After penetrating the network, the attackers take several steps to make sure the ransomware attack succeeds: they try to infect as many systems as possible, halt business processes and pressure the victim into paying. The ransomware is launched through a UAC bypass, so it runs with elevated privileges in the background while the device is being encrypted.
Ransomware operators demand payment in cryptocurrency because such transfers are harder for law enforcement to trace. Before encrypting and locking systems they also steal sensitive data, so that if the victim refuses to pay or restores from backups, the threat of leaking that data becomes a second round of extortion designed to put further pressure on the company.
What is notable here is that the malware spreads on its own: the attacker only needs access to one account with sufficient privileges, and LockBit then reaches other computers in the network and runs the ransomware on them without further manual work.
Most large ransomware gangs keep their public presence limited to affiliate recruitment and their own leak sites. LockBit has been more visible than most: over the years its representatives have promoted the operation and provided support on underground hacker forums, which the group uses to advertise its ransomware-as-a-service program.
What is LockBit ransomware?
LockBit is a ransomware family that abuses widely available protocols and tools such as SMB and PowerShell. Its ransomware-as-a-service (RaaS) operation launched in September 2019; the operators recruit affiliates who break into networks and deploy the ransomware to encrypt the devices on them.
LockBit is malicious software built to deny users access to their computers until a ransom is paid. Several researchers group it with the LockerGoga and MegaCortex malware families because of its similar behaviour. LockBit identifies valuable targets and then spreads the infection, encrypting every reachable computer system on the network.
The LockBit 2.0 variant can encrypt an entire Windows domain by abusing Active Directory Group Policy. Researchers from MalwareHunterTeam and BleepingComputer and malware analyst Vitali Kremez reported the discovery of this new version of the ransomware.
LockBit 2.0 automates the interaction with Active Directory and the subsequent encryption of Windows domains through Group Policy. Its novel approach is to create and push an updated domain policy that disables antivirus on every machine and then distributes the malware to the domain's hosts, which makes it much easier for inexperienced affiliates to run an operation. LockBit 2.0 also borrows some features previously seen in Egregor ransomware operations.
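A defender's first question after reading the above is how to spot a Group Policy Object that switches off Defender before the payload lands. The following is an added example (not code from the article or from LockBit) that enumerates every GPO in the domain with the GroupPolicy RSAT module and flags those that set the standard Defender policy values to 1. The lookback window of seven days and the three registry values checked are assumptions for this example; the page only states that the policy "disables antivirus".

```powershell
# Added example: hunt for GPOs that turn off Microsoft Defender.
# Requires the GroupPolicy RSAT module and read access to the domain's GPOs.
Import-Module GroupPolicy

$LookbackDays = 7   # assumption: treat GPOs modified in the last week as "recent"

# Standard Defender policy values that a "disable AV" GPO would set (assumed set for this example).
$DefenderPolicy = @(
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender';                      Value = 'DisableAntiSpyware' },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Value = 'DisableRealtimeMonitoring' },
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Value = 'DisableBehaviorMonitoring' }
)

function Find-DefenderDisablingGpo {
    param([int]$Days = $LookbackDays)
    $since = (Get-Date).AddDays(-$Days)

    foreach ($gpo in Get-GPO -All) {
        # Collect every Defender-disabling value this GPO sets to 1.
        $hits = foreach ($p in $DefenderPolicy) {
            # Get-GPRegistryValue errors when the value is absent; suppress that and skip.
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $p.Key -ValueName $p.Value -ErrorAction SilentlyContinue
            if ($v -and $v.Value -eq 1) { "$($p.Key)\$($p.Value)=1" }
        }
        if ($hits) {
            [pscustomobject]@{
                Name     = $gpo.DisplayName
                Id       = $gpo.Id
                Modified = $gpo.ModificationTime
                Recent   = ($gpo.ModificationTime -ge $since)   # new or freshly edited GPO is the red flag
                Settings = ($hits -join '; ')
            }
        }
    }
}

# Usage: recently modified GPOs that disable Defender sort to the top.
Find-DefenderDisablingGpo | Sort-Object Recent -Descending | Format-Table -AutoSize
```

Any hit with `Recent = True` that nobody in the admin team can account for should be treated as an active intrusion, not a misconfiguration. Because LockBit 2.0 creates the policy on a domain controller, pairing this query with directory-service change auditing on the DCs (object creation and modification events under the Policies container) gives an alert at the moment the GPO is written rather than on the next scheduled run.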
How does LockBit operate?
LockBit, first spotted in late 2019 under the name "ABCD virus", is an overhaul and evolution of earlier ransomware rather than something built from scratch. Researchers have taken a closer look at LockBit as one of the more recent ransomware groups operating in the field. LockBit runs as a RaaS: a central control panel lets affiliates generate new LockBit samples, manage their victims, publish leak-site posts, and view statistics on the success or failure of their attacks.
Once an initial foothold is established, compromise of administrative credentials, internal reconnaissance, lateral movement and file encryption can all follow within a few hours. This is a reminder that ransomware campaigns can move through an organization faster than humans can respond, so containing them before damage is done requires automated responses at machine speed.
Research shows that LockBit affiliates most often gain initial access through exposed Remote Desktop Protocol (RDP) servers, using common phishing and credential-stuffing techniques, or by exploiting known but unpatched vulnerabilities on the target machines, such as those in Fortinet VPN appliances. According to forensic investigations, LockBit-linked groups then try to identify mission-critical systems such as NAS devices, backup servers, and domain controllers.
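Because exposed RDP with guessed or stuffed credentials is the most common first vector above, a cheap check is to look for password-guessing against RDP in the Windows Security log. The following is an added example, not from the article, that parses failed-logon events (ID 4625) from the local Security log, keeps the RDP-related logon types and reports source addresses that exceed a failure threshold. The 24-hour window and the threshold of 20 failures are assumptions; tune them to the host's normal traffic.

```powershell
# Added example: detect RDP password guessing from Security event 4625.
# Run elevated on the RDP host (or a collector) so the Security log is readable.
function Get-RdpPasswordGuessing {
    param(
        [int]$Hours = 24,       # assumption: lookback window
        [int]$Threshold = 20    # assumption: failures per source that count as guessing
    )
    $start = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start } `
                           -ErrorAction SilentlyContinue

    $parsed = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # LogonType 10 = RemoteInteractive (RDP session); 3 = Network, which is what
        # NLA-protected RDP records when the credential check fails before a session exists.
        if (@('10', '3') -contains $d.LogonType -and $d.IpAddress -and $d.IpAddress -ne '-') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Source    = $d.IpAddress
                User      = $d.TargetUserName
                LogonType = $d.LogonType
            }
        }
    }

    # Many failures from one source, especially across many user names, is credential stuffing.
    $parsed | Group-Object Source | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{
            SourceIp      = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending
}

# Usage:
Get-RdpPasswordGuessing | Format-Table -AutoSize
```

A source that fails against dozens of distinct user names is a stuffing run; a source that fails many times against one account is a targeted guess. Either way the fix is the same as the defensive list below: the RDP endpoint should not be reachable from the internet at all, and every remaining remote logon should require MFA.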
The activity of groups such as LockBit is indicative of things to come as the ransomware threat continues its explosive growth and criminals continue to escape arrest and prosecution.
The processes that LockBit checks are:
What can be done against Lockbit?
You will also need to put countermeasures in place so that the business is resilient to ransomware and other malicious attacks from the start. Some techniques to defend against LockBit:
- Enforce strong passwords.
- Enable multi-factor authentication, especially for RDP, VPN and other remote access.
- Reassess user account permissions and keep administrative rights to a minimum.
- Remove outdated and unused user accounts.
- Ensure system configurations follow all security procedures and that known vulnerabilities, such as those in VPN appliances, are patched.
- Keep system-wide backups and clean local machine images ready, stored offline or immutably, since backup servers are among the first systems LockBit affiliates go after.
- Have a comprehensive enterprise cyber security solution in place.
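Three of the items above (reassess permissions, remove stale accounts, and keep privileged access small) can be audited in one pass against Active Directory. The following is an added example, not from the article, that uses the ActiveDirectory RSAT module to list enabled accounts that have not logged on for a set period, expand the membership of the usual privileged groups, and flag privileged accounts whose passwords never expire. The 90-day staleness cut-off and the list of groups are assumptions; adjust them to the environment.

```powershell
# Added example: AD account hygiene report for the defensive checklist above.
# Requires the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

function Get-AdAccountHygieneReport {
    param(
        [int]$StaleDays = 90,                                   # assumption: no logon in 90 days = stale
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                        'Schema Admins', 'Administrators')  # assumption
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # LastLogonDate comes from lastLogonTimestamp, which replicates with up to ~14 days of lag;
    # it is fine for finding stale accounts but not for proving an exact last-logon time.
    $users = Get-ADUser -Filter 'Enabled -eq $true' `
                        -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated

    # Stale = logged on before the cut-off, or never logged on and created before the cut-off.
    $stale = $users | Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    }

    # Expand privileged groups recursively so nested group membership is not missed.
    $priv = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                $u = Get-ADUser $_.SamAccountName -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires
                [pscustomobject]@{
                    Group           = $g
                    User            = $u.SamAccountName
                    Enabled         = $u.Enabled
                    LastLogon       = $u.LastLogonDate
                    PasswordLastSet = $u.PasswordLastSet
                    NeverExpires    = $u.PasswordNeverExpires
                }
            }
    }

    [pscustomobject]@{
        StaleEnabledAccounts  = @($stale | Select-Object SamAccountName, LastLogonDate, whenCreated)
        PrivilegedAccounts    = @($priv)
        PrivilegedNeverExpire = @($priv | Where-Object NeverExpires)
    }
}

# Usage:
$report = Get-AdAccountHygieneReport
"Stale enabled accounts: $($report.StaleEnabledAccounts.Count)"
$report.StaleEnabledAccounts | Format-Table -AutoSize
"Privileged accounts: $($report.PrivilegedAccounts.Count)"
$report.PrivilegedAccounts | Format-Table -AutoSize
```

Stale accounts should be disabled first and deleted later, so that a legitimate owner can be restored without losing the object. The privileged list is the one to read most carefully: every entry is an account that, if its credentials are phished or stuffed as described above, gives an affiliate the access LockBit needs to push a malicious Group Policy to the whole domain.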
MITRE ATT&CK techniques observed in LockBit. The IDs follow the older ATT&CK numbering used when the page was written; where a technique has since been moved to a sub-technique, the current ID is given alongside.

| Technique ID | Technique | Current ATT&CK ID |
| --- | --- | --- |
| T1107 | File Deletion | T1070.004 |
| T1055 | Process Injection | unchanged |
| T1112 | Modify Registry | unchanged |
| T1215 | Kernel Modules and Extensions | T1547.006 |
| T1060 | Registry Run Keys / Startup Folder | T1547.001 |
| T1124 | System Time Discovery | unchanged |
| T1046 | Network Service Scanning | unchanged |
| T1083 | File and Directory Discovery | unchanged |
| T1016 | System Network Configuration Discovery | unchanged |
| T1012 | Query Registry | unchanged |
| T1082 | System Information Discovery | unchanged |
| T1057 | Process Discovery | unchanged |
| T1063 | Security Software Discovery | T1518.001 |
| T1047 | Windows Management Instrumentation | unchanged |
| T1035 | Service Execution | T1569.002 |
| T1075 | Pass the Hash | T1550.002 |
SHA256 Compile TimeStamp