The LockBit group is using native IT management software to live off the land, planting and then spreading itself before deploying its ransomware.

3 Min Read
Art on a wall depicting someone breaking open a lock
Source: Axel Jass

The LockBit ransomware group is taking advantage of remote monitoring and management (RMM) software to spread its foothold in targeted networks.

Three recent attacks described in a report published Sept. 18 by Canada-based eSentire follow a similar trajectory: a LockBit affiliate either took advantage of exposed RMM instances, or brought their own RMM to the party, living off the land (LotL) in order to cement its footing in victim networks. Two of these cases affected manufacturers, and one struck a managed service provider (MSP), enabling the group to further compromise some of its downstream customers.

"There's a general trend towards living off the land, where they're just avoiding malware. Period. Even for initial access," explains Keegan Keplinger, senior threat intelligence researcher with eSentire's Threat Response Unit. "They want to get valid credentials, and use those legitimate credentials to get in."

How LockBit Uses RMMs

In June, the Cybersecurity & Infrastructure Security Agency (CISA) published a cybersecurity advisory about LockBit, and for good reason. Arguably no cybercriminal outfit — in the ransomware-as-a-service game or otherwise — has been as prolific in 2023, with attacks seemingly targeting just about every possible sector, and every type of device, often yielding big money payouts.

The advisory details the group's favored tactics, techniques, and procedures (TTPs), including its penchant for taking advantage of RMMs.

In a February 2022 attack against a home decor manufacturer, for example, eSentire's threat researchers discovered a LockBit affiliate with admin access in an unprotected machine, attempting to establish persistence and spread to other computers via the RMM AnyDesk.

"Especially in the last year, threat actors have been pivoting to not using malware," Keplinger explains, referring to how hackers establish persistence, and spread between and inside of networks. "Malware is often detected by antivirus, and if not, advanced endpoint technology. So anytime you can use either software that's already in the environment, or software that could be conceivably legitimate, some people may not even recognize that as malicious right away."

LockBit was counting on this in a June attack against a storage materials manufacturer, which counted itself a customer of the RMM ConnectWise. In this case, the researchers speculated that the threat actor was not able to steal credentials necessary to log into the company's ConnectWise environment. So, instead, it installed its own, second instance of ConnectWise in the network.

"It's pretty brilliant, because they said: 'We already know ConnectWise is in this particular target organization. So, we'll bring our own and nobody will really notice there's another instance.'"

The Extent of the LockBit Threat

Organizations that enjoy the benefits of RMMs, without applying proper security controls to prevent their abuse, may expose not only themselves but also partners and customers, as LockBit's MSP breach this February demonstrates.

The MSP in question had left its ConnectWise login panel exposed to the open Internet. The justification, the researchers speculated, was to make it easier for its customers' IT administrators to access the service. But with brute force, or simply by purchasing them from the Dark Web, the attackers gained the necessary credentials to break through. Within five minutes of the intrusion, LockBit began dropping its ransomware binaries on multiple endpoints.

"They pretty much can go in unfettered when they get into those tools, and they get admin credentials," Keplinger laments. Indeed, before it was stopped, the group had used the RMM's remote access capabilities to reach customers in manufacturing, business services, hospitality, and transportation.

Companies can harden themselves against this kind of abuse by applying multi-factor authentication and strict access controls to these powerful tools. And, Keplinger adds, "endpoint monitoring is probably the biggest differentiator that's stopping and preventing these attacks."

"They're very successful," he warns of LockBit, for those not yet convinced. "Very pervasive, and very destructive."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights