What is LockBit?
Formerly known as “ABCD” ransomware, LockBit is ransomware that demands financial payment in exchange for decrypting files. It primarily targets medium to large-scale enterprises and government organizations rather than individuals. The ransom amount is typically based on the size of the organization. The group was recently in the news for claiming to have hacked Mandiant, a cybersecurity firm that recently published a research paper on the ransomware group.
LockBit was first seen in September 2019, when it was known as the “.abcd virus”. It originally got this name from the file extension used when encrypting a victim’s files. Over the years, it has come to be known as LockBit, LockBit 2.0, and most recently, LockBit 3.0.
LockBit functions as ransomware-as-a-service (RaaS). Ransom payments are shared between their development team and the threat actors.
How does LockBit work?
LockBit is used in targeted attacks. Once on a network, it is self-spreading, using tools such as Windows PowerShell and Windows Server Message Block (SMB). Its most notable feature is the ability to spread without manual intervention. This differentiates it from other ransomware attacks, which require an extensive period of manual reconnaissance and surveillance.
After a single host has been infected manually, it is able to find other hosts and spread the infection using a script without human intervention.
In LockBit 2.0, the group developed a Linux-based malware that takes advantage of vulnerabilities within VMware ESXi virtual machines.
In June 2022, the LockBit group announced a second rebrand of its affiliate program, introducing it as LockBit 3.0. Following the discovery of critical bugs in LockBit 2.0 in March 2022, the new version introduces features such as an instant search tool on the leak site and acceptance of Zcash for payments in addition to Monero and Bitcoin. LockBit 3.0 (also referred to as “LockBit Black”) is now active in the wild, encrypting files on victim machines and appending the extension “HLJkNskOq” to them.
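As an added example (not part of the original article and not code from any vendor or from the group's tooling), the following Python code shows how a defender could spot the file-extension behaviour described above in file-rename telemetry. It goes beyond the two extensions named on this page by flagging any burst of files on one host that gain the same appended extension; the event tuple format, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions named on this page, lower-cased; matching is case-insensitive.
KNOWN_EXTENSIONS = {"abcd", "hljknskoq"}

def appended_extension(old_path, new_path):
    """Return the suffix added when new_path is old_path + '.ext', else None."""
    prefix = old_path + "."
    if new_path.startswith(prefix) and len(new_path) > len(prefix):
        ext = new_path[len(prefix):]
        if not any(sep in ext for sep in ".\\/"):
            return ext.lower()
    return None

def find_rename_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (host, extension) pairs with >= threshold appended-extension renames
    inside one sliding window. events: iterable of (iso_time, host, old, new)."""
    times = defaultdict(list)
    for ts, host, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            times[(host, ext)].append(datetime.fromisoformat(ts))
    alerts = []
    for (host, ext), stamps in sorted(times.items()):
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "extension": ext,
                               "total_renames": len(stamps),
                               "known": ext in KNOWN_EXTENSIONS})
                break
    return alerts

# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    ("2022-07-01T10:00:%02d" % i, "FS01", r"D:\share\doc%d.xlsx" % i,
     r"D:\share\doc%d.xlsx.HLJkNskOq" % i) for i in range(6)
] + [
    ("2022-07-01T10:05:00", "WS07", r"C:\tmp\a.txt", r"C:\tmp\a.txt.bak"),
    ("2022-07-01T11:00:00", "WS07", r"C:\tmp\b.txt", r"C:\tmp\b.txt.bak"),
]

if __name__ == "__main__":
    for alert in find_rename_bursts(SAMPLE_EVENTS):
        print(alert)
```

The `known` field separates matches on the extensions named here from bursts with an unfamiliar extension, which still warrant triage.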
How to defend against LockBit?
LockBit is a sophisticated form of ransomware that uses state-of-the-art techniques to perform its ransomware operations. Their victims range across various sizes and types of enterprises. Some cybersecurity best practices can create the first line of defense against these threat actors:
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on automatic software and patch update features on your computers, mobile devices, and other connected devices.
- Use an EDR, MDR, or XDR security software package on your network-connected devices.
- Educate employees not to open untrusted links and email attachments without verifying their authenticity.
- Conduct regular backups and keep those backups offline or in a separate network.
- Perform periodic restore exercises to guarantee the viability of your recovery plans.