New Variant of LockBit Ransomware: What We Know So Far

There is a new variant of cyberattack. It is known as LockBit, and it is gaining notoriety for its stealth abilities. This is no ordinary “ransomware”.

It belongs to the latest generation of “self-driving” malware, automatically blocking access to computer networks – until a sum of money is paid.

What is it?

In the cybersecurity community, it is known as LockBit 2.0.

Who is behind it?

LockBit is the gang of cybercriminals behind this malware and is known to have close ties to a “family” of malware including LockerGoga and MegaCortex, according to cybersecurity firm Kaspersky.

It shares common tactics, techniques, and procedures (TTPs) with these malicious attacks.

What does the FBI say?

In a “flash report” from the US Federal Bureau of Investigation (FBI) published on February 4, 2022, the agency explains: “LockBit 2.0 is best described as a heavily obfuscated ransomware application leveraging bitwise operations to decode the strings and load the required modules to evade detection.”

What does it mean?

LockBit is inherently designed to evade detection. It has the ability to target specific victims, instead of networks or random users. Its ability to spread automatically to new targets allows it to be used in targeted attacks, instead of just “spamming” or attacking random users or organizations.

A screenshot indicating that a victimized network or user has been attacked by LockBit 2.0 ransomware.
Image Credit: “Flash Report” / FBI

What is the underlying tool behind this? Does this also affect Mac networks?

It mainly attacks Windows-based systems, using native tools and protocols of the Windows environment.

Some of the known underlying tools it relies on, such as Windows PowerShell and Server Message Block (SMB), allow it to lock down (encrypt) target networks.

Ransomware as a service

Ransomware as a Service (RaaS) is a “business” model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by the operators. It is a variation of the Software as a Service (SaaS) business model, but with nefarious intent.

Why is it dangerous?

One reason is that LockBit 2.0 has become the malware of choice for many “Dark Web” attack groups in recent months. It has grown in popularity, due to its “service” nature, a new way for the hacker community to earn money.

It works a bit like this: when a host is compromised, LockBit then “scans” the network, and finds and infects other accessible devices. This makes it harder for a set of security tools known as “endpoint security” to detect or identify the activity as malicious.
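
An added example, not from the FBI report or the original article: the spread described above shows up on the network as one host opening SMB (TCP 445) connections to many different peers in a short time, and a defender can flag that pattern from flow logs. The record format, addresses, 60-second window and threshold of 5 are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records (not real telemetry): "time src dst dst_port"
SAMPLE_FLOWS = (
    # one workstation reaching 8 different peers over SMB within 35 seconds
    [f"2022-01-01T10:00:{i * 5:02d} 10.0.1.15 10.0.1.{30 + i} 445" for i in range(8)]
    # a normal client talking to the same file server once a minute
    + [f"2022-01-01T10:0{i}:00 10.0.1.20 10.0.1.2 445" for i in range(6)]
    # non-SMB traffic, ignored by the detector
    + ["2022-01-01T10:00:10 10.0.1.15 10.0.2.9 443"]
)

SMB_PORT = "445"


def smb_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak distinct SMB destinations within any window}
    for every source whose peak reaches the threshold (assumed values)."""
    events = []
    for line in lines:
        ts, src, dst, port = line.split()
        if port == SMB_PORT:
            events.append((datetime.fromisoformat(ts), src, dst))
    events.sort()  # flow exports are not guaranteed to be in time order

    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    peak = defaultdict(int)      # src -> highest distinct-destination count seen
    for ts, src, dst in events:
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: SMB connections to {n} distinct hosts within 60s")
```

Hosts that legitimately contact many machines over SMB, such as backup or management servers, would need an allowlist before a rule like this is used for alerting.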

What are cybersecurity companies saying?

According to Kaspersky, the gang behind LockBit 2.0 follows the “Ransomware-as-a-Service” (RaaS) “business model”, which allows other groups to use the “tool” to encrypt and attack the networks of target companies as they wish.

How many known LockBit victims are there?

As of October 2021, the malware had at least 203 known victims, according to a list on its data leak site. In terms of number of claimed victims, Conti ransomware is the second highest, with 71 victims listed, according to cybernews.com, which tracks the cybersecurity community.


Known victims of LockBit 2.0 as of October 2021

What happens when a network is affected by LockBit 2.0?

LockBit 2.0 is similar to DarkSide, BlackMatter and REvil. The result of an attack is similar. As such, LockBit is programmed to search and scan for valuable targets, spread infection and encrypt all accessible computer systems on a network (user/data owner is denied access).

What does a “self-piloted” cyberattack mean?

As a “self-piloted cyberattack”, LockBit attackers distinguished themselves by threatening businesses and organizations – all over the world – with some of the following threats:

  • Disruption of operations, with key business processes coming to a sudden halt.
  • Extortion, with the aim of financial gain for the attacker.
  • Blackmail by illegal publication of sensitive information and data theft.

In a blog post, Cybereason’s Tom Bradley states that LockBit “continues to adapt and evolve”, much like a virus programmed by its developers to “mutate” or develop variants, for use in targeted attacks.

Should we expect more LockBit attacks?

In its “flash report” published on the government website ic3.gov, the FBI detailed the “indicators of compromise” (IOCs) associated with attacks using LockBit 2.0. The agency says the malware “uses a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation.”

Are there other “variants”?

Yes. More recent “variants” of LockBit have adopted the “double extortion” model: locating and “exfiltrating” valuable data before encrypting the systems.

In this way, the stolen data gives victims who have an interest in that data an additional incentive, forcing them to pay the ransom.

When the owners of a victim network who are able to restore data from backups refuse to pay, this could lead to sensitive corporate data being publicly released or sold to competitors or other interested parties on the “Dark Web”, the hidden collection of Internet sites accessible only through a specialized web browser used to maintain anonymity on the Internet.

What about steps to reduce the risk of a ransomware attack?

The FBI recommends key steps to limit exposure to ransomware attacks. Specific steps organizations can take to minimize their vulnerability to a ransomware attack include these common core defenses:

  • Use multi-factor and strong authentication
  • Update software
  • Use network segmentation
  • Restrict user privileges to administrator accounts
  • Run a host-based firewall that restricts connections to administrative shares
  • Provide offline data backups
  • Other “good practices”.

Top 10 most notorious ransomware strains

  • Bad Rabbit
  • CryptoLocker
  • GoldenEye
  • Jigsaw
  • Locky
  • Maze
  • NotPetya
  • Petya
  • Ryuk
  • WannaCry