LockBit version 2.0 detected in Italy, Chile, Taiwan, and the UK

In June of this year, LockBit resurfaced with a new version. This new version, LockBit 2.0, was discovered in attempted attacks in Italy, Chile, Taiwan, and the UK. Researchers at Trend Micro Analysis suggest the LockBit ransomware-as-a-service (RaaS) group has increased its targeted attacks using the 2.0 version of its malware. Earlier this week the researchers released a report suggesting an increase in LockBit ransomware campaigns over the summer. The report indicates the newer version of LockBit ransomware incorporates double extortion features influenced by other ransomware, such as Egregor and Ryuk.

Last week, Accenture confirmed being hit by a ransomware cyberattack from LockBit. This recent version of LockBit was responsible for the attack that threatened to leak files stolen from the IT giant. This LockBit ransomware group has claimed to have stolen 6TB of data and demanded a $50 million ransom for its return.

Since it first appeared in 2019, LockBit has been relatively successful in its malware campaigns. The researchers claim the 2.0 version is advanced and probably one of the fastest file-encrypting ransomware types available today. In contrast to its predecessor, this version automatically encrypts devices across the entire Windows domain by compromising Active Directory group policies. This technique is the basis for the group's boast that its ransomware is one of the fastest variants in circulation. The researchers also suggest that the attack included an attempt to gain access to internal security tools within the targeted companies.

LockBit 2.0 attacks were detected from July 1 to August 15 in Italy, Chile, Taiwan, and the UK. The analysis conducted by Trend Micro shows that this version not only uses a multithreaded approach to encryption but also only partially encrypts files. To access the targeted organization's network, the ransomware group breaks in using remote desktop protocol (RDP) account credentials. When successful, LockBit 2.0 scans the network to find the domain controller. It also uses multiple batch files for different purposes, including terminating security tools and processes, clearing Windows Event logs, enabling RDP connections, and making MySQL, QuickBooks, and Microsoft Exchange unavailable. The report also notes that once the attackers reach the domain controller, the ransomware creates new group policies and applies them to all devices in the domain.
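The behaviours listed above (event logs cleared, RDP enabled, a new group policy created on a domain controller) are individually noisy but together form a usable detection. The following is an added illustration, not part of the original article or Trend Micro's report: it correlates constructed Windows event records by host within a time window. The event IDs used (1102 audit log cleared, 4657 registry value modified, 5137 directory service object created) are standard Windows IDs; the simplified record layout and the sample values are assumptions.

```python
"""Toy correlation of Windows events for the LockBit 2.0 behaviours described
above: event-log clearing, RDP enabled via the registry, and a new GPO object
created in Active Directory. Records are constructed and simplified."""
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"time": "2021-08-10T02:14:05", "host": "DC01", "EventID": 1102,
     "detail": "The audit log was cleared"},
    {"time": "2021-08-10T02:15:30", "host": "DC01", "EventID": 4657,
     "detail": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections -> 0"},
    {"time": "2021-08-10T02:16:12", "host": "DC01", "EventID": 5137,
     "detail": "objectClass=groupPolicyContainer CN={NEW-GPO-GUID-PLACEHOLDER}"},
    {"time": "2021-08-09T09:00:00", "host": "WS17", "EventID": 4624,
     "detail": "An account was successfully logged on"},
]

def classify(ev):
    """Map one event to a behaviour label, or None if it is not of interest."""
    eid, detail = ev["EventID"], ev["detail"]
    if eid == 1102:                                   # Security log cleared
        return "log_cleared"
    if eid == 4657 and "fDenyTSConnections" in detail and detail.rstrip().endswith("0"):
        return "rdp_enabled"                          # value 0 allows RDP connections
    if eid == 5137 and "groupPolicyContainer" in detail:
        return "gpo_created"                          # new GPO object in AD
    return None

def correlate(events, window_minutes=30):
    """Return {host: sorted labels} for hosts showing >= 2 distinct behaviours
    within window_minutes of each other."""
    by_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            by_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["time"]), label))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            window = timedelta(minutes=window_minutes)
            labels = {lbl for t, lbl in hits[i:] if t - t0 <= window}
            if len(labels) >= 2:
                alerts[host] = sorted(labels)
                break
    return alerts
```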

LockBit is a notorious ransomware group, and cybersecurity experts believe it will continue its malicious campaigns for years to come. Given its persistence and advanced intrusion methods, there are practices organizations can follow to limit the impact of these attacks. Regular patching and updating are crucial, together with timely vulnerability assessments. Audit all assets and data, and identify all authorized and unauthorized software, devices, and employees accessing any systems. Perform security assessments and ensure regular training for all personnel. Companies should also apply multi-factor authentication across network access points and devices, so that cybercriminals cannot easily use compromised credentials to aid in these attacks.

For more news and updates, visit https://blog.excellimatrix.com/
