Date: 18 August 2021

Title:  This ransomware has returned with new techniques to make attacks more effective


Source: ZDNet

Danny Palmer

LockBit ransomware has been around since 2019, but those behind it are adding new features and aggressively advertising to attract new cyber-criminal affiliates. Cybersecurity researchers at Trend Micro have detailed an increase in LockBit ransomware campaigns since the start of July. This ransomware-as-a-service first appeared in September 2019 and has been relatively successful, but it has seen a surge in activity this summer. In advertisements on underground forums, LockBit's authors claim that LockBit 2.0 is one of the fastest file-encrypting ransomware variants on the market today, and those claims have proven attractive to cybercriminals seeking to make money from ransomware.

The attackers often gain entry to networks using compromised Remote Desktop Protocol (RDP) or VPN accounts whose credentials have been leaked or stolen; alternatively, LockBit affiliates sometimes attempt to recruit insiders who can provide access through legitimate login credentials.

LockBit has also gained success by following in the footsteps of prominent ransomware groups and adopting specific tactics, techniques, and procedures (TTPs) during attacks. For example, LockBit now uses Ryuk's Wake-on-LAN feature, sending packets to wake offline devices so the attackers can move laterally around the network and compromise as many machines as possible. LockBit also uses a tool previously deployed by Egregor ransomware that sends ransom notes to every printer on the network. Like many of the most disruptive ransomware variants, LockBit also adds a double-extortion element to attacks, stealing data from the victim and threatening to leak it if the ransom isn't paid within a set period.
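The Wake-on-LAN behaviour described above has a recognisable footprint on the wire: a "magic packet" is a UDP datagram (usually to port 9 or 7, typically broadcast) whose payload is six 0xFF bytes followed by the target MAC address repeated 16 times. A legitimate admin wakes one or two machines; a host that wakes many distinct MACs in a short window is worth an alert. The following detector is an added example written for this page, not code from ZDNet, Trend Micro or any LockBit sample; the record format, the hosts, MAC addresses, threshold and time window are all constructed assumptions.

```python
"""
Detect bursts of Wake-on-LAN (WoL) magic packets from a single source host.

A magic packet payload = 6 x 0xFF (sync stream) + target MAC repeated 16 times,
optionally followed by a 4- or 6-byte password (ignored here).
The packet records below are constructed samples, not captured traffic.
"""
from collections import defaultdict

WOL_PORTS = {7, 9}           # assumption: the UDP ports your sensor sees WoL on
SYNC_STREAM = b"\xff" * 6
MAGIC_BODY_LEN = 6 + 16 * 6  # sync stream + 16 MAC copies


def is_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a valid
    WoL magic packet, otherwise None."""
    if len(payload) < MAGIC_BODY_LEN or payload[:6] != SYNC_STREAM:
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_BODY_LEN] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def find_wol_bursts(records, threshold=5, window_s=60):
    """records: iterable of dicts with keys ts (seconds), src, dst, dport, payload.
    Returns {src: sorted MACs} for every source that sent magic packets to at
    least `threshold` distinct MACs within any `window_s`-second span."""
    per_src = defaultdict(list)  # src -> [(ts, mac), ...]
    for r in records:
        if r["dport"] not in WOL_PORTS:
            continue
        mac = is_magic_packet(r["payload"])
        if mac:
            per_src[r["src"]].append((r["ts"], mac))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        # Sliding window anchored at each event; stop at the first window that trips.
        for i, (t0, _) in enumerate(events):
            macs = {m for t, m in events[i:] if t - t0 <= window_s}
            if len(macs) >= threshold:
                alerts[src] = sorted(macs)
                break
    return alerts


def sample_payload(mac: bytes) -> bytes:
    # Constructed sample in magic-packet layout, used only to build test records.
    return SYNC_STREAM + mac * 16


# Constructed sample records (hypothetical hosts and MACs).
SAMPLE_RECORDS = [
    # Burst: one workstation wakes eight different machines within 20 seconds.
    *[
        {"ts": 1000.0 + 2.5 * i, "src": "10.0.0.25", "dst": "10.0.0.255", "dport": 9,
         "payload": sample_payload(bytes([0x00, 0x1a, 0x2b, 0x3c, 0x4d, i]))}
        for i in range(8)
    ],
    # Benign: an admin host waking a single machine.
    {"ts": 1005.0, "src": "10.0.0.2", "dst": "10.0.0.255", "dport": 9,
     "payload": sample_payload(bytes([0x00, 0x1a, 0x2b, 0x3c, 0x4d, 0xaa]))},
    # Noise: sync stream present but the body is not a repeated MAC.
    {"ts": 1006.0, "src": "10.0.0.7", "dst": "10.0.0.255", "dport": 9,
     "payload": SYNC_STREAM + bytes(range(96))},
    # Noise: payload too short to be a magic packet.
    {"ts": 1007.0, "src": "10.0.0.8", "dst": "10.0.0.255", "dport": 7,
     "payload": SYNC_STREAM + b"\x00\x11\x22\x33\x44\x55" * 3},
]

if __name__ == "__main__":
    for src, macs in find_wol_bursts(SAMPLE_RECORDS).items():
        print(f"ALERT {src} sent magic packets to {len(macs)} hosts: {', '.join(macs)}")
```

In practice the records would come from a NetFlow/packet-capture export or a firewall log that retains UDP payloads; the threshold should be tuned against the normal volume of WoL generated by your own patch-management or desktop-management tooling, which is the main source of benign bursts.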

It’s expected that LockBit ransomware attacks will continue to be a cybersecurity threat for some time, particularly given that the group is actively advertising for additional affiliates. But while ransomware groups are aggressively persistent, there are actions that information security teams can take to help protect networks from attack.

This includes applying the latest security patches and updates to operating systems and software, so cybercriminals can’t exploit known vulnerabilities to help launch attacks. Organizations should also apply multi-factor authentication across the network, making it harder for cybercriminals to use stolen credentials to help facilitate attacks.

What to do?

Ensure your antivirus and anti-malware software is up to date and operational.

Ensure your firewalls are up to date and operational.

Employ multi-factor authentication across the network.

Perform routine backups with copies maintained in a safe, "air-gapped" location.

Train employees to recognize phishing and related social-engineering techniques.

What can you do when this happens to you?

If you are the target of a ransomware attack, immediately shut the network down.

Identify the source of the attack and the files that were compromised.

Notify your local law enforcement cybersecurity unit and the FBI.

Check whether decryption keys for the ransomware variant have been published.

Rebuild the network from a known “Clean Backup.”