LockBit Ransomware Infection Methods Studied

LockBit ransomware attacks are constantly evolving, employing a variety of infiltration methods and disabling endpoint security software to achieve their goal of extortion.

According to Cybereason security analysts Loïc Castel and Gal Romano, "The affiliates that use LockBit's services conduct their attacks according to their preference and use a variety of tools and techniques to achieve their goal. The activities from various cases have a tendency to converge to similar activities as the attack progresses further along the kill chain." [Cybereason]

LockBit, which like most groups uses a ransomware-as-a-service (RaaS) model, was first observed in September 2019 and has since emerged as the most dominant ransomware strain this year, meaning the strain with the most activity, surpassing other well-known groups such as Conti, Hive, and BlackCat.

The malware authors license access to their tools and infrastructure to affiliates, who execute the attacks and can earn as much as 80 percent of each successful ransom payment received from victims.

In addition, LockBit makes use of the common practice of double extortion in order to exfiltrate vast amounts of data prior to encrypting the assets of the target. As of May 2022, the cybercriminal syndicate had netted no fewer than 850 victims on its data leak site.

Figure: Attack Life Cycle - Case Study 1

Figure: Attack Life Cycle - Case Study 2

Phishing emails, publicly exposed RDP ports, and unpatched server flaws are the three most common entry points used in LockBit ransomware attacks: affiliates rely on phishing emails to deliver malicious payloads, exploit exposed RDP services, or leverage unpatched server flaws. All of these entry points allow the affiliates to gain remote access to the targeted network.

After this step, the actors will engage in activities such as reconnaissance and credential theft, which will allow them to move laterally across the network, establish persistence, escalate privileges, and launch the ransomware. In addition to this, commands are executed to remove backups and circumvent detection by firewalls and antivirus software.
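As an added, defender-side illustration of the "remove backups and circumvent detection" step (example code written for this page, not Cybereason's or any LockBit tooling), the script below scans constructed process-creation records for the command lines commonly used for those two actions and flags hosts where both were seen. The specific command patterns and the tab-separated record format are assumptions; the article does not name the exact commands the affiliates ran.

```python
import re

# Command-line patterns for the two actions named in the text: backup removal and
# blinding security tooling. Taken from commonly published detection rules (an
# assumption; the article does not list the exact commands affiliates ran).
PATTERNS = {
    "backup-removal": [
        r"vssadmin(\.exe)?\s+delete\s+shadows",
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
        r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
    ],
    "defense-evasion": [
        r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off",
        r"Set-MpPreference\s+.*-Disable\w+",
    ],
}
COMPILED = {c: [re.compile(p, re.IGNORECASE) for p in ps] for c, ps in PATTERNS.items()}

def scan(lines):
    """Return a list of (host, user, category, cmd) for each tab-separated
    'timestamp<TAB>host<TAB>user<TAB>cmd' record matching a pattern; skip malformed ones."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue
        _ts, host, user, cmd = parts
        for category, regexes in COMPILED.items():
            if any(r.search(cmd) for r in regexes):
                alerts.append((host, user, category, cmd))
                break  # one alert per record, first matching category wins
    return alerts

def hosts_with_both_stages(alerts):
    """Hosts where backup removal AND defense evasion were both seen: the pair is a
    far stronger ransomware-staging signal than either command on its own."""
    seen = {}
    for host, _user, category, _cmd in alerts:
        seen.setdefault(host, set()).add(category)
    return sorted(h for h, c in seen.items() if {"backup-removal", "defense-evasion"} <= c)

SAMPLE_LOG = [  # constructed sample records: timestamp, host, user, command line
    "2022-07-01T10:02:11Z\tFS01\tCORP\\svc_backup\twbadmin.exe start backup -backupTarget:E:",
    "2022-07-01T10:05:43Z\tWS17\tCORP\\jdoe\tvssadmin.exe delete shadows /all /quiet",
    "2022-07-01T10:05:50Z\tWS17\tCORP\\jdoe\tnetsh.exe advfirewall set allprofiles state off",
    "2022-07-01T10:06:02Z\tWS17\tCORP\\jdoe\tpowershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2022-07-01T10:07:15Z\tFS01\tCORP\\admin\tbcdedit.exe /set {default} recoveryenabled no",
]
```

Running `hosts_with_both_stages(scan(SAMPLE_LOG))` yields only WS17: the legitimate backup job on FS01 is not flagged, and FS01's lone bcdedit hit stays a single low-confidence alert rather than a staging signal.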



The RaaS scheme has received two significant updates in the three years since LockBit first appeared on the scene. The threat actors debuted LockBit 2.0 in June 2021, and they launched the third installment of the service, LockBit 3.0, last month with support for Zcash cryptocurrency payment options and a bug bounty program — the first of its kind for a ransomware group.



The initiative asserts that it will provide rewards of up to one million dollars for the discovery of security flaws in its website and locker software, the submission of brilliant ideas, the doxing of the head of the gang's affiliate program, or the identification of ways that could expose the Internet Protocol address of the server that is hosting the website on the TOR network.



The bug bounty program is yet another indication that hacker groups are increasingly functioning as legitimate information technology businesses. These hacker groups now have HR departments, regular feature releases, and even bonuses for successfully resolving difficult issues.



However, there is evidence to suggest that LockBit 3.0, which is also known as LockBit Black, was inspired by another ransomware family known as BlackMatter. BlackMatter was a rebranded version of DarkSide, which ceased operations in November 2021.



Fabian Wosar, a researcher at Emsisoft, stated in a tweet earlier this week that "large portions of the code are ripped straight from BlackMatter/Darkside," adding: "I guess it is pretty obvious that LockBit got their greasy hands on the code that belonged to another group."

