It is safe to say that ransomware is one of the most serious threats facing organizations worldwide. Ransomware operators have shifted from mass malspam campaigns to targeted, hands-on attacks against individual organizations.
What is LockBit?
- LockBit is a relatively new ransomware strain that came to wider attention after it ransacked a poorly secured corporate network in just a few hours; the victim company was forced to pay the ransom.
- Its victims are concentrated in the U.S., the UK, India, China, Indonesia, Germany, and France.
- It operates in a Ransomware-as-a-Service (RaaS) model.
How it operates
- In the recently reported attack, LockBit needed only a few hours to spread to over 200 systems. It has a self-propagating capability built around the SMB protocol, whereas most other ransomware strains rely on separate exploits or tooling to move laterally.
- It used a two-stage approach: first mapping the network, then infecting the hosts it found.
- From each infected node it executed a PowerShell script that pushed the ransomware to the hosts that were not yet infected.
- The victim organization had no recent backups and therefore had to pay the ransom through a Tor site; the decryption key was obtained from the same site.
- The ransomware operators' "support desk" even assisted the company with the problems it ran into while rebuilding the network.
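The propagation pattern described above (one host authenticating to many peers over SMB within minutes, then pushing a payload) is what a detection should key on. The following is an added example, not code from the article or from the Sophos report: it runs a sliding-window fan-out check over Windows network-logon events. It assumes Security event 4624 records have been flattened to one CSV line per event (`timestamp,source_ip,target_host,logon_type`); the sample lines, the five-minute window and the eight-host threshold are all constructed for this example and should be tuned per environment.

```python
"""Detect worm-like SMB fan-out from Windows network-logon events.

Added example, not from the article or the Sophos report. It assumes
Security event 4624 (logon) records have been flattened to one CSV line
per event: timestamp,source_ip,target_host,logon_type. Logon type 3 is a
network logon, which is what authenticating to an SMB share produces.
The threshold and window are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 10.0.5.23 behaves like a self-propagating host,
# 10.0.0.10 is an administrator touching a few servers over two hours,
# 10.0.7.41 is a user opening a file share.
SAMPLE_LOG = """\
2020-05-01T00:15:00Z,10.0.0.10,FS01,3
2020-05-01T00:16:10Z,10.0.0.10,FS01,3
2020-05-01T00:47:00Z,10.0.0.10,DC02,3
2020-05-01T01:30:00Z,10.0.0.10,WS-104,3
2020-05-01T01:31:00Z,10.0.0.10,WS-104,2
2020-05-01T02:05:00Z,10.0.0.10,FS02,3
2020-05-01T02:10:03Z,10.0.5.23,FS01,3
2020-05-01T02:10:10Z,10.0.5.23,WS-104,3
2020-05-01T02:10:17Z,10.0.5.23,WS-105,3
2020-05-01T02:10:24Z,10.0.5.23,WS-106,3
2020-05-01T02:10:30Z,10.0.7.41,FS01,3
2020-05-01T02:10:31Z,10.0.5.23,WS-107,3
2020-05-01T02:10:38Z,10.0.5.23,DC02,3
2020-05-01T02:10:45Z,10.0.5.23,WS-108,3
2020-05-01T02:10:52Z,10.0.5.23,WS-109,3
2020-05-01T02:10:59Z,10.0.5.23,WS-110,3
2020-05-01T02:11:06Z,10.0.5.23,PRINT01,3
2020-05-01T02:11:13Z,10.0.5.23,WS-111,3
2020-05-01T02:11:20Z,10.0.5.23,WS-112,3
2020-05-01T02:12:00Z,10.0.7.41,FS01,3
"""


def parse_events(text):
    """Return (timestamp, source_ip, target_host) for network logons only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, logon_type = line.split(",")
        if logon_type != "3":  # interactive/service logons are not lateral SMB access
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return events


def find_fanout(events, window=timedelta(minutes=5), min_targets=8):
    """Flag sources that reach >= min_targets distinct hosts inside one window.

    A sliding window per source means an administrator who touches many
    hosts over a whole day does not trip the threshold, while a worm that
    hits a new host every few seconds does. Returns
    {source_ip: (window_start, trigger_time, sorted targets)} with the
    state at the moment the threshold was first crossed.
    """
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        by_src[src].append((ts, dst))

    alerts = {}
    for src, evs in by_src.items():
        recent = deque()          # events still inside the window
        hits = defaultdict(int)   # distinct target -> count inside the window
        for ts, dst in evs:
            recent.append((ts, dst))
            hits[dst] += 1
            # Drop events that have aged out of the window.
            while ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                hits[old_dst] -= 1
                if hits[old_dst] == 0:
                    del hits[old_dst]
            if len(hits) >= min_targets and src not in alerts:
                alerts[src] = (recent[0][0], ts, sorted(hits))
    return alerts


if __name__ == "__main__":
    for src, (start, end, targets) in find_fanout(parse_events(SAMPLE_LOG)).items():
        span = int((end - start).total_seconds())
        print(f"ALERT {src}: {len(targets)} hosts in {span}s: {', '.join(targets)}")
```

On the constructed sample only 10.0.5.23 is flagged: it reaches eight distinct hosts 49 seconds into its burst, while the administrator's accesses are spread over two hours and never exceed two distinct hosts in any five-minute window. In a real pipeline the same fields can come from event 4624 (logon type 3) or from event 5140 (share access), the latter only if the "Audit File Share" subcategory is enabled; pairing a fan-out alert with PowerShell script-block logging (event 4104) on the targets is the natural next correlation, since the attack above pushed its payload with a PowerShell script.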
According to a report published by Sophos, LockBit has been accumulating new capabilities, including a privilege-escalation technique that bypasses User Account Control (UAC) on Windows. Like Maze, Nemty, and Sodinokibi, LockBit also retains a copy of the victim's data so that, if the ransom goes unpaid, it can extort them by publishing it online.
LockBit is a new addition to the underground scene, and its authors mean business. Cybercriminals buying it on underground broker forums must put down a deposit, which is refundable if the ransomware does not perform as advertised. That arrangement shows how confident the authors are in their product.