LockBit is a Ransomware-as-a-Service (RaaS) operation that was first discovered in September 2019 under the name ".ABCD virus". Since then, it has been updated with several new features.
Recently, the attackers behind this ransomware launched a new data leak website and started using a double extortion tactic to scare victims into paying a ransom.
According to McAfee, LockBit mostly targets organizations located in the U.S., the U.K., France, Ukraine, Germany, India, China, and Indonesia.
- Last month, the ransomware gang was spotted actively targeting American medium-sized companies.
- In June, LockBit targeted the international architectural firm SmithGroup, whose data was posted on the Maze group's data leak website.
- In May, hackers affiliated with the LockBit ransomware targeted a corporate network and encrypted approximately 25 servers and 225 workstations.
The ransomware group first gains unauthorized access to the targeted network by seeking out accounts with weak passwords that lack multi-factor authentication protection. Let's look at their attack techniques:
- To gain network access, the group targets an administrator account by brute-forcing an outdated VPN service.
- Subsequently, it uses SMB, ARP tables, and PowerShell to propagate its malware throughout the network.
- Furthermore, LockBit is known to have self-propagation features: it can breach a corporate network and encrypt hundreds of devices in just a few hours.
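The initial-access step above (brute-forcing an administrator account on a VPN service) can be detected from authentication logs. The following is an added example, not code from the original article; the log format, account names, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample VPN auth log. The format (timestamp, result, account,
# source IP) is hypothetical; adapt parse() to your VPN appliance's logs.
SAMPLE_LOG = """\
2020-08-01T01:00:00 FAIL admin 198.51.100.20
2020-08-01T01:00:30 OK admin 198.51.100.20
2020-08-01T02:10:00 FAIL administrator 203.0.113.7
2020-08-01T02:10:20 FAIL administrator 203.0.113.7
2020-08-01T02:10:40 FAIL administrator 203.0.113.9
2020-08-01T02:11:00 FAIL jsmith 198.51.100.44
2020-08-01T02:11:05 FAIL administrator 203.0.113.7
2020-08-01T02:11:30 FAIL administrator 203.0.113.9
2020-08-01T02:12:10 OK administrator 203.0.113.9
2020-08-01T02:12:30 OK jsmith 198.51.100.44
"""

ADMIN_ACCOUNTS = {"administrator", "admin"}  # assumed privileged names
WINDOW = timedelta(minutes=5)                # assumed sliding window
THRESHOLD = 5                                # assumed failures per window

def parse(line):
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user.lower(), ip

def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Alert on failure bursts against privileged accounts and on a
    successful login that follows such a burst."""
    recent = defaultdict(deque)  # account -> recent failure timestamps
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, result, user, ip = parse(line)
        if user not in ADMIN_ACCOUNTS:
            continue
        fails = recent[user]  # keyed by account: guesses may come from many IPs
        while fails and ts - fails[0] > window:
            fails.popleft()   # drop failures older than the window
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == threshold:
                alerts.append(("BRUTE_FORCE", user, ip, ts.isoformat()))
        elif result == "OK" and len(fails) >= threshold:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", user, ip, ts.isoformat()))
            fails.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A successful login right after a burst of failures is the higher-priority alert, since it indicates the password was likely guessed and the account needs an immediate reset and session review.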
Collaboration with Maze ransomware group
In June, the Maze ransomware gang hosted the data stolen by the LockBit ransomware group on its data leak website. This suggests a collaboration between the two cybercrime groups.
LockBit will exploit any weakness in a network; therefore, researchers advise organizations to fortify their networks with adequate security defenses. In addition, experts say it is advisable to always back up important data and to store the backups separately, where they cannot be accessed from the network.