What is LockBit Ransomware anyway?
While LockBit started out as a single prototype of ransomware, it has evolved multiple times since then, and the latest version is known as “LockBit 3.0,” which we’ll talk about a little later. LockBit encompasses a family of ransomware programs that operate using the Ransomware-as-a-Service (RaaS) model.
Ransomware-as-a-Service is a business model in which users pay for access to a particular type of ransomware so that they can use it for their own attacks. In this way, users become affiliate partners, and their payment may take the form of a flat fee or a subscription. In short, the creators of LockBit have found a way to profit further from its use through the RaaS model, and may even receive a portion of the ransom paid by the victims.
A number of other ransomware programs can be accessed via the RaaS model, including DarkSide and REvil. Along with them, LockBit is one of the most popular types of ransomware in use today. Since LockBit is a ransomware family, its use involves encrypting target files. Cybercriminals will infiltrate a victim’s device in one way or another, perhaps through a phishing email or malicious attachment, and then use LockBit to encrypt all files on the device, making them inaccessible to the user.
Once the victim’s files are locked, the attacker will demand a ransom in exchange for a decryption key. If the victim does not obey and pay the ransom, it is very likely that the attacker will sell the data on the dark web for profit. Depending on what the data is, this can cause irreparable damage to the privacy of an individual or organization, which can increase the pressure to pay the ransom.
Where does this very dangerous ransomware originate from?
The origin of LockBit Ransomware
It is not known exactly when LockBit was developed, but its acknowledged history goes back to 2019, when it was first found. This discovery came after the first wave of LockBit attacks, when the ransomware was initially named “ABCD” after the file extension given to encrypted files during the attacks. But when attackers started using the “.lockbit” file extension instead, the name of the ransomware changed to what it is today. LockBit’s popularity increased after the development of its second iteration, LockBit 2.0. In late 2021, affiliates increasingly used LockBit 2.0 for attacks, and after other ransomware groups were shut down, LockBit was able to exploit a gap in the market.
In fact, the increased use of LockBit 2.0 cemented its position as “the most influential and widespread ransomware variant we observed in all ransomware breaches during the first quarter of 2022,” according to the Palo Alto report. Additionally, Palo Alto noted in the same report that LockBit’s operators claim to have the fastest encryption software of any currently active ransomware.
LockBit ransomware has been spotted in multiple countries around the world, including China, the US, France, Ukraine, the UK, and India. A number of large organizations have also been targeted using LockBit, including Accenture, an Irish-American professional services company. Accenture suffered a data breach as a result of a LockBit attack in 2021, with the attackers demanding a whopping $50 million ransom and more than 6 TB of data encrypted. Accenture did not agree to pay this ransom, although the company claimed that no customers were affected by the attack.
LockBit 3.0 and the risks that come with it
As LockBit grows in popularity, each new iteration poses a serious problem. The latest version of LockBit, known as LockBit 3.0, has already become a problem, especially within Windows operating systems. In the summer of this year, LockBit 3.0 was used to upload malicious Cobalt Strike payloads to targeted devices via a Windows Defender exploit.
In this wave of attacks, a command-line executable known as MpCmdRun.exe was exploited so that Cobalt Strike beacons could bypass security detection. LockBit 3.0 was also used in a VMware command line exploit known as VMwareXferlogs.exe to re-install Cobalt Strike payloads. It is not known if these attacks will continue or if they will turn into something completely different. Obviously, LockBit ransomware is high risk, as is the case with many ransomware programs. But what can we do to protect ourselves?
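For defenders, the abuse of MpCmdRun.exe and VMwareXferlogs.exe described above can be hunted for in process-creation logs. The following is an added example, not part of the original article: it assumes the abuse shows up as one of these signed binaries running from outside its normal install directory, and the directory list, the log format and the sample records are all constructed for illustration.

```python
import ntpath

# Assumed default install locations (not from the article): the signed
# binaries are normally executed only from these directories.
EXPECTED_DIRS = {
    "mpcmdrun.exe": (
        r"c:\program files\windows defender",
        r"c:\programdata\microsoft\windows defender\platform",
    ),
    "vmwarexferlogs.exe": (r"c:\program files\vmware\vmware tools",),
}

def parse_event(line):
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def is_expected_location(image):
    """True if a watched binary runs from one of its expected directories."""
    image = ntpath.normpath(image).lower()
    folder = ntpath.dirname(image)
    expected = EXPECTED_DIRS[ntpath.basename(image)]
    return any(folder == d or folder.startswith(d + "\\") for d in expected)

def find_suspicious(lines):
    """Return the events where a watched binary runs from an unexpected path."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        name = ntpath.basename(event.get("image", "")).lower()
        if name in EXPECTED_DIRS and not is_expected_location(event["image"]):
            hits.append(event)
    return hits

# Constructed sample records, loosely modelled on Sysmon process-creation fields.
SAMPLE_LOG = r"""
host=ws01|user=SYSTEM|image=C:\Program Files\Windows Defender\MpCmdRun.exe|cmd=MpCmdRun.exe -SignatureUpdate
host=ws01|user=SYSTEM|image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1-0\MpCmdRun.exe|cmd=MpCmdRun.exe
host=ws07|user=jdoe|image=C:\Users\jdoe\AppData\Local\Temp\MpCmdRun.exe|cmd=MpCmdRun.exe
host=ws07|user=jdoe|image=C:\Windows\Help\VMwareXferlogs.exe|cmd=VMwareXferlogs.exe
host=ws09|user=SYSTEM|image=C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe|cmd=VMwareXferlogs.exe
""".strip().splitlines()

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(f"{e['host']}: {e['image']} run by {e['user']}")
```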
How to best protect yourself from LockBit Ransomware?
Since LockBit ransomware must first be present on your device to encrypt files, you need to stop it at the source, before it can reach and infect your computer. Although complete protection against ransomware is difficult to guarantee, there is much that you as a user can do to protect yourself from this threat as much as possible.
First of all, it is important that you never download files or software programs from websites that are not completely legitimate. Downloading any unverified file to your device can give a ransomware attacker easy access to your files. Make sure you only use trusted and well-reviewed sites for your downloads, or official app stores to install software. Another factor to note is that LockBit ransomware is often spread via Remote Desktop Protocol (RDP). If you don’t use this technology, you don’t have to worry about this. However, if you do, it’s important to protect your RDP network by using password protection and VPNs, and by deactivating the protocol when not in direct use.
Ransomware operators often scan the Internet for vulnerable RDP connections, so adding additional layers of protection will make your RDP network less vulnerable to attack. Ransomware can also be spread through phishing, an incredibly popular method of infection and data theft used by malicious actors. Phishing is most often done via email, where the attacker places a malicious link in the body of the email and tries to convince the potential victim to click on it. This link leads to a malicious website, which may allow a computer or multiple computer systems to be infected with malicious software.
Avoiding phishing can be done in a number of ways, including using anti-spam features, link-checking websites, and anti-virus software. You should also check the sender address of each new email and scan the emails for typos, as emails containing a malicious link or any malicious content are often full of spelling and grammar errors.
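For the RDP exposure described above, password guessing against an exposed host leaves a trail in the Windows Security log. The following is an added example, not part of the original article: it uses the standard event IDs 4625 (failed logon) and 4624 (successful logon), while the one-line log format, the threshold and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = "4625", "4624"   # Windows Security log: failed / successful logon
REMOTE_LOGON_TYPES = {"3", "10"}   # 3 = network (RDP with NLA), 10 = RemoteInteractive

def parse(line):
    """Parse 'timestamp event_id logon_type source_ip account' (constructed format)."""
    ts, event_id, logon_type, src, account = line.split()
    return datetime.fromisoformat(ts), event_id, logon_type, src, account

def rdp_guessing_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources with >= threshold failures in one window."""
    failures = defaultdict(list)
    findings = {}
    for ts, event_id, logon_type, src, account in sorted(map(parse, lines)):
        if logon_type not in REMOTE_LOGON_TYPES:
            continue  # local console logons are not RDP
        if event_id == FAILED:
            # Keep only failures still inside the sliding window, then add this one.
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold:
                finding = findings.setdefault(src, {"failures": 0, "success_after": None})
                finding["failures"] = max(finding["failures"], len(failures[src]))
        elif event_id == SUCCESS and src in findings:
            # A logon that succeeds after a burst of failures may be a guessed password.
            findings[src]["success_after"] = findings[src]["success_after"] or account
    return findings

# Constructed sample events (documentation-range IP addresses, made-up accounts).
SAMPLE_EVENTS = """
2022-09-01T02:10:00 4625 3 203.0.113.50 administrator
2022-09-01T02:10:40 4625 3 203.0.113.50 admin
2022-09-01T02:11:15 4625 3 203.0.113.50 admin
2022-09-01T02:12:05 4625 3 203.0.113.50 admin
2022-09-01T02:12:50 4625 3 203.0.113.50 admin
2022-09-01T02:13:30 4625 3 203.0.113.50 admin
2022-09-01T02:14:10 4624 10 203.0.113.50 admin
2022-09-01T08:55:00 4625 10 198.51.100.7 jdoe
2022-09-01T08:55:30 4624 10 198.51.100.7 jdoe
2022-09-01T09:00:00 4625 2 - jdoe
""".strip().splitlines()

if __name__ == "__main__":
    for src, finding in rdp_guessing_sources(SAMPLE_EVENTS).items():
        print(src, finding)
```

A source that appears here with a non-empty `success_after` is the case to escalate first, since the account named there may now be in the attacker's hands.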
LockBit is still a very dangerous threat
LockBit continues to evolve and target more and more victims. It is clear that this ransomware will unfortunately not disappear just like that. To protect yourself from LockBit and ransomware in general, consider the tips written above. While you may think you’ll never become a target, it’s always a good and smart idea to take precautions.