[BreachExchange] Security Vendors Sound the Alarm on LockBit Ransomware's Return

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Aug 19 11:27:02 EDT 2021


https://www.darkreading.com/vulnerabilities-threats/security-vendors-sound-the-alarm-on-lockbit-ransomware-s-return

The operators of LockBit, a ransomware-as-a-service outfit that first
surfaced in 2019, have re-emerged with a vengeance, touting an improved
version of their malware as well as an aggressive new campaign to recruit
affiliates from the Dark Web and — ominously — from within target
organizations themselves.

In recent days, several security vendors have reported observing a sharp
increase in threat activity involving LockBit by groups likely looking to
cash in on the opportunity created by the exit of major ransomware
operators such as REvil and DarkSide over the past few months. One of the
most notable incidents was last week's attack on consulting giant Accenture
that reportedly resulted in the theft of several terabytes worth of data
and a subsequent ransom demand of $50 million.

In a report this week, Trend Micro says that between July 1 and Aug. 15,
its researchers observed attack attempts involving LockBit that targeted
organizations in the UK, Italy, Taiwan, and Chile. The attacks featured a
new version of the ransomware, LockBit 2.0, which, among other things, is
capable of automatically encrypting devices across Windows domains using
Active Directory (AD) group policies. The tactic has made LockBit one of
the fastest ransomware strains on the market.

According to Trend Micro's analysis of LockBit 2.0, the malware uses a
multithreaded approach to encrypt files on impacted systems, and it
encrypts only 4 kilobytes of data per file rather than the whole file,
which keeps the per-file work small and accounts for much of its speed. As
a ransomware-as-a-service operation, LockBit 2.0's operators also supply
their affiliates with a tool called StealBit, which the affiliates can use
to automatically exfiltrate data before encryption. Like many other ransomware strains,
LockBit is designed to look for and terminate security tools, services, and
processes that might interfere with its ability to carry out its encryption
mission, Trend Micro says.
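The 4 KB figure above is worth making concrete. The block below is an added illustration, not code from the article or from Trend Micro: it shows why touching only the head of each file is fast, and gives two checks a responder can run over a recovered file tree to recognise head-only encryption (an entropy contrast between head and tail, and a lost format signature). The keystream is a toy SHA-256 counter-mode stand-in for illustration only, not LockBit's cipher, and the sample file contents are constructed inline.

```python
"""
Added example, not code from the article or from Trend Micro: head-only
file encryption and two responder-side checks for it. The keystream is a
toy SHA-256 counter-mode stand-in, NOT LockBit's cipher; the sample file
contents below are constructed for this example.
"""
import hashlib
import math
from collections import Counter

HEAD_BYTES = 4096  # the per-file amount the article attributes to LockBit 2.0


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def partial_encrypt(data: bytes, key: bytes, head: int = HEAD_BYTES) -> bytes:
    """Overwrite only the first `head` bytes; everything after is untouched."""
    n = min(head, len(data))
    ks = keystream(key, n)
    return bytes(a ^ b for a, b in zip(data[:n], ks)) + data[n:]


def work_fraction(file_sizes, head: int = HEAD_BYTES) -> float:
    """Share of the total bytes a head-only encryptor actually processes."""
    total = sum(file_sizes)
    return sum(min(s, head) for s in file_sizes) / total if total else 0.0


def shannon_entropy(buf: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not buf:
        return 0.0
    total = len(buf)
    return -sum(c / total * math.log2(c / total) for c in Counter(buf).values())


def looks_head_encrypted(data: bytes, head: int = HEAD_BYTES,
                         high: float = 7.5, low: float = 6.0) -> bool:
    """Head near-random while the tail still looks like plaintext.
    Files shorter than 2*head give no usable contrast and return False;
    that is a limitation of the heuristic, not a clean verdict."""
    if len(data) < 2 * head:
        return False
    return (shannon_entropy(data[:head]) >= high
            and shannon_entropy(data[head:]) <= low)


def magic_mismatch(data: bytes, expected_magic: bytes) -> bool:
    """Cheaper check for formats with a fixed signature (b'PK' for
    docx/xlsx, b'%PDF' for PDF): head-only encryption destroys it, and it
    works even for compressed formats whose tail is high-entropy anyway."""
    return not data.startswith(expected_magic)


def sample_document() -> bytes:
    """Constructed low-entropy 'report' (~57 KB) standing in for a plaintext
    file on a victim share."""
    return b"Q2 revenue by region; see appendix for methodology.\n" * 1100


def demo() -> dict:
    doc = sample_document()
    hit = partial_encrypt(doc, b"not-a-real-key")
    pdf = partial_encrypt(b"%PDF-1.7\n" + doc, b"k")
    return {
        "before": looks_head_encrypted(doc),
        "after": looks_head_encrypted(hit),
        "tail_intact": hit[HEAD_BYTES:] == doc[HEAD_BYTES:],
        "pdf_magic_lost": magic_mismatch(pdf, b"%PDF"),
    }


if __name__ == "__main__":
    print(demo())
    # a tree of one hundred 1 MB files: well under 1% of the bytes are touched
    print(round(work_fraction([1024 * 1024] * 100), 4))
```

The entropy contrast only works on files whose tail is genuinely low-entropy (text, CSV, uncompressed databases); Office documents and archives are high-entropy throughout, so for those compare the signature bytes against the expected magic, or against a known-good backup copy, instead.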

"The LockBit gang continues to update their TTPs in order to have
successful attack campaigns," says Jon Clay, vice president of threat
intelligence at Trend Micro.

While it's possible that the group may have ramped up activity recently in
response to the exit of some groups, it's equally likely they were simply
ready to start again. In addition to operating on its own, the group has
been recruiting affiliates who have expertise targeting specific
organizations, Clay says.

Doel Santos, threat intelligence analyst at Palo Alto Networks Unit 42
threat research group, says the group behind LockBit 2.0 has been claiming
the malware can encrypt 100 gigabytes of data in just 4 minutes and 28
seconds. That is less than half the time it takes for other widely
distributed ransomware strains, such as Conti, REvil, and Ryuk, to achieve
the same result, Santos says.

Since the group re-emerged in June with LockBit 2.0, the malware has been
used in attacks against organizations in numerous countries, including the
US, UK, Argentina, Australia, Austria, Malaysia, Germany, and Italy, he
adds. As has become common, many recent LockBit attacks have involved
double extortion, where the attackers steal sensitive data and use the
threat of publishing it to pressure victims into paying. Santos says
LockBit's leak site currently lists 52 victims, which isn't too far behind
ransomware leader Cl0p's current count.

Marketing Campaign

LockBit operators have launched a marketing campaign touting the
ransomware's speed and offering potentially lucrative returns for
individuals at targeted organizations who are willing to help the group in
its mission to extort money.

"LockBit installs wallpaper on compromised PCs with a tantalizing offer:
millions of dollars in exchange for a cut on any ransomware payments in
exchange for providing access to a machine," Santos says. "This is
definitely a bold approach. LockBit is the first group I’ve observed
pursuing this strategy. It will be interesting to see if others follow
suit."

A report that Switzerland-based threat intelligence firm Prodaft published
in June based on its investigation of attacks involving LockBit described
ransomware operators as using multiple methods to find new targets. These
methods include mass vulnerability scanning, credential stuffing, and
phishing attacks. The most common tactic, though, is to purchase RDP
credentials and other ways to access previously compromised servers from
underground forums.

"Such credentials can be purchased for as low as $5, thus making it very
lucrative for affiliates considering the demanded ransom amount," the
report states.

LockBit was known as ABCD ransomware when it first started activities in
September 2019, Santos says. "The name came from the extension that it used
to encrypt files," he says. "With time, like other ransomware, it rebranded
into [the] LockBit that we know today."

Symantec, another security vendor that has reported a recent surge in
LockBit activity, has suggested the increase may have to do with affiliate
groups switching to the malware with the exit of the REvil, aka Sodinokibi,
ransomware operators. The security vendor says its researchers have seen
evidence showing that at least one gang that used REvil/Sodinokibi has
switched to LockBit.

Threat actors using LockBit have adopted a variety of tactics and
techniques for deploying the malware. They include the use of tools for
disabling Windows Defender, scanning infected networks, and stealing
credentials from infected systems; for lateral movement; and for retrieving
information about services running on a system.

"The numerous password-dumping tools used by these attackers indicate that
harvesting credentials is a key part of their attack chain," Symantec said.
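The tactics Symantec lists (Defender tampering, credential dumping, network scanning) are the pre-encryption stage a defender can still interrupt. The block below is an added example, not code from the article or from Symantec or any other vendor: a small triage rule set run over constructed process-creation events, with one correlation that escalates a host where Defender tampering is followed by an LSASS dump. The event field layout and every sample line are made up for this example, and the command patterns are well-known administrative and living-off-the-land forms assumed to be representative, not observed LockBit indicators.

```python
"""
Added example, not from the article or any vendor: triage rules over
constructed process-creation events keyed to the tactics the article lists.
Field layout (ts|host|user|image|cmdline) and the sample lines are invented;
the command patterns are assumptions about representative tooling.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    cmdline: str


# (rule name, pattern over the command line); first match wins per event
RULES = [
    ("defender_tamper", re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)", re.I)),
    ("defender_tamper", re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("defender_tamper", re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config)\s+WinDefend\b", re.I)),
    ("cred_dump", re.compile(r"\bprocdump(?:\.exe)?\b.*-ma\s+lsass", re.I)),
    ("cred_dump", re.compile(r"comsvcs\.dll\b.*\bMiniDump\b", re.I)),
    ("cred_dump", re.compile(r"mimikatz|sekurlsa::", re.I)),
    ("net_recon", re.compile(
        r"\bnltest(?:\.exe)?\b.*/dclist|\bnet(?:\.exe)?\s+group\s+\"?domain admins", re.I)),
]

# Constructed sample telemetry; hosts, users and paths are fictional.
SAMPLE_LOG = r"""
2021-08-12T03:14:02Z|WS-0412|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2021-08-12T03:16:40Z|WS-0412|CORP\jdoe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\l.dmp full
2021-08-12T03:20:11Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c nltest /dclist:corp.local
2021-08-12T03:25:00Z|SRV-FILE01|CORP\svc_backup|C:\Program Files\Backup\agent.exe|agent.exe --snapshot nightly
2021-08-12T09:02:33Z|WS-0099|CORP\itadmin|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Add-MpPreference -ExclusionPath C:\Tools
"""


def parse_event(line: str) -> ProcessEvent:
    ts, host, user, image, cmdline = line.split("|", 4)
    return ProcessEvent(ts, host, user, image, cmdline)


def scan(lines) -> list:
    """Apply RULES to each event; emit at most one alert per event."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        for name, pat in RULES:
            if pat.search(ev.cmdline):
                alerts.append(Alert(ev.ts, ev.host, name, ev.cmdline))
                break
    return alerts


def _t(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def chained_hosts(alerts, window: timedelta = timedelta(minutes=60)) -> set:
    """Hosts where a credential dump follows Defender tampering within
    `window`: the single-alert false positives (an admin adding an
    exclusion) drop out, the pre-ransomware chain stays."""
    out = set()
    for dump in (a for a in alerts if a.rule == "cred_dump"):
        for tamper in (b for b in alerts
                       if b.host == dump.host and b.rule == "defender_tamper"):
            if timedelta(0) <= _t(dump.ts) - _t(tamper.ts) <= window:
                out.add(dump.host)
    return out


def run_demo():
    alerts = scan(SAMPLE_LOG.splitlines())
    return alerts, chained_hosts(alerts)


if __name__ == "__main__":
    alerts, chained = run_demo()
    for a in alerts:
        print(f"{a.ts} {a.host:<10} {a.rule:<16} {a.cmdline[:60]}")
    print("escalate:", sorted(chained))
```

The single-host, single-rule hit on WS-0099 is exactly the kind of event an administrator generates legitimately; the correlation step is what separates it from WS-0412, where tampering, an LSASS dump and domain-controller discovery arrive within minutes of each other. In production the patterns would be one input among several (parent process, user context, signing status), not a verdict on their own.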