The cyber threat landscape is expanding rapidly as black hat hackers become more capable and innovative in how they deploy cyber attacks. In July 2021 alone, the Qualys Vulnerability Research Team published 17 bulletins reporting 115 vulnerabilities for which exploits are actively available.
Ransomware is a form of malware deployed by cybercriminals to encrypt a victim's data, in such a manner that the victim does not have access to their data. Ransomware attacks are usually followed by ransom notes, sent by the criminal seeking a ransom amount to decrypt data, so victims can regain access to data.
A growing trend in the cyber threat landscape is organized hacking entities offering ransomware-as-a-service to nation-states, espionage agencies, and black hat hackers. LockBit is one such notorious entity offering ransomware services. LockBit 2.0 is their latest updated malware used to launch ransomware attacks. LockBit 2.0 prides itself on having one of the fastest and most efficient encryption methods in today's ransomware landscape.
LockBit 2.0 Infection Process
To gain access to a targeted business network, the LockBit gang recruits insiders, whether employees or service providers. The malware infection routine starts by changing the wallpaper of the victim's device to what is essentially an advertisement, with information on how business insiders can join the ‘affiliate recruitment’ programme with guaranteed money payouts and anonymity, in exchange for credentials and access.
Recruited affiliates are given a StealBit trojan to infect the business network via USB or other removable devices. Once LockBit 2.0 is in the system, a network scanner takes stock of the network structure and identifies target domain controllers. Several batch files bundled in the malware disable security tools, enable RDP connections, clear Windows Event Logs, and further stop crucial processes such as Microsoft Exchange and MySQL.
Once on the domain controller, the ransomware creates new group policies and pushes them to every device on the network. These policies disable Windows Defender, then distribute and execute the ransomware binary on each Windows machine.
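The pre-encryption steps described above (clearing event logs, disabling Windows Defender, enabling RDP, modifying group policy, stopping Exchange and database services) each leave a distinct trace in Windows telemetry, and a defender can correlate those traces per host. The following is an added example, not code from the original post or from any LockBit analysis: it runs a handful of detection rules over constructed Windows event records and flags hosts where several of these behaviours coincide. The event IDs (Security 1102, System 104, Windows Defender 5001/5010/5012, Security 5136, System 7036, Sysmon 13) and the `fDenyTSConnections` registry value are real Windows identifiers; the sample events, the field names on the dicts, and the correlation threshold of three distinct rules are assumptions made for the example.

```python
"""Correlate Windows event records for the pre-encryption steps described above.

Added example; the events below are constructed, not captured telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass, field

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Service name prefixes the post singles out as being stopped before encryption.
CRITICAL_SERVICE_PREFIXES = ("MSExchange", "MySQL", "MSSQL")


@dataclass(frozen=True)
class Event:
    host: str
    channel: str
    event_id: int
    data: dict = field(default_factory=dict)


# Constructed sample events (assumed shape: one record per Windows event).
SAMPLE_EVENTS = [
    Event("ws01", "Security", 4624, {"LogonType": "10", "TargetUserName": "j.doe"}),
    Event("dc01", "Security", 1102, {"SubjectUserName": "svc_backup"}),   # Security log cleared
    Event("dc01", DEFENDER_CHANNEL, 5001, {}),                              # real-time protection disabled
    Event("ws02", SYSMON_CHANNEL, 13, {                                     # registry value set
        "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
        "Details": "DWORD (0x00000000)",                                    # 0 = RDP connections allowed
    }),
    Event("dc01", "Security", 5136, {                                       # directory object modified
        "ObjectClass": "groupPolicyContainer",
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
    }),
    Event("dc01", "System", 7036, {"param1": "MSExchangeIS", "param2": "stopped"}),
    Event("dc01", "System", 7036, {"param1": "MySQL80", "param2": "stopped"}),
]


def match_rules(event: Event) -> list:
    """Return the names of every detection rule this single event satisfies."""
    hits = []
    d = event.data
    if (event.channel, event.event_id) in {("Security", 1102), ("System", 104)}:
        hits.append("log_cleared")
    if event.channel == DEFENDER_CHANNEL and event.event_id in {5001, 5010, 5012}:
        hits.append("defender_disabled")
    if (event.channel == SYSMON_CHANNEL and event.event_id == 13
            and d.get("TargetObject", "").endswith("fDenyTSConnections")
            and d.get("Details", "").endswith("(0x00000000)")):
        hits.append("rdp_enabled")
    if (event.channel == "Security" and event.event_id == 5136
            and d.get("ObjectClass") == "groupPolicyContainer"):
        hits.append("gpo_modified")
    if (event.channel == "System" and event.event_id == 7036
            and d.get("param2") == "stopped"
            and d.get("param1", "").startswith(CRITICAL_SERVICE_PREFIXES)):
        hits.append("critical_service_stopped")
    return hits


def rule_hits_by_host(events) -> dict:
    """Map each host to the set of distinct rules its events triggered."""
    per_host = defaultdict(set)
    for e in events:
        for rule in match_rules(e):
            per_host[e.host].add(rule)
    return dict(per_host)


def analyse(events, threshold: int = 3) -> dict:
    """Flag hosts where at least `threshold` distinct rules fired.

    A single hit (e.g. an admin legitimately enabling RDP) is noise on its own;
    several of these behaviours on one host within the same window is the
    pattern the post describes. The threshold is an assumed tuning value.
    """
    return {host: sorted(rules)
            for host, rules in rule_hits_by_host(events).items()
            if len(rules) >= threshold}


if __name__ == "__main__":
    for host, rules in analyse(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

Run as-is it reports `dc01` with four of the five behaviours, while `ws02`, which only shows the RDP registry change, stays below the threshold; lowering `threshold` trades that noise for earlier visibility, and in a real pipeline the window over which hits are accumulated matters as much as the count.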
Evolution of Ransomware Gangs
The Maze ransomware gang worked closely with the LockBit gang. The Maze gang pioneered the double-extortion technique, which gained prominence around November 2019. In 2020, Maze joined forces with other ransomware gangs to create a cybercrime cartel sharing code, ideas, and resources.
In late 2020, the Maze gang shut down its operations, and rumors abound that its members joined the Egregor ransomware gang. After Maze shut down, the LockBit gang went ahead and established its own leak site. The establishment of the leak site led to the development of LockBit 1.0. This initial version used the double-extortion technique: encrypting files, stealing data, and leaking the stolen data even when the ransom was paid.
Ransomware Prevention Tips
- Minimize use of foreign USBs and removable devices
- Download data from reputable sources
- Use VPN on public Wi-Fi connections
- Update security applications
- Avoid disclosing passwords and personal information