LockBit ransomware is malicious software designed to block user access to computer systems in exchange for a ransom payment. LockBit will automatically vet for valuable targets, spread the infection, and encrypt all accessible computer systems on a network. This ransomware is used for highly targeted attacks against enterprises and other organizations. As a self-piloted cyberattack, LockBit attackers have made a mark by threatening organizations globally with some of the following threats:
LockBit is a new ransomware attack in a long line of extortion cyberattacks. Formerly known as “ABCD” ransomware, it has since grown into a unique threat within the scope of these extortion tools. LockBit is a subclass of ransomware known as a ‘crypto virus’ due to forming its ransom requests around financial payment in exchange for decryption. It focuses mostly on enterprises and government organizations rather than individuals.
Attacks using LockBit originally began in September 2019, when it was dubbed the “.abcd virus.” The moniker was in reference to the file extension name used when encrypting a victim’s files. Notable past targets include organizations in the United States, China, India, Indonesia, Ukraine. Additionally, various countries throughout Europe (France, UK, Germany) have seen attacks.
Viable targets are ones that will feel hindered enough by the disruption to pay a heavy sum — and have the funds to do so. As such, this can result in sprawling attacks against large enterprises from healthcare to financial institutions. In its automated vetting process, it seems to also intentionally avoid attacking systems local to Russia or any other countries within the Commonwealth of Independent States. Presumably, this is to avoid prosecution in those areas.
LockBit functions as ransomware-as-a-service (RaaS). Willing parties put a deposit down for the use of custom for-hire attacks, and profit under an affiliate framework. Ransom payments are divided between the LockBit developer team and the attacking affiliates, who receive up to ¾ of the ransom funds.
LockBit ransomware is considered by many authorities to be part of the “LockerGoga & MegaCortex” malware family. This simply means that it shares behaviors with these established forms of targeted ransomware. As a quick explanation, we understand that these attacks are:
Most significant is its ability to self-propagate, meaning it spreads on its own. In its programming, LockBit is directed by pre-designed automated processes. This makes it unique from many other ransomware attacks that are driven by manually living in the network — sometimes for weeks — to complete recon and surveillance.
After the attacker has manually infected a single host, it can find other accessible hosts, connect them to infected ones, and share the infection using a script. This is completed and repeated entirely without human intervention.
Furthermore, it uses tools in patterns that are native to nearly all Windows computer systems. Endpoint security systems have a hard time flagging malicious activity. It also hides the executable encrypting file by disguising it as the common .PNG image file format, further deceiving system defenses.
LockBit attacks can be understood in roughly three stages:
Stage 1: Exploit weaknesses in a network. The initial breach looks much like other malicious attacks. An organization may be exploited by social engineering tactics like phishing, in which attackers impersonate trusted personnel or authorities to request access credentials. Equally viable is the use of brute force attacks on an organization’s intranet servers and network systems. Without proper network configuration, attack probes may only take a few days to complete.
Once LockBit has made it into a network, the ransomware prepares the system to release its encrypting payload across every device it can. However, an attacker may have to ensure a few additional steps are completed before they can make their final move.
Stage 2: Infiltrate deeper to complete attack setup if needed. From this point forward, the LockBit program directs all activity independently. It is programmed to use what are known as “post-exploitation” tools to get escalate privileges to achieve an attack-ready level of access. It also roots through access already available via lateral movement to vet for target viability.
It is at this stage that LockBit will take any preparative actions before deploying the encryption portion of the ransomware. This includes disabling security programs and any other infrastructure that could permit system recovery.
The goal of infiltration is to make unassisted recovery impossible, or slow enough that succumbing to the attacker’s ransom is the only practical solution. When the victim is desperate to get operations back to normal, this is when they will pay the ransom fee.
Stage 3: Deploy the encryption payload. Once the network has been prepared for LockBit to be fully mobilized, the ransomware will begin its propagation across any machine it can touch. As stated previously, LockBit doesn’t need much to complete this stage. A single system unit with high access can issue commands to other network units to download LockBit and run it.
The encryption portion will place a “lock” on all the system files. Victims can only unlock their systems via a custom key created by LockBit’s proprietary decryption tool. The process also leaves copies of a simple ransom note text file in every system folder. It provides the victim with instructions to restore their system and has even included threatening blackmail in some LockBit versions.
With all the stages completed, the next steps are left up to the victim. They may decide to contact LockBit’s support desk and pay the ransom. However, following their demands is not advised. Victims have no guarantee that the attackers will follow through on their end of the bargain.
As the latest ransomware attack, the LockBit threat can be a significant concern. We cannot rule out the possibility that it can take hold across many industries and organizations, especially with a recent increase in remote working. Spotting LockBit’s variants can help with identifying exactly what you’re dealing with.
LockBit’s original version renames files with the “.abcd” extension name. Additionally, it includes a ransom note with demands and instructions for alleged restorations in the “Restore-My-Files.txt” file, which has been inserted into every folder.
The second known version of this ransomware adopted the “.LockBit” file extension, giving it the current moniker. However, victims will find that other traits of this version appear mostly identical despite some backend revisions.
The next identifiable version of LockBit no longer requires downloading the Tor browser in its ransom instructions. Instead, it sends victims to an alternate website via traditional internet access.
Recently, LockBit has been enhanced with more nefarious features such as negating administrative permission checkpoints. LockBit now disables the safety prompts that users may see when an application attempts to run as an administrator.
Also, the malware now is set up to steal copies of server data and includes additional lines of blackmail included in the ransom note. In case the victim does not follow instructions, LockBit now threatens the public release of the victim’s private data.
With all the trouble that LockBit can cause, endpoint devices need thorough protection standards across your entire organization. This first step is to have a comprehensive endpoint security solution, such as Kaspersky Integrated Endpoint Security.
If your organization is already infected, the removal of LockBit ransomware alone doesn’t give you access to your files. You will still require a tool to restore your system, as encryption requires a “key” to unlock. Alternatively, you may be able to restore your systems by reimaging them if you’ve got pre-infection backup images already created.
Ultimately, you’ll have to set up protective measures to ensure your organization is resilient against any ransomware or malicious attacks from the offset. Here are a few practices that can help you prepare: