In recent weeks, the Ransomware-as-a-Service (RaaS) group LockBit has made headlines with its successful attacks. With their current malware LockBit 3.0 – also called LockBit Black – they've now achieved notoriety by topping the list of most dangerous ransomware threats. Security analyses reveal that LockBit is the most powerful extortion gang after the break-up of Conti. But that's not the only thing that makes the extortionists behind the malware so dangerous. The world's also witnessing increasing professionalisation among cyber criminals. For companies, this entails an increased security risk. Read here what the malware is all about and how companies can protect themselves.
The development of LockBit
In March 2022, critical errors were found in the ransomware version LockBit 2.0. The malware developers took this as an opportunity to update their encryption – adding extra functions to the malware. The aim of the new functions was to deceive security experts.
The RaaS group again attracted attention in June with the slogan "Make Ransomware Great Again". This development shows that the gang of extortionists is far more than an association of mere cybercriminals – it actually pursues a sophisticated business model. Besides advertising the updated ransomware version LockBit 3.0, the group also established a bug bounty program. The goal was to find bugs on the website and bugs in the encryption program on behalf of those responsible for the malware. This was accompanied by a general call to contribute ideas on improving the software or website. The search for bugs was thus outsourced for prize money – the developers hoping to optimise their malware.
But potential victims can also expect an "update" from LockBit. In other words, they've refined their leak website – similar to Conti. Victims have the option on the website to extend the time before the hijacked data is published by spending 10,000 US dollars. For just under 875,000 dollars, users can either download the published data for their "own use" or destroy the data.
Functions and procedure of LockBit 3.0 – similarities to other malicious programs
After examining the ransomware more closely, security researchers pointed out that parts of the code behind LockBit 3.0 bear great similarity to that of BlackMatter. This ransomware – originally named DarkSide – encrypted files with an extension consisting of a random string of characters. But traces of other malware can also be detected in the code of LockBit Black.
LockBit Black typically utilises several anti-analysis techniques – similar to BlackMatter. This averts static and dynamic analyses. These include code packing, dynamic resolution of function addresses, activity obfuscation, function trampolines and anti-debugging techniques.
The ransomware payloads are mostly loaded via third-party frameworks, for example, Cobalt Strike. Cobalt Strike is software devised to simulate industrial espionage in a company's network and thus test its security. Windows Defender has also been misused to inject malware into company systems. Here, attackers typically exploit a Log4j vulnerability in Windows and launch PowerShell. Once the hackers have gained sufficient rights, they attempt to download and execute payloads.
What's more, the hackers set up several mirror servers for their stolen data and published the URLs of these websites to improve the resilience of Operation Make Ransomware Great Again. The update from LockBit 2.0 to LockBit 3.0 created great demand, and numerous victims were named by other cybercriminals on the new version of the leak site.
This development reveals how RaaS providers have turned to a lucrative business model – to make a high profit from the service model.
But how can companies protect themselves against the current LockBit 3.0 threat?
Protection from LockBit 3.0
Aimed specifically at large companies to make the highest possible profit, attacks with the ransomware LockBit 3.0 are not sent out broadly like phishing spam, for instance. Once inside a company, the malware carries out the attack on its own, doing away with the need for manual intervention. Since the attackers use tools like Cobalt Strike or Microsoft PowerShell, the hit rate is increased. If a single server or host is infected, the ransomware spreads independently and finds other hosts that can be infected.
To have the greatest possible protection against this malicious attack, we recommend taking the following security measures:
- Passwords – but secure: Always use different and strong passwords for different applications.
- Updating the systems: To keep security gaps in the system especially low, make sure to apply all updates and patches to the systems.
- Improved security with multi-factor authentication (MFA): With the added layer of protection, your password-based login system can become even more secure. Biometric authentication delivers even more security.
- Reassess permissions: To prevent potential threats, pay attention to which endpoint users have access at which level, and to the IT accounts with administrator rights, and restrict that circle.
- Delete user accounts that are no longer in use: Accounts that are no longer used should also be regularly checked and closed.
- System-wide backups: If damage has occurred, it's extremely helpful if all your data is protected against loss by a backup. An unalterable copy of sensitive data should always be available offline.
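As an added example (not from the original post), this PowerShell snippet audits a single Windows host for two of the list items above: enabled local accounts that have not logged on recently, and the current membership of the local Administrators group. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or later); the 90-day threshold is an assumed value, not one from the article.

```powershell
# Added example, not part of the original post or any vendor tooling.
# Audits local accounts for the "reassess permissions" and "delete unused
# accounts" steps. Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module; 90 days is an assumed threshold.
param(
    [int]$StaleDays = 90
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# 1) Enabled accounts with no logon since the cutoff (or never logged on).
#    These are candidates for review and closure.
$stale = Get-LocalUser |
    Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet

# 2) Everyone currently holding local administrator rights.
#    Each entry is a candidate for the "restrict the circle" step.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

Write-Host "== Enabled accounts with no logon in the last $StaleDays days =="
$stale | Format-Table -AutoSize

Write-Host "== Members of the local Administrators group =="
$admins | Format-Table -AutoSize

# 3) Highest-priority findings: accounts that are both stale and privileged.
#    Member names come back as HOST\user, so compare on the part after the backslash.
$staleNames = $stale | ForEach-Object { $_.Name }
$staleAdmins = $admins | Where-Object { $staleNames -contains ($_.Name -split '\\')[-1] }
if ($staleAdmins) {
    Write-Warning "Stale accounts still holding administrator rights:"
    $staleAdmins | Format-Table -AutoSize
}
```

Run it with administrative rights on each host (or via remoting) and review the warning section first; domain accounts are not covered by Get-LocalUser and need the equivalent Active Directory checks.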
If a system's already infected and the data's gone, don't accept the cybercriminals' ransom demands. Ransom payments don't guarantee that you'll get all your encrypted data back or that data won't turn up on the dark web.
How it's done: closing security gaps
System access and data need to be secured to prevent companies from falling victim to ransomware or other cyberattacks. In many cases, though, this leaves a lot to be desired. Alarmingly, the Nevis Security-Barometer 2022 shows that almost 10 per cent of the IT managers surveyed do not take any measures for increased IT security. However, since malware such as LockBit 3.0 constantly evolves, security measures must be continuously adapted and improved.