LockBit is a Ransomware-as-a-Service (RaaS) that was first discovered in September 2019 under the name ".ABCD virus". Since then, it has been updated with several new features.
What happened?
Recently, the attackers behind this ransomware launched a new data leak website and started using a double extortion tactic to scare victims into paying a ransom.
Top targets
According to McAfee, LockBit mostly targets organizations located in the U.S., the U.K., France, Ukraine, Germany, India, China, and Indonesia.
In June, LockBit targeted the international architectural firm SmithGroup, whose data was posted on Maze group’s data leak website.
In May, hackers affiliated with the LockBit ransomware targeted a corporate network and encrypted approximately 25 servers and 225 workstations.
Attack characteristics
The ransomware group first gains unauthorized access to the targeted network and seeks accounts with weak passwords that lack multi-factor authentication protection. Let's have a look at their attack techniques:
To gain network access, the group targets an administrator account by brute-forcing an outdated VPN service.
Furthermore, LockBit is known to have self-propagation features: it can breach a corporate network and encrypt hundreds of devices in just a few hours.
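The brute-force step described above leaves a recognizable trace in VPN authentication logs: a burst of failed logins for one account from one source, followed by a success with no MFA. The sketch below is an added example, not part of the original article; the log format, field names, threshold, time window and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges); not from a real VPN product.
SAMPLE_LOG = """\
2020-05-04T02:10:00 vpn auth user=admin src=203.0.113.50 result=FAIL mfa=none
2020-05-04T02:10:10 vpn auth user=admin src=203.0.113.50 result=FAIL mfa=none
2020-05-04T02:10:20 vpn auth user=admin src=203.0.113.50 result=FAIL mfa=none
2020-05-04T02:10:30 vpn auth user=admin src=203.0.113.50 result=FAIL mfa=none
2020-05-04T02:10:40 vpn auth user=admin src=203.0.113.50 result=FAIL mfa=none
2020-05-04T02:10:50 vpn auth user=admin src=203.0.113.50 result=OK mfa=none
2020-05-04T02:12:00 vpn auth user=jsmith src=198.51.100.7 result=FAIL mfa=none
2020-05-04T02:12:30 vpn auth user=jsmith src=198.51.100.7 result=OK mfa=totp
"""

# Assumed line format: timestamp, user, source IP, result, MFA method used.
LINE_RE = re.compile(
    r"(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>\S+)"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for failure bursts and for logins that succeed after one."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["src"])
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the sliding window
        if m["result"] == "FAIL":
            recent.append(ts)
            if len(recent) == threshold:  # alert once, when the burst is reached
                alerts.append(("burst", *key, ts.isoformat()))
        elif len(recent) >= threshold:  # success right after a burst: likely guessed
            kind = "success_after_burst_no_mfa" if m["mfa"] == "none" else "success_after_burst"
            alerts.append((kind, *key, ts.isoformat()))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A success that follows a burst is the higher-priority alert, since it indicates the guessed password worked and the account had no second factor to stop the login.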
Collaboration with Maze ransomware group
In June, the Maze ransomware gang hosted the data stolen by the LockBit ransomware group on its data leak website. This suggests a collaboration between the two cybercrime groups.
Conclusion
LockBit will exploit any weakness in a network; therefore, researchers advise organizations to fortify their networks with adequate security defenses. In addition, it is advisable to always back up important data and to store the backups separately, where they cannot be accessed from the network, experts say.