
LockBit 2.0’s rising usage cemented its status as one of the most impactful and widely deployed ransomware variants observed during the first half of 2022. Additionally, LockBit’s operators claim that their encryption software is the fastest of any ransomware currently in use. LockBit ransomware has been discovered in numerous countries, including China, the United States, France, Ukraine, the United Kingdom, and India. Numerous large companies, including Accenture, an Irish-American professional services company, have been targeted with LockBit. In 2021, Accenture experienced a data breach resulting from LockBit, with the threat operator encrypting more than 6TB of data and demanding a $50 million ransom. Accenture stated that no customers were impacted by the attack, and the company refused to pay the ransom.
With LockBit’s growing popularity, each new version is a serious concern. LockBit 3.0, the most recent version of the ransomware, has already caused problems, specifically on Windows operating systems. In the summer of 2022, LockBit 3.0 affiliates abused Windows Defender to install Cobalt Strike payloads on targeted devices: the legitimate Defender command-line utility MpCmdRun.exe was misused in the wave of attacks, allowing the Cobalt Strike beacons to bypass security detection. LockBit 3.0 operators have also been observed abusing the VMware command-line tool VMwareXferlogs.exe to deploy Cobalt Strike payloads. It’s unknown whether the attacks will continue or evolve into something completely different.
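As an added defender-side example (not code from SpearTip’s post or products), the following Python flags process-creation events in which the two legitimate binaries named above, MpCmdRun.exe and VMwareXferlogs.exe, run from outside their expected install directories or are spawned by a scripting host. The install paths, the parent-process list and the sample events are assumptions constructed for the example.

```python
"""Flag abuse of the signed binaries named in the post in process-creation telemetry."""
from pathlib import PureWindowsPath

# Assumed default install directories for the two binaries (adjust to your estate;
# MpCmdRun.exe also ships under the Defender platform folder in ProgramData).
EXPECTED_DIRS = {
    "mpcmdrun.exe": (r"c:\program files\windows defender",),
    "vmwarexferlogs.exe": (r"c:\program files\vmware\vmware tools",),
}
# Parents that rarely launch these tools legitimately (assumption for this example).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},            # routine Defender task
    {"image": r"C:\Users\Public\MpCmdRun.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},                # copied out and run by a shell
    {"image": r"C:\Users\Public\VMwareXferlogs.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe",
     "parent": r"C:\Windows\explorer.exe"},                    # benign
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},                    # not a watched binary
]

def suspicious(event):
    """Return the reasons an event looks like living-off-the-land abuse (empty = benign)."""
    image = PureWindowsPath(event["image"])
    name = image.name.lower()
    if name not in EXPECTED_DIRS:
        return []
    reasons = []
    location = str(image.parent).lower()
    if not any(location.startswith(d) for d in EXPECTED_DIRS[name]):
        reasons.append(f"{name} executed from non-standard path {image.parent}")
    parent = PureWindowsPath(event["parent"]).name.lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"{name} launched by scripting host {parent}")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that trips at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := suspicious(e))]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```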
Companies need to stop LockBit ransomware at the source and avoid infection, because the ransomware must be installed on their devices before it can encrypt files. Even though protecting a company against ransomware is challenging, there are numerous ways to reduce the risk. First and foremost, never download files or software programs from illegitimate websites. Any unverified file that users download to their devices can give ransomware threat operators an easier path onto those devices. Users should use trusted and well-reviewed websites for their downloads, or official app stores for software installation.
LockBit ransomware is frequently spread through Remote Desktop Protocol (RDP). It’s critical for companies to protect RDP access by placing it behind a virtual private network (VPN), requiring strong passwords, and turning off the protocol when it’s not in use. Adding these extra layers of protection makes RDP less exposed, because ransomware operators frequently scan the internet for vulnerable RDP connections. Phishing, a common method of infection and data theft used by malicious threat actors, is also used to spread ransomware. Phishing is most frequently carried out by email: threat operators place a malicious link in the email body and deceive victims into clicking it, which leads to a malicious website that delivers malware. Anti-spam email features, link-checking websites, and antivirus software are a few ways to avoid phishing. Additionally, check the email’s sender address and look for typos, because scam emails often contain spelling and grammatical errors.
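To illustrate the point about exposed RDP, here is an added example that is not part of the original post: a small Python detector that parses constructed Windows Security log records and reports source addresses that accumulate repeated failed RDP logons (Event ID 4625 with LogonType 10) within a short window. The record format, the threshold, the window and the sample records are assumptions.

```python
"""Detect RDP password guessing in constructed Windows Security log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on Event ID 4625 (failed logon) and 4624 (success);
# LogonType 10 is RemoteInteractive, i.e. an RDP session. Not real telemetry.
SAMPLE_LOG = """\
2022-07-01T02:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2022-07-01T02:00:03Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2022-07-01T02:00:04Z EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=10.0.0.5
2022-07-01T02:00:05Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2022-07-01T02:00:07Z EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.9
2022-07-01T02:00:08Z EventID=4625 LogonType=10 TargetUser=user SourceIP=203.0.113.7
2022-07-01T02:00:09Z EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.9
2022-07-01T02:00:11Z EventID=4625 LogonType=10 TargetUser=guest SourceIP=203.0.113.7
"""

def parse_record(line):
    """Split one 'timestamp key=value ...' record into a dict with a datetime ts."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def failed_rdp_logons(lines):
    """Group timestamps of failed RDP logons (4625 with LogonType 10) by source IP."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec["EventID"] == "4625" and rec["LogonType"] == "10":
            hits[rec["SourceIP"]].append(rec["ts"])
    return hits

def password_guessing(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak failures inside `window`} for sources at or over threshold."""
    alerts = {}
    for ip, stamps in failed_rdp_logons(lines).items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):       # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts

if __name__ == "__main__":
    print(password_guessing(SAMPLE_LOG.splitlines()))  # {'203.0.113.7': 5}
```

A single guessing source is flagged here while the one-off failure from 198.51.100.9 and the non-RDP failure (LogonType 3) are ignored; in production the same logic would run over exported 4625 events rather than the embedded sample.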
With LockBit ransomware continuing to evolve and targeting more victims, it’s always important for companies to remain ahead of the current threat landscape and take the necessary security measures to protect their data networks. At SpearTip, we specialize in incident response capabilities and handling breaches with one of the fastest response times in the industry. Within minutes of engagement, our certified engineers can respond to breaches and reclaim companies’ networks in a matter of hours. Our engineers are continuously working in an investigative cycle at our 24/7/365 Security Operations Center monitoring companies’ networks for potential ransomware threats, including LockBit. Our ShadowSpear Platform, a cutting-edge managed detection and response tool, delivers a cloud-based solution for collecting endpoint logs and detecting potential advanced ransomware threats.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.