LockBit 2.0 RaaS—previously known as ABCD ransomware—has been operating for three years now. This June, the gang posted ads to recruit affiliates. Recent activity shows that the recruitment was indeed successful.

What’s going on?

LockBit 2.0 activity had slowed a while back due to increased pressure from law enforcement. However, successful recruitment brought infrastructure changes and enhanced payloads. Activity on the group’s website shows that LockBit is six times more active than its contemporaries.

What’s new?

LockBit’s data leak and support sites can be viewed on both the surface web and the dark web. Researchers spotted newly registered infrastructure for both of these sites.
  • More than a dozen new samples have been submitted to VirusTotal since LockBit 2.0 was launched. While most functionality is the same in this version, updates include renaming the registry key in which the RSA key is stored and creating a mutex during the encryption process.
  • The new deployment technique is a significant improvement in this version. The payload can automatically deploy itself to Microsoft Active Directory clients through Group Policy Objects.

Victim distribution

  • The manufacturing and finance sectors accounted for the lion’s share of attacks at 20.8% each, followed by the wholesale sector at 14.6% and the construction and professional services sectors at 4.2% each.
  • Most victims (22.9%) are located in North America and Europe. Others hail from South America, Asia, ANZ, and Africa. However, no specific targeting patterns have yet been identified.

Stay safe

LockBit has shown no signs of stopping or slowing down. Leaks are being published on the gang’s leak site on a regular basis. Organizations should start prioritizing their network security and establishing an incident response team. Also, enforcing multifactor authentication is a must.

Cyware Publisher