Everything You Need to Know About LockBit

While the ransomware-for-hire group works to create ever more efficient exploits, companies can protect themselves with structured vulnerability management processes. Prioritize threats based on severity and risk.

DARKReading

LockBit belongs to the minority of ransomware families that leverage auto-propagating malware and double encryption methods. After breaching security behemoth Entrust and the Italian Revenue Agency earlier this summer, LockBit has continued to gain notoriety while on the lookout for its next victim.

LockBit ransomware began its spree of high-profile attacks as early as September 2019 and has remained one of the most prolific groups to date. Motivated by large payouts, the group doesn’t fear targeting larger corporations and enterprises.

The ransomware group is known for its triple-extortion method, sophisticated technology, high-severity cyberattacks, and heavy marketing to affiliates. LockBit’s presence is felt globally, and industries are afforded only short moments of respite when the group retreats to develop more devastating upgrades to its toolkit. Its attack frequency and strategy demonstrate its determination to cause harm and make the group a force to beware of in the cybersecurity world.

LockBit: The Brief

  • LockBit markets itself as ransomware-as-a-service (RaaS). It works in conjunction with other bad actors who perform attacks for hire, and then splits the funds between the LockBit developer team and other accomplices.
  • The LockBit family targets both CVE-2021-22986 and CVE-2018-13379.
  • The Russian threat actor group TA505 (also known as Hive0065) has been observed using the LockBit ransomware payload in its attacks.

New Variants

LockBit originated as an ABCD cryptovirus in 2019. Its main targets were government organizations in North America, Europe, and APAC regions, along with private companies, and it demanded crypto as its form of ransom payment.

Early targets of LockBit in 2019 and 2020 included Windows systems within financial and healthcare institutions. The ransomware group then took a hiatus to improve its malware kit and operation strategy. To date, two LockBit versions in addition to the initial version have been released, with each subsequent release possessing increased attack capabilities.

LockBit 2.0

LockBit 2.0 was introduced in June 2021 and was documented in attacks in Taiwan, Chile, and the UK. In the 2.0 version, LockBit added the double-extortion technique and auto-encryption of hardware across Windows domains for which it became known. Later in the fall of 2021, the group began branching out into Linux servers, too, specifically attacking ESXi servers.

LockBit 3.0, Also Known as LockBit Black

After another brief hiatus, LockBit returned in June 2022 with the release of another improved version of the ransomware, including a bug bounty program that financially incentivizes researchers to share bug reports. In addition to the program, version 3.0 includes Zcash payments and new extortion tactics. Building on top of architecture found in BlackMatter and DarkSide, LockBit has now refined its evasion practices and passwordless execution, and implemented command-line features.

The updated LockBit ransomware was used to attack and steal data from the Italian Revenue Agency and a county office in Ontario, Canada. On top of encryption and the threat of data leaks, the ransomware group has included denial-of-service attacks to increase the pressure on victims.

In a surprising turn of events, an alleged LockBit developer leaked the builder used to design the 3.0 version on Twitter, citing frustration with the group’s leadership as the motivation for the leak. The leak is a blow to the group but also a potential risk to the cybersecurity field, as the leaked information can equip new individuals with the necessary tools to start their own ransomware kit. No more than a week after the leak, a new ransomware group was observed using the builder to target companies.

How Dangerous Is LockBit?

LockBit has a diverse arsenal of technologies and techniques to go after the largest organizations, regardless of industry. Here is a snapshot of the tools, tactics, and methods that make LockBit so dangerous:

  • StealBit, a malware tool first found in the 2.0 version, was designed for encryption and is believed to be the most efficient and quickest encryption tool.
  • StealBit automatically spreads to other connected devices along a network by taking advantage of Windows PowerShell and Server Message Block.
  • LockBit’s malware can now infect both Windows and Linux systems, whereas initially it could only exploit Windows systems.
  • The creation of the bug bounty program is the group’s attempt at establishing itself as a professional group of hackers while simultaneously improving its defenses.
  • LockBit 3.0 introduced Zcash payment options for ransom collection and to avoid interference from law enforcement agencies.

How to Prevent a LockBit Attack

  • Curb unnecessary permissions: Make a habit of restricting permissions, as more levels of authentication make it difficult for remote hackers to escalate permissions and gain greater access. Pay close attention to users with IT and admin-level permissions.

  • Monitor your attack surface: Incorporate a solution that scans your entire attack surface for potential entry points for attackers. Routinely monitor both existing assets and those newly added to your organization’s network.

Security leadership can keep attackers away by cultivating a culture of vigilance with structured vulnerability management processes that prioritize threats based on severity and risk. Despite LockBit’s capabilities, organizations do have options when it comes to protecting themselves and their partners.
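The sketch below is an added example, not part of the original article: it ranks scanner findings by severity plus risk context and shows which assets move up compared with a CVSS-only ordering. The weights, asset names, the `admin_reachable` flag, and the `CVE-0000-…` placeholder IDs are illustrative assumptions; the two real CVE IDs are the ones the article lists as LockBit targets.

```python
from dataclasses import dataclass

# CVEs this article says the LockBit family targets.
LOCKBIT_CVES = {"CVE-2021-22986", "CVE-2018-13379"}

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float            # severity reported by the scanner (0.0-10.0)
    internet_facing: bool  # exposure, from attack-surface monitoring
    admin_reachable: bool  # hypothetical flag: admin-level accounts log on here

def risk_score(f: Finding) -> float:
    """Severity plus risk context. The weights are illustrative assumptions."""
    score = f.cvss
    if f.cve in LOCKBIT_CVES:
        score += 3.0  # named in the article as targeted by LockBit
    if f.internet_facing:
        score += 2.0  # reachable entry point
    if f.admin_reachable:
        score += 1.0  # compromise would expose elevated permissions
    return round(score, 1)

def prioritize(findings):
    """Highest risk first; ties broken by asset and CVE for stable output."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.cve))

def promoted(findings):
    """Assets that rank higher by risk than by CVSS severity alone."""
    by_cvss = [f.asset for f in sorted(findings, key=lambda f: (-f.cvss, f.asset))]
    by_risk = [f.asset for f in prioritize(findings)]
    return [a for a in by_risk if by_risk.index(a) < by_cvss.index(a)]

# Constructed sample findings (not real scan data; CVE-0000-* are placeholders).
SAMPLE = [
    Finding("hr-portal", "CVE-0000-0001", 9.1, False, False),
    Finding("vpn-gw-01", "CVE-2018-13379", 9.8, True, True),
    Finding("lb-mgmt-02", "CVE-2021-22986", 9.8, False, True),
    Finding("build-srv", "CVE-0000-0002", 7.5, True, False),
    Finding("file-srv", "CVE-0000-0003", 5.3, False, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.asset:<11} {f.cve}")
    print("moved up vs. CVSS-only order:", promoted(SAMPLE))
```

In this sample the internet-facing build server with a CVSS 7.5 finding is patched ahead of an internal portal with a CVSS 9.1 finding, which is the difference between ranking by severity alone and ranking by severity and risk.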
