The cyber threat landscape is expanding rapidly as black hat hackers grow more capable and inventive in how they deploy attacks. In the month of July 2021 alone, the Qualys Vulnerability Research Team published 17 bulletins reporting 115 vulnerabilities for which exploits are actively available.

Ransomware is malware deployed by cybercriminals to encrypt a victim's data so that the victim can no longer access it. An attack is usually accompanied by a ransom note, in which the criminal demands payment in exchange for the decryption key that would let the victim regain access to the data.

The Fortinet Global Threat Landscape Report of August 2021 identified two families of malware variants that gained popularity in cyberattacks this year. The first is malware delivered as 32-bit Windows executables, malicious Office or Visual Basic files, or .NET and Microsoft Intermediate Language (MSIL) packers. The second is malware that targets web browsers, usually tracked under HTML or JavaScript prefixes; it shows up as malware-laced phishing lures and as scripts that inject code or redirect users to malicious sites.

A growing trend in the cyber threat landscape is organized hacking groups offering ransomware-as-a-service (RaaS) to nation-states, espionage agencies, and black hat hackers. LockBit is one such notorious group. LockBit 2.0 is its latest malware revision, and the gang advertises it as having one of the fastest and most efficient encryption routines in today's ransomware landscape.

LockBit 2.0 Infection Process

To gain access to a targeted business network, the LockBit gang recruits insiders among employees and service providers. As part of the infection routine, the malware replaces the wallpaper of the victim's device with what is essentially an advertisement: instructions on how business insiders can join the 'affiliate recruitment' programme, with guaranteed payouts and anonymity, in exchange for credentials and access.

Recruited affiliates are given a StealBit trojan to infect the business network via USB or other removable media. Once LockBit 2.0 is inside, a network scanner maps the network structure and identifies the domain controllers to target. Several batch files embedded in the malware then disable security tools, enable RDP connections, clear the Windows Event Logs, and stop services such as Microsoft Exchange and MySQL so that the files those services hold open can be encrypted.

Once on the domain controller, the ransomware creates new group policies and pushes them to every device in the domain. These policies disable Windows Defender and then distribute and execute the ransomware binary on each Windows machine.
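The pre-encryption chain described in the last two paragraphs (security tools disabled, RDP enabled, event logs cleared, Exchange and SQL services stopped, a group policy created on the domain controller and pushed out) leaves a recognisable trail in the standard Windows event logs. The Python below is an added example, not code from this page or from the LockBit gang; it runs a small rule set over a constructed batch of event records and flags hosts that show several of these indicators together. The event records, host names and the `WATCHED_SERVICES` list are assumptions made for illustration; the event IDs are the standard Windows ones. Two caveats a defender needs: the 5136/5137 events for group-policy objects only appear when Directory Service Changes auditing is enabled on the domain controller, and event 1102 is the last thing a log clear leaves behind, so this only works on logs forwarded to a collector before the clear.

```python
"""Triage Windows event records for the LockBit 2.0 pre-encryption chain:
security tooling disabled, RDP enabled, event logs cleared, database and mail
services stopped, and a GPO created on the DC. Added example; the records below
are constructed for illustration, not real telemetry."""
from collections import defaultdict

# Services the text says the batch files stop so their open files can be encrypted.
# Assumed watchlist; extend it for the services that matter in your estate.
WATCHED_SERVICES = ("MSExchange", "MySQL", "MSSQL", "SQLWriter", "VSS")

DEFENDER_LOG = "Microsoft-Windows-Windows Defender/Operational"

# (log name, event id) -> indicator, for events that need no further context.
RULES = {
    ("Security", 1102): "log_cleared",          # Security audit log was cleared
    ("System", 104): "log_cleared",             # System (or other) log was cleared
    (DEFENDER_LOG, 5001): "defender_disabled",  # real-time protection disabled
    (DEFENDER_LOG, 5010): "defender_disabled",  # antispyware scanning disabled
    (DEFENDER_LOG, 5012): "defender_disabled",  # antivirus scanning disabled
}


def classify(event):
    """Return the indicator an event matches, or None.
    Context-dependent IDs (registry writes, service state changes, AD object
    changes) are only matched when their event data shows the attacker pattern."""
    key = (event["log"], event["id"])
    if key in RULES:
        return RULES[key]
    data = event.get("data", {})
    # 4657: a registry value was modified. fDenyTSConnections=0 turns RDP on.
    if (key == ("Security", 4657)
            and data.get("ObjectValueName") == "fDenyTSConnections"
            and str(data.get("NewValue")) == "0"):
        return "rdp_enabled"
    # 7036: a service entered a new state. Stopping Exchange/SQL is the text's pattern.
    if (key == ("System", 7036) and data.get("State") == "stopped"
            and any(data.get("Service", "").startswith(s) for s in WATCHED_SERVICES)):
        return "service_stopped"
    # 5137 (object created) / 5136 (object modified) on a groupPolicyContainer.
    # Only logged when Directory Service Changes auditing is enabled on the DC.
    if (key in (("Security", 5136), ("Security", 5137))
            and data.get("ObjectClass") == "groupPolicyContainer"):
        return "gpo_change"
    return None


def indicators_by_host(events):
    """Collect the distinct indicators seen on each host, sorted for stable output."""
    found = defaultdict(set)
    for ev in events:
        ind = classify(ev)
        if ind:
            found[ev["host"]].add(ind)
    return {host: sorted(inds) for host, inds in found.items()}


def flag_hosts(events, threshold=2):
    """Hosts with at least `threshold` distinct indicators. Any one of them can be
    legitimate admin work; several together rarely are. A gpo_change is escalated on
    its own because the GPO push described in the text reaches every host at once."""
    per_host = indicators_by_host(events)
    return sorted(host for host, inds in per_host.items()
                  if len(inds) >= threshold or "gpo_change" in inds)


# Constructed sample events in the shape a SIEM export might carry (hypothetical hosts).
SAMPLE_EVENTS = [
    {"host": "dc01", "log": "Security", "id": 5137,
     "data": {"ObjectClass": "groupPolicyContainer", "ObjectDN": "CN=Policies,..."}},
    {"host": "dc01", "log": "Security", "id": 5136,
     "data": {"ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCMachineExtensionNames"}},
    {"host": "ws-042", "log": DEFENDER_LOG, "id": 5001, "data": {}},
    {"host": "ws-042", "log": "Security", "id": 4657,
     "data": {"ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0"}},
    {"host": "ws-042", "log": "System", "id": 7036, "data": {"Service": "MySQL", "State": "stopped"}},
    {"host": "ws-042", "log": "Security", "id": 1102, "data": {"User": "Administrator"}},
    # Benign noise: a spooler restart and an admin turning RDP off, plus a lone log clear.
    {"host": "ws-077", "log": "System", "id": 7036, "data": {"Service": "Spooler", "State": "stopped"}},
    {"host": "ws-077", "log": "Security", "id": 4657,
     "data": {"ObjectValueName": "fDenyTSConnections", "OldValue": "0", "NewValue": "1"}},
    {"host": "ws-077", "log": "Security", "id": 1102, "data": {"User": "helpdesk"}},
]

if __name__ == "__main__":
    for host, inds in indicators_by_host(SAMPLE_EVENTS).items():
        print(host, inds)
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

On the sample above, ws-042 is flagged with all four endpoint indicators and dc01 is flagged on the GPO change alone, while ws-077 (one log clear, a stopped spooler, RDP being turned off) stays below the threshold. Feeding real records means mapping your collector's field names onto `log`, `id` and `data`; the rules themselves do not change.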

Evolution of Ransomware Gangs

The Maze ransomware gang worked closely with the LockBit gang. Maze pioneered the double-extortion technique, which gained prominence around November 2019. In 2020, Maze joined forces with other ransomware gangs to form a cybercrime cartel that shared code, ideas, and resources.

In late 2020, the Maze gang shut down its operations; rumors abound that its members joined the Egregor ransomware gang. After Maze shut down, the LockBit gang went on to establish its own leak site, and with it came LockBit 1.0. That initial version used the double-extortion technique: encrypting files, stealing data, and leaking the stolen data even when the ransom was paid.

Ransomware Prevention Tips

  • Minimize use of foreign USBs and other removable devices
  • Download software and data only from reputable sources
  • Use a VPN on public Wi-Fi connections
  • Keep security applications updated
  • Avoid disclosing passwords and personal information

