Lockbit Ransomware: Malicious Software is Fastest and Worries Experts


The LockBit ransomware is one of the most recent threats. It was seen in 2021 and returned in force in the first half of this year, haunting organizations around the world, especially in Brazil.

With speeds 86% faster than the average ransomware, this type of attack has already hit major companies in the technology sector, and it increasingly confirms that an organization of any size can become another victim.

In its recent version, LockBit 2.0 has a number of new features, including a potentially dangerous refinement that aims to encrypt entire Windows domains via group policies.

By causing business disruption, the LockBit attack can create serious damage for organizations. In one of the attacks recorded in Brazil, in August 2021, losses were calculated at more than R$ 200 million for the payment of ransom for files, in addition to new investments for loss control and security efforts, according to ISH Tecnologia monitoring.

So that your company is not next, below we tell you what you need to know to protect your systems and not become another victim of LockBit. Check it out!

What is LockBit ransomware?

LockBit is a cybercriminal gang that operates using a ransomware-as-a-service (RaaS) model - similar to DarkSide and REvil.

LockBit offers its ransomware platform for other entities or individuals to use based on an affiliate model.

Any ransom payments received for using LockBit are split between the client running the attack and the LockBit gang.

LockBit is believed to be related to the LockerGoga and MegaCortex malware families. It shares common tactics, techniques, and procedures (TTPs) with them, particularly the ability to propagate automatically to new targets, its use in targeted attacks rather than in spam campaigns or indiscriminate attacks on organizations, and the underlying tools it relies on, such as Windows PowerShell and Server Message Block (SMB).

When a single host is compromised, LockBit can scan the network to locate and infect other accessible devices. It uses tools and protocols native to Windows systems, making it more difficult for endpoint security tools to detect or identify the activity as malicious.

The malicious software is designed to encrypt data. The cybercriminals behind the infection demand payment (a ransom) for decryption tools or software. During the encryption process, LockBit renames files with the extension ".abcd". After this process, a text file named "Restore-My-Files.txt" is dropped in all affected folders.

All ransomware encrypts data and demands payment for decryption. The crucial differences between families are the cryptographic algorithm used (symmetric or asymmetric) and the size of the ransom. Ransoms generally range between three- and four-digit sums (in US dollars). Digital currencies (mainly cryptocurrencies) are preferred by cybercriminals because their transactions are difficult or impossible to trace.

The LockBit ransomware continues to adapt and evolve. Newer variants have adopted the double extortion model: locating and exfiltrating valuable data before encrypting systems.

The stolen data provides additional incentive for victims to pay the ransom. Even if they can restore data from backups, refusing to pay the ransom could result in sensitive data being released publicly or sold to competitors.

Learn how to protect yourself

There is no good option for an organization once a ransomware attack has compromised and encrypted its systems and data. This is especially true in the case of a double extortion attack.

Refusing to pay the ransom means going through the painful process of restoring data from backups and trying to regain control and functionality of your systems, while accepting that your data is likely to be exposed.

Paying the ransom may allow the victim to quickly resume operations and avoid having its data published or sold, but research shows that 80% of companies that pay a ransom end up being attacked again.

First, it is important to have effective protection in place to prevent ransomware attacks. Organizations need insight into the attack and the ability to visualize the entire malicious operation. Recognizing indicators of behavior enables the enterprise to detect and block ransomware attacks and protect against threats like LockBit.

To do this, they need to invest in an anti-ransomware solution that does not rely solely on Indicators of Compromise (IOCs), because not every ransomware attack chain is known to the security community. 

A multilayered platform that uses Indicators of Behavior (IOBs) is needed so that security teams can detect and shut down a ransomware attack chain, regardless of whether anyone has seen it before. As such, look for a solution that offers the following features:

  • Anti-ransomware prevention and fraud: the solution should use a combination of behavioral detections and proprietary fraud techniques that expose the most complex ransomware threats and shut down the attack before any critical data can be encrypted;

  • Artificial intelligence-based antivirus: it should also block known ransomware variants, leveraging an ever-increasing pool of threat intelligence based on previously detected attacks;

  • Next-Generation Antivirus: a next-generation solution (NGAV) is powered by machine learning and recognizes malicious components in the code to block unknown ransomware variants before execution;

  • Fileless ransomware protection: this enables the solution to stop fileless ransomware attacks that traditional antivirus tools miss;

  • Endpoint controls: Finally, the solution must protect endpoints from attacks by managing security policies, maintaining device controls, implementing personal firewalls, and applying full-disk encryption across a variety of device types.
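The difference between matching known names (IOCs) and recognizing behavior (IOBs), described above, can be shown on file-activity telemetry. The following is an added example, not code from the article or from any product: the event tuple format, process names, thresholds, and the second variant's extension and note name are constructed assumptions, while ".abcd" and "Restore-My-Files.txt" are the names the article gives.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Names the article gives for LockBit: renamed-file extension and ransom note.
IOC_EXT, IOC_NOTE = ".abcd", "restore-my-files.txt"

def make_events(proc, ext, note, dirs=4, files_per_dir=5):
    """Constructed telemetry: (seconds, process, action, path, new_path)."""
    events = []
    for d in range(dirs):
        folder = "C:\\Shares\\dept%d" % d
        for f in range(files_per_dir):
            src = "%s\\report%d.docx" % (folder, f)
            events.append((len(events) * 0.05, proc, "rename", src, src + ext))
        events.append((len(events) * 0.05, proc, "create", folder + "\\" + note, None))
    return events

def ioc_hits(events):
    """Processes whose file activity matches the known names only."""
    hits = set()
    for _, proc, _, path, new in events:
        p = PureWindowsPath(new or path)
        if p.suffix.lower() == IOC_EXT or p.name.lower() == IOC_NOTE:
            hits.add(proc)
    return hits

def iob_hits(events, window=10.0, min_renames=10, min_note_dirs=3):
    """Processes that append one extension to many files in a short burst and
    drop a same-named file into several folders (thresholds are assumptions)."""
    renames = defaultdict(list)                    # (proc, added ext) -> times
    notes = defaultdict(lambda: defaultdict(set))  # proc -> file name -> dirs
    for t, proc, action, path, new in events:
        if action == "rename" and new and new.lower().startswith(path.lower()):
            renames[(proc, new[len(path):].lower())].append(t)
        elif action == "create":
            p = PureWindowsPath(path)
            notes[proc][p.name.lower()].add(str(p.parent).lower())
    hits = set()
    for (proc, ext), times in renames.items():
        times.sort()
        # Any run of min_renames renames that fits inside the time window.
        burst = any(times[i + min_renames - 1] - times[i] <= window
                    for i in range(len(times) - min_renames + 1))
        spread = any(len(d) >= min_note_dirs for d in notes[proc].values())
        if ext and burst and spread:
            hits.add(proc)
    return hits
```

Run over events from `make_events("known.exe", ".abcd", "Restore-My-Files.txt")` plus a second call with a different extension and note name, `ioc_hits` reports only the first process while `iob_hits` reports both.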

In addition to technology, training people within the company is essential. Like other forms of ransomware, LockBit relies on people not recognizing threats when they arrive.

Ensuring that your teams receive regular and up-to-date training on the types of threats that can arise is a substantial defensive measure against LockBit ransomware.

LockBit is a malicious and pervasive threat, and organizations need to be aware of how it differs from other forms of ransomware. But the principles of cybersecurity best practices remain the same, including internal training and using a platform with the latest capabilities to stop the threat.

Did you enjoy learning more about LockBit ransomware?

Follow our Twitter page and stay on top of all the news published weekly by our cybersecurity intelligence team.

Also feel free to contact our team of experts to learn more about how to protect your organization's data.


