rThreat Adversary Spotlight: Lockbit 2.0
Welcome to rThreat’s Adversary Spotlight series. In these articles we break down the latest APT attack methodologies that are impacting the globe. In this special iteration for the third edition of Observatory GCC, we will be focusing on Lockbit ransomware and its successor, Lockbit 2.0.
This Spotlight will detail how this type of ransomware works, ways your organization can prevent a Lockbit attack, and how rThreat can help you proactively test your cyber defenses utilizing live Lockbit 2.0 variants.
What is Lockbit ransomware?
Firstly, like many other pieces of ransomware, Lockbit gets its name from the threat actor group that created it. The Lockbit ransomware itself is designed to block users’ access to their computers and network, restoring that access only in exchange for a ransom payment. Lockbit is designed to look for valuable targets, spread to other machines, and encrypt all computer systems on the compromised network. Lockbit originally appeared in September 2019 and targeted organizations in the United States, China, India, Indonesia, and Ukraine.
Notably, it avoids attacking systems local to Russia or any countries found in the Commonwealth of Independent States. It also functions as a Ransomware-as-a-Service (RaaS), where parties can put down a deposit for the use of custom for-hire attacks. Typically, the development team takes 25% of the profits and gives their affiliates up to 75% of the total ransom profits.
What does it look like when a user is infected with Lockbit?
Once the victim’s data is encrypted, the following screenshot details what appears on the victim’s screen. The user then needs to input their ID (which is found in the ransom note) to contact the threat group and pay the requested ransom.
In addition to the ransom note and the portal that requests the user’s ID, the malware also sends a file to be printed on all printers connected to the network with the ransom note instructions as well.
Once the victim inputs their ID, they are taken to the following page where they need to move forward with paying the ransom. The threat group offers to decrypt one file as proof that the decryptor will work once the payment is sent.
The following images show the timer that initiates as soon as the targeted endpoint is encrypted with Lockbit ransomware. The operator demands that the organization either pays the ransom or risks having their files leaked, a popular technique that RaaS operators use known as double extortion. As you can see in this example, as the timer progresses more files are leaked on the Lockbit onion site located on the dark web.
How is Lockbit 2.0 ransomware different?
In June 2021, Lockbit 2.0 ransomware surfaced with reports indicating an increased number of targeted companies and new extortion features. This version of Lockbit includes automatic encryption of devices across Windows domains by compromising Active Directory group policies.
The threat actor group behind this ransomware has also launched a new marketing campaign to recruit new affiliates from inside the targeted companies to enable faster attacks by incorporating valid credentials to access the networks. In return, the insiders would get a share of the profits from the attack.
According to researchers at Trend Micro, “Once in a system, LockBit 2.0 uses a network scanner to identify the network structure and to find the target domain controller. It also uses multiple batch files that can be used to terminate processes, services, and security tools. There are also batch files for enabling RDP connections on the infected machine.
LockBit 2.0 also abuses legitimate tools such as Process Hacker and PC Hunter to terminate processes and services in the victim system. Once in the domain controller, the ransomware creates new group policies and sends them to every device on the network. These policies disable Windows Defender and distribute and execute the ransomware binary to each Windows machine.”
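The sequence in the Trend Micro description (a new group policy created on the domain controller, then Windows Defender disabled across the fleet) leaves a recognizable trail in Windows event logs. The script below is an added example, not rThreat’s or Trend Micro’s code: it correlates constructed sample records of Security event 5137 (directory service object created, class groupPolicyContainer) with Windows Defender Operational event 5001 (real-time protection disabled) and raises an alert when several hosts lose protection shortly after one new GPO. The field names are an assumed, simplified log normalization, and the host and GPO names are made up.

```python
"""Correlate new-GPO creation on a DC with Defender being disabled on endpoints.

Security event 5137 (object created) with ObjectClass groupPolicyContainer
means a new GPO; Defender Operational event 5001 means real-time protection
was turned off. One GPO followed within a short window by 5001 on several
hosts matches the 'create policy, push domain-wide, disable Defender' pattern.
"""
from datetime import datetime, timedelta

# Constructed sample events (simplified fields, not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2021-08-01T02:10:05", "host": "DC01", "id": 5137,
     "object_class": "groupPolicyContainer", "object": "{GPO-CONSTRUCTED-1}", "actor": "svc_backup"},
    {"time": "2021-08-01T02:11:40", "host": "WS-014", "id": 5001},
    {"time": "2021-08-01T02:11:52", "host": "WS-027", "id": 5001},
    {"time": "2021-08-01T02:12:03", "host": "FS01", "id": 5001},
    # Routine GPO change followed by a single host disabling Defender: below threshold.
    {"time": "2021-07-30T09:00:00", "host": "DC01", "id": 5137,
     "object_class": "groupPolicyContainer", "object": "{GPO-CONSTRUCTED-2}", "actor": "gpo_admin"},
    {"time": "2021-07-30T09:00:00", "host": "WS-002", "id": 5001},
]


def find_gpo_defender_correlation(events, window_minutes=15, min_hosts=3):
    """Return one finding per new GPO that is followed, within window_minutes,
    by Defender real-time protection being disabled on >= min_hosts hosts."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["time"])) for e in events]
    gpo_created = [e for e in parsed
                   if e["id"] == 5137 and e.get("object_class") == "groupPolicyContainer"]
    defender_off = [e for e in parsed if e["id"] == 5001]
    findings = []
    for gpo in gpo_created:
        deadline = gpo["ts"] + timedelta(minutes=window_minutes)
        # Distinct hosts that lost real-time protection after this GPO appeared.
        hosts = sorted({e["host"] for e in defender_off if gpo["ts"] <= e["ts"] <= deadline})
        if len(hosts) >= min_hosts:
            findings.append({"gpo": gpo["object"], "actor": gpo["actor"],
                             "dc": gpo["host"], "hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in find_gpo_defender_correlation(SAMPLE_EVENTS):
        print(f"ALERT: GPO {f['gpo']} created by {f['actor']} on {f['dc']}; "
              f"Defender disabled on {len(f['hosts'])} hosts: {', '.join(f['hosts'])}")
```

The thresholds are tunable; a single host losing real-time protection after a routine policy change is noise, while the same thing on many hosts within minutes of a new GPO is the behaviour described in the quote above.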
How to defend against Lockbit 2.0
Implementing basic cyber hygiene across your entire organization is the first step towards preventing a Lockbit 2.0 attack. The following mitigation techniques for this piece of ransomware are highly recommended. Since Lockbit doesn’t just take advantage of any one vulnerability, it’s not as simple as just applying a series of patches. This is why it is important that you implement multiple layers of security and adopt a holistic approach to preventing ransomware attacks:
- Implement strong passwords and mandate regular password updates
- Enable multi-factor authentication across all devices
- Limit user account permissions so they only have access to the information necessary for day-to-day operations
- If an employee leaves your organization, ensure they no longer have access to your network or other company accounts
- Ensure proper system hardening and configuration management is being implemented across the entire organization
- Have regular system backups and local machine images ready
- Be sure your organization is constantly updating and testing deployed cybersecurity controls
- Train your employees on a regular basis so they’re aware of security best practices, social engineering tactics, and phishing emails
How rThreat can help prevent a Lockbit 2.0 ransomware attack
If you want to ensure your organization is protected from Lockbit 2.0 and other emerging cyber threats, it is imperative that you test the effectiveness of your organization’s cyber defenses on a regular basis, before threat actors get a chance to strike. Technology solutions such as breach and attack emulation allow organizations to proactively validate their security technology, people, and processes on a continuous basis. This empowers organizations to identify and remediate gaps, in a low-impact and cost-effective manner, before they are exploited, so that security programs can be improved on a regular basis against the latest cyber threats.
rThreat’s breach and attack emulation platform allows organizations to test their defenses using different live Lockbit ransomware variants in a secure environment. Our solution keeps a library of newly released malware that can be used to test your company’s environment and ensure you are protected before you are targeted by this type of ransomware in the wild. Our platform not only validates the effectiveness of security tools and processes, but can also be used to run drills with your security team so they are trained on how to rapidly detect and respond to this type of ransomware attack in a real scenario. Our automated and on-demand assessments allow security teams to fix technology misconfigurations, demonstrate security ROI, and present assessment reports to leadership teams so stakeholders can answer the perpetual question: Are we secure?
So don’t wait for the bad guys to strike. If you would like to experience rThreat in action using Lockbit 2.0 ransomware, contact our team here.
If you enjoyed this special edition of the rThreat Spotlight series, visit our blog to view our other weekly Spotlights and learn more about how rThreat can help your organization defend forward.