The Dangers of LockBit
Lockbit has entered the fray of ransomware to remain aware of. Unfortunately, there’s something maliciously personal about this form of malware too. Attackers create a direct line with their victims, forcing said victims to cooperate. It’s a humiliating, infuriating process, and every story about ransomware devastating company networks adds another layer of frustration.
It’s a shame we don’t get to deliver entries about huge ransomware networks getting busted. Instead, we’re providing another cautionary tale. This one is about a juvenile but growing ransomware threat – LockBit.
As an attacker, LockBit followed traditional patterns of its contemporaries by targeting networks. Afterward, it encrypted the network and demanded a ransom. The methods they used were also typical: a machine-gun approach at attempting login guesses until they landed on something usable. Unfortunately for one company, LockBit was successful.
However, here’s where LockBit broke off as its own brand of dangerous ransomware: Lockbot uses an automated approach. Traditionally, ransomware attackers infect a network and remain there for days to weeks in order to spread the malware and gain information. Once infected, though, LockBit is capable of self-spreading. It accomplishes this with a dual infection method, utilizing ARP tables to locate potential weak systems proceeded by exploiting server message block. Server message block allows the malware to connect to uninfected nodes by executing a PowerShell script, thus deploying its automated strategy.
How it reaches success
It’s effective because companies rely on these tools to accomplish business tasks. It’s also one of the primary reasons detecting these malware intrusions is so difficult. LockBit takes it a step further by disguising their PowerShell executable as a PNG image. Once downloaded, it would begin encrypting files immediately. To avoid persecution, the ransomware would also determine the IP address of the targeted system with an attacker-controlled server. If it came from a tree of IP addresses such as Russia, it would disconnect.
The company hit wit LockBit, unfortunately, had no backup. With no means to recover their data, they were forced to pay the demanded ransom on the malicious actor’s terms, which required a process of downloading a TOR browser and following a given link.
The ransomware continues to add additional capabilities, making it more dangerous to infected systems. The third-parties responsible for it have also adopted the strategy of downloaded critical financial data, customer info, and addresses, threatening to post the data online if the ransom isn’t paid.
LockBit is another entry in the malicious field of ransomware, a cautionary tale for any business. It’s a harrowing example of why backups are so critical, along with robust cybersecurity infrastructure. The affected company suffered primarily for two reasons: they had no backups in place, and they lacked strong passwords/two-factor authentication.
When dealing with modern threats, it’s important to have numerous security steps in place, along with layered networks and intricate backups. If you want additional cybersecurity assistance, you can contact Bytagig for more information.
