LockBit ransomware [1] [2] [3], also known as “LockBit 3.0,” is a dangerous strain of malware that operates using the Ransomware-as-a-Service (RaaS) model. It has evolved multiple times and poses a significant threat to organizations worldwide.
Description
LockBit encrypts a victim’s files and demands a ransom in return for the decryption key [1]. If the ransom is not paid [1], the attacker may sell the data on the dark web [1]. LockBit has been used in attacks against big organizations like Accenture and has recently been exploiting Windows Defender and VMWare command lines to load harmful payloads on Windows devices.
In three separate attacks between February 2022 and June 2023, eSentire [2], a global Managed Detection and Response (MDR) security services provider [2], intercepted and shut down LockBit. The attacks targeted a storage materials manufacturer [2] [4], a home decor manufacturer [2] [4], and a Managed Service Provider (MSP) [2] [4]. The LockBit hackers utilized Remote Monitoring and Management (RMM) software to spread ransomware or push malware to downstream customers [2].
To prevent such attacks [4], researchers recommend enforcing two-factor authentication [4], using strong and unique passwords [4], implementing Access Control Lists (ACLs) for trusted IPs [4], and implementing client SSL certificates [4]. LockBit employs a tactic known as living-off-the-land [4], using legitimate software already present in a company’s IT environment to avoid detection [4]. The group operates as a Ransomware-as-a-Service (RaaS) model [1] [4], recruiting other cybercriminals to conduct attacks [4].
LockBit is considered one of the most pervasive [4], lucrative [4], and destructive ransomware groups [3] [4], having collected around $91 million in ransom payments [2]. Their recent endeavor involved leaking the UK’s MoD data on the dark web [4]. The report by eSentire’s Threat Response Unit (TRU) highlights the potential disruption that could have occurred if the LockBit affiliates had not been detected and neutralized [2].
Conclusion
To protect against LockBit and ransomware in general [1], it is important to only download files from trusted sources [1], secure Remote Desktop Protocol (RDP) networks [1], and be cautious of phishing attempts [1]. The interception and shutdown of LockBit by eSentire demonstrate the importance of proactive security measures and the potential consequences of ransomware attacks. Continued vigilance and implementation of recommended security practices are crucial in mitigating the risks posed by ransomware groups like LockBit.
References
[1] https://www.makeuseof.com/lockbit-ransomware-explained/
[2] https://www.esentire.com/blog/russia-linked-lockbit-ransomware-gang-attacks-an-msp-and-two-manufacturers-using-the-targets-rmm-tools-to-infect-downstream-customers-and-employees-with-ransomware
[3] https://www.darkreading.com/threat-intelligence/lockbit-using-rmms-spread-ransomware
[4] https://techinformed.com/researchers-urge-firms-to-lock-down-rmm-software-after-russia-linked-lockbit-attacks/
