The operators of LockBit, a ransomware-as-a-service outfit that first surfaced in 2019, have re-emerged with a vengeance, touting an improved version of their malware as well as an aggressive new campaign to recruit affiliates from the Dark Web and — ominously — from within target organizations themselves.
In recent days, several security vendors have reported observing a sharp increase in threat activity involving LockBit by groups likely looking to cash in on the opportunity created by the exit of major ransomware operators such as REvil and DarkSide over the past few months. One of the most notable incidents was last week's attack on consulting giant Accenture that reportedly resulted in the theft of several terabytes worth of data and a subsequent ransom demand of $50 million.
In a report this week, Trend Micro says that between July 1 and Aug. 15, its researchers observed attack attempts involving LockBit that targeted organizations in the UK, Italy, Taiwan, and Chile. The attacks featured a new version of the ransomware, LockBit 2.0, which, among other things, is capable of automatically encrypting devices across Windows domains using Active Directory (AD) group policies. The tactic has made LockBit one of the fastest ransomware strains on the market.
According to Trend Micro's analysis of LockBit 2.0, the malware uses a multithreaded approach to encrypt files on impacted systems. But it also encrypts only 4 kilobytes of data per file. As a ransomware-as-a-service provider, LockBit 2.0 operators have been providing threat actors — or affiliates — using its malware with a tool called StealBit, which they can use to automatically exfiltrate data. Like many other ransomware strains, LockBit is designed to look for and terminate security tools, services, and processes that might interfere with its ability to carry out its encryption mission, Trend Micro says.
"The LockBit gang continues to update their TTPs in order to have successful attack campaigns," says Jon Clay, vice president of threat intelligence at Trend Micro.
While it's possible that the group may have ramped up activity recently in response to the exit of some groups, it's equally likely they were simply ready to start again. In addition to operating on its own, the group has been recruiting affiliates who have expertise targeting specific organizations, Clay says.
Doel Santos, threat intelligence analyst at Palo Alto Networks Unit 42 threat research group, says the group behind LockBit 2.0 has been claiming the malware can encrypt 100 gigabytes of data in just 4 minutes and 28 seconds. That is less than half the time it takes for other widely distributed ransomware strains, such as Conti, REvil, and Ryuk, to achieve the same result, Santos says.
Since the group re-emerged in June with LockBit 2.0, the malware has been used in attacks against organizations in numerous countries, including the US, UK, Argentina, Australia, Austria, Malaysia, Germany, and Italy, he adds. As has become common these days, many recent LockBit attacks have involved dual extortion attempts, where the attackers have stolen sensitive data and used the threat of publicly releasing the data to try and extract money from victims. Santos says LockBit's leak site currently lists 52 victims, which isn't too far behind ransomware leader Cl0p's current count.
LockBit operators have launched a marketing campaign touting the ransomware's speed and offering potentially lucrative returns for individuals at targeted organizations who are willing to help the group in its mission to extort money.
"LockBit installs wallpaper on compromised PCs with a tantalizing offer: millions of dollars in exchange for a cut on any ransomware payments in exchange for providing access to a machine," Santos says. "This is definitely a bold approach. LockBit is the first group I’ve observed pursuing this strategy. It will be interesting to see if others follow suit."
A report that Switzerland-based threat intelligence firm Prodaft published in June based on its investigation of attacks involving LockBit described ransomware operators as using multiple methods to find new targets. These methods include mass vulnerability scanning, credential stuffing, and phishing attacks. The most common tactic, though, is to purchase RDP credentials and other ways to access previously compromised servers from underground forums.
"Such credentials can be purchased for as low as $5, thus making it very lucrative for affiliates considering the demanded ransom amount," the report states.
LockBit was known as ABCD ransomware when it first started activities in September 2019, Santos says. "The name came from the extension that it used to encrypt files," he says. "With time, like other ransomware, it rebranded into [the] LockBit that we know today."
Symantec, another security vendor that has reported a recent surge in LockBit activity, has suggested the increase may have to do with affiliate groups switching to the malware with the exit of the REvil, aka Sodinokibi, ransomware operators. The security vendor says its researchers have seen evidence showing that at least one gang that used REvil/Sodinokibi has switched to LockBit.
Threat actors using LockBit have adopted a variety of tactics and techniques for deploying the malware. They include the use of tools for disabling Windows Defender, scanning infected networks, and stealing credentials from infected systems; for lateral movement; and for retrieving information about services running on a system.
"The numerous password-dumping tools used by these attackers indicates that harvesting credentials is a key part of their attack chain," Symantec said.