LockBit Ransomware
- Operations disruption with essential functions coming to a sudden halt.
- Extortion for the hacker’s financial gain.
- Data theft and illegal publication as blackmail if the victim does not comply.
How does LockBit ransomware work?
Cobalt Strike
Cobalt Strike is a commercial adversary-simulation tool with flexible features for emulating espionage-style intrusions on one's own network, testing defenses and improving security. However, it is also commonly used by real attackers, including APT groups and ransomware gangs, according to Wikipedia.
This is a living-off-the-land technique: instead of dropping a new loader, the attacker abuses a legitimate program file that already exists on the system to load malicious code. In LockBit's case, SentinelLabs reported back in April that the group was abusing the VMware command-line tool VMwareXferlogs.exe to side-load Cobalt Strike.
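The side-loading pattern just described is straightforward to hunt for in endpoint telemetry. The following Python is an added example (not code from the article, SentinelLabs or LockBit): it flags a watched legitimate binary that runs from, or loads a DLL from, somewhere other than its install directory, or that loads an unsigned DLL. The install directory, the Sysmon-style field names and the three sample ImageLoad records are constructed assumptions.

```python
"""Hunt for DLL side-loading by a legitimate host binary in Sysmon-style
ImageLoad (Event ID 7) records.

Added example, not code from the original article or from SentinelLabs.
Assumptions: the allowlisted install directory, the field names and the
sample events are constructed for illustration.
"""
import ntpath

# Legitimate binaries known to be abused as side-loading hosts, mapped to the
# directory they are expected to live in (assumed; extend for your estate).
WATCHED_HOSTS = {
    "vmwarexferlogs.exe": r"c:\program files\vmware\vmware tools",
}

# Constructed Sysmon-like ImageLoad records (not real telemetry).
EVENTS = [
    # Normal: the tool runs from its install directory and loads a signed DLL.
    {"Image": r"C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\glib-2.0.dll",
     "Signed": "true", "Signature": "VMware, Inc."},
    # Suspicious: a copy of the tool in a user-writable folder loads an
    # unsigned DLL sitting next to it (the side-loading pattern).
    {"Image": r"C:\Users\Public\VMwareXferlogs.exe",
     "ImageLoaded": r"C:\Users\Public\glib-2.0.dll",
     "Signed": "false", "Signature": ""},
    # Unrelated system activity, not a watched host binary.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def side_load_findings(events, watched=WATCHED_HOSTS):
    """Return (exe, dll, reasons) for each watched binary whose load looks
    like side-loading. ntpath is used so the Windows paths parse anywhere."""
    findings = []
    for ev in events:
        image = ev["Image"]
        exe = ntpath.basename(image).lower()
        expected_dir = watched.get(exe)
        if expected_dir is None:
            continue  # not a binary we track
        exe_dir = ntpath.dirname(image).lower()
        dll = ev["ImageLoaded"]
        dll_dir = ntpath.dirname(dll).lower()
        reasons = []
        if exe_dir != expected_dir:
            reasons.append("host binary running outside its install directory: " + exe_dir)
        if dll_dir != expected_dir:
            reasons.append("DLL loaded from outside the install directory: " + dll)
        if ev.get("Signed", "").lower() != "true":
            reasons.append("loaded DLL is unsigned")
        if reasons:
            findings.append((exe, dll, reasons))
    return findings


if __name__ == "__main__":
    for exe, dll, reasons in side_load_findings(EVENTS):
        print(f"{exe} -> {dll}")
        for reason in reasons:
            print("   ", reason)
```

The directory comparison is the important part: a copied-out host binary and a DLL sitting beside it in a user-writable folder is the side-loading shape, and it fires even when the attacker's DLL happens to carry a valid signature.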
Stages of LockBit attacks
LockBit attacks can be understood in roughly three stages:
- Exploit
- Infiltrate
- Deploy
Stage 1: Exploit weaknesses in a network. The initial breach looks much like any other intrusion. An organization may be compromised through social engineering such as phishing, in which attackers impersonate trusted personnel or authorities to request access credentials. Equally viable are brute-force attacks against an organization's intranet servers and network systems. Without proper controls such as account lockout, rate limiting and multi-factor authentication, password guessing may succeed within a few days.
Once LockBit has made it into a network, the ransomware prepares to release its encrypting payload across every device it can reach. However, an attacker may need to complete a few additional steps before making the final move.
Stage 2: Infiltrate deeper to complete the attack setup if needed. From this point forward, the LockBit program is designed to drive much of the activity on its own. It uses "post-exploitation" tools to escalate privileges to an attack-ready level of access, and it moves laterally through the access it already holds to identify which targets are worth hitting.
It is at this stage that LockBit takes its preparatory actions before deploying the encryption portion of the ransomware. These include disabling security programs and any other infrastructure that could permit system recovery, such as volume shadow copies and backup services.
The goal of infiltration is to make unassisted recovery impossible, or slow enough that paying the ransom looks like the only practical option. A victim desperate to get operations back to normal is the victim who pays.
Stage 3: Deploy the encryption payload. Once the network has been prepared, the ransomware propagates to every machine it can reach. As stated previously, LockBit doesn't need much to complete this stage: a single host with sufficient privileges can instruct the other hosts on the network to download LockBit and run it.
The encryption portion "locks" files by encrypting them. Victims can only recover them with the decryption key held by the attackers, delivered through LockBit's own decryption tool. The process also drops copies of a simple ransom note text file in every folder it touches. The note gives the victim instructions for restoring their files and, in some LockBit versions, adds blackmail threats to publish stolen data.
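Each stage above leaves a different kind of trace, and a defender wants to see them joined up per host rather than as isolated alerts. The following Python is an added example, not the article's, LockBit's or any vendor's code: it scores constructed host telemetry for a brute-force logon burst (Stage 1), a recovery-disabling command (Stage 2) and a mass rename plus ransom-note drop (Stage 3), then reports hosts on which the whole chain appears. The event format, thresholds and command-line patterns are assumptions; the Stage 2 patterns follow the MITRE ATT&CK techniques "Inhibit System Recovery" and "Impair Defenses", not anything on this page, and the note name and extension mirror LockBit 2.0 only for realism.

```python
"""Correlate the three LockBit stages described above (exploit, infiltrate,
deploy) across host telemetry.

Added example, not the article's, LockBit's or any vendor's code. The event
layout, the thresholds and the command-line patterns are assumptions; the
Stage 2 patterns follow the MITRE ATT&CK "Inhibit System Recovery" and
"Impair Defenses" techniques rather than anything on this page. All events
are constructed.
"""
import re
from collections import defaultdict

# Stage 2 indicators: commands that remove recovery options or stop defenses.
RECOVERY_KILL = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"net(\.exe)?\s+stop\s+\S*(defend|antivirus|backup)", re.I),
]


def brute_force_sources(events, threshold=10, window=60):
    """Stage 1: (host, source) pairs with >= threshold failed logons
    inside any `window`-second span."""
    stamps = defaultdict(list)
    for ev in events:
        if ev["kind"] == "logon_failure":
            stamps[(ev["host"], ev["src"])].append(ev["ts"])
    hits = []
    for key, ts in stamps.items():
        ts.sort()
        # Sliding window: the i-th and (i+threshold-1)-th failures are
        # close enough together to count as a burst.
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            hits.append(key)
    return sorted(hits)


def recovery_inhibited(events):
    """Stage 2: hosts where a recovery- or defense-disabling command ran."""
    return sorted({ev["host"] for ev in events
                   if ev["kind"] == "process"
                   and any(p.search(ev["cmd"]) for p in RECOVERY_KILL)})


def mass_encryption(events, min_files=5, min_note_dirs=3):
    """Stage 3: one process renames many files to a single new extension
    and drops an identically named note into many directories."""
    renamed = defaultdict(set)   # (host, proc, new extension) -> files
    notes = defaultdict(set)     # (host, proc, file name) -> directories
    for ev in events:
        if ev["kind"] == "file_rename":
            ext = ev["new"].rsplit(".", 1)[-1].lower()
            renamed[(ev["host"], ev["proc"], ext)].add(ev["old"])
        elif ev["kind"] == "file_create":
            directory, _, name = ev["path"].rpartition("\\")
            notes[(ev["host"], ev["proc"], name.lower())].add(directory.lower())
    hits = []
    for (host, proc, ext), files in renamed.items():
        if len(files) < min_files:
            continue
        spread = [k[2] for k, dirs in notes.items()
                  if k[:2] == (host, proc) and len(dirs) >= min_note_dirs]
        if spread:
            hits.append((host, proc, ext, spread[0]))
    return hits


def full_chain_hosts(events):
    """Hosts on which all three stages were observed."""
    stage1 = {host for host, _ in brute_force_sources(events)}
    stage2 = set(recovery_inhibited(events))
    stage3 = {hit[0] for hit in mass_encryption(events)}
    return sorted(stage1 & stage2 & stage3)


def sample_events():
    """Constructed telemetry: one attacked file server (FS01) and one quiet
    workstation (WS02). Names, addresses and paths are invented."""
    ev = [{"ts": i * 2, "host": "FS01", "kind": "logon_failure",
           "src": "203.0.113.5", "user": "administrator"} for i in range(12)]
    ev += [{"ts": 100 + i * 30, "host": "WS02", "kind": "logon_failure",
            "src": "10.0.0.21", "user": "jdoe"} for i in range(3)]
    ev.append({"ts": 600, "host": "FS01", "kind": "process",
               "cmd": "vssadmin.exe delete shadows /all /quiet"})
    proc = r"C:\Users\Public\lb.exe"
    for i in range(6):
        ev.append({"ts": 900 + i, "host": "FS01", "kind": "file_rename",
                   "proc": proc, "old": rf"C:\Shares\Finance\q{i}.xlsx",
                   "new": rf"C:\Shares\Finance\q{i}.xlsx.lockbit"})
    for d in (r"C:\Shares\Finance", r"C:\Shares\HR", r"C:\Users\Public", r"C:\Shares"):
        ev.append({"ts": 910, "host": "FS01", "kind": "file_create",
                   "proc": proc, "path": d + r"\Restore-My-Files.txt"})
    return ev


if __name__ == "__main__":
    print("full chain on:", full_chain_hosts(sample_events()))
```

Stage 2 is the cheapest place to catch the intrusion: a shadow-copy deletion or a defense-service stop is rare in normal administration and comes before anything is encrypted, so alerting on it alone is worthwhile even when the brute-force burst was never logged.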
With all the stages completed, the next steps are left to the victim. They may decide to contact LockBit's support desk and pay the ransom. However, paying is not advised: victims have no guarantee that the attackers will keep their end of the bargain.
How to protect against LockBit ransomware
Ultimately, you'll have to set up protective measures to ensure your organization is resilient against ransomware and other malicious attacks from the outset. Here are a few practices that can help you prepare:
- Strong passwords should be implemented. Many account breaches occur due to easy-to-guess passwords, or ones simple enough for a cracking tool to recover within a few days of probing. Make sure you pick secure passwords: choose longer ones with a mix of character types, or use self-created rules to craft passphrases.
- Activate multi-factor authentication. Deter brute-force attacks by adding layers on top of your password-based logins. Include measures like biometrics or physical USB security keys on all your systems where possible.
- Reassess and simplify user account permissions. Restrict permissions to stricter levels so that a compromised account cannot move through the network undeterred. Pay special attention to accounts used by endpoint users and to IT accounts with admin-level permissions. Web domains, collaboration platforms, web-meeting services and enterprise databases should all be covered.
- Clean out outdated and unused user accounts. Older systems may still carry accounts from past employees that were never deactivated and closed. A check-up of your systems should include removing these potential weak points.
- Ensure system configurations follow all security procedures. This may take time, but revisiting existing setups may reveal new issues and outdated policies that put your organization at risk. Standard operating procedures must be reassessed periodically to stay current against new cyber threats.
- Always have system-wide backups and clean local machine images prepared. Incidents will happen, and the only true safeguard against permanent data loss is an offline copy. Take backups periodically so that important changes to your systems are captured. Because a backup can itself be tainted by a malware infection, keep multiple rotating backup points so that you can restore from a clean period.
- Be sure to have a comprehensive enterprise cyber security solution in place. While LockBit will try to disable protections once it is on a host, enterprise security software with real-time protection helps you catch malicious file downloads across the entire organization. Learn more about Kaspersky Security Solutions for Enterprise to help you protect your business and devices.
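Several of the items above (stale credentials, admin accounts without MFA, accounts that should have been removed) can be checked mechanically from a directory export. The following Python is an added example, not from the article or any directory or vendor tool; the CSV columns are an assumed export format, the rows are constructed, and the 90-day inactivity and 365-day admin password-age thresholds are assumptions to tune to your own policy.

```python
"""Audit a directory export for the account-hygiene items in the list above:
stale or never-used accounts, admin accounts lacking MFA, and admin
credentials that have not been rotated.

Added example, not from the article or any directory tool. The CSV layout is
an assumed export format, the rows are constructed, and the thresholds are
assumptions.
"""
import csv
import io
from datetime import datetime

# Constructed export (not real accounts). Dates are ISO YYYY-MM-DD;
# "never" means the account has no recorded logon.
EXPORT = """\
sam,enabled,last_logon,pwd_last_set,admin,mfa
jdoe,true,2024-05-20,2024-02-01,false,true
svc_backup,true,2023-09-01,2022-01-15,true,false
former_emp,true,2023-01-10,2022-12-01,false,false
it_admin,true,2024-05-28,2024-05-01,true,true
vendor01,true,never,2023-11-11,false,false
old_contractor,false,2022-03-03,2022-03-03,false,false
"""


def _days_since(value, now):
    """Days between an ISO date and `now`; None when the value is 'never'."""
    if value == "never":
        return None
    return (now - datetime.strptime(value, "%Y-%m-%d")).days


def audit(export_text, as_of, stale_days=90, max_admin_pwd_age=365):
    """Return {account: [reasons]} for enabled accounts that need attention.
    `as_of` is the audit date as YYYY-MM-DD so results are reproducible."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "true":
            continue  # already disabled; nothing to do
        reasons = []
        is_admin = row["admin"] == "true"
        idle = _days_since(row["last_logon"], now)
        if idle is None:
            reasons.append("enabled but never logged on: verify it is needed")
        elif idle > stale_days:
            reasons.append(f"no logon for {idle} days: disable or remove")
        if is_admin and row["mfa"] != "true":
            reasons.append("admin-level account without MFA")
        pwd_age = _days_since(row["pwd_last_set"], now)
        if is_admin and pwd_age is not None and pwd_age > max_admin_pwd_age:
            reasons.append(f"admin password unchanged for {pwd_age} days")
        if reasons:
            findings[row["sam"]] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in audit(EXPORT, "2024-06-01").items():
        print(account)
        for reason in reasons:
            print("   ", reason)
```

Service accounts such as the constructed svc_backup row are the usual worst offenders: privileged, exempt from MFA, rarely rotated and seldom logged into interactively, which is exactly the kind of account a brute-force or credential-theft foothold is converted into.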