Lockbit 2.0: Ransomware at bargain prices
Ransomware is a type of malware which is often one of an organisation’s worst nightmares.
If malicious actors manage to run it on corporate servers, the files that are vital to company operations are encrypted and held hostage until a ransom, which can stretch into the millions, is paid in the hope that a decryption key will be released.
Paying, however, guarantees nothing. A recent survey found that around 80 percent of companies that paid criminals for decryption went on to face further cyber-attacks, most likely from the same threat actors, much as Ethelred the Unready found each of the many times he tried to pay off the Vikings.
Just like the Vikings, criminals can have a lot of gall and be frighteningly relentless in milking their victims for all they’re worth.
What makes this kind of attack worse is how common it has become. Between 2019 and 2020, ransomware attacks rose by 62 percent; in North America specifically, the rise was an astounding 152 percent.
Nor do these attacks affect only the company targeted. In July 2021, ransomware deployed by the Russian hacking group REvil in a supply-chain attack through Kaseya's remote-management software affected up to 1,500 businesses.
Much of this increase comes down to the fact that ransomware isn't just aimed at businesses, it is a business. It has become increasingly common for criminal organisations not only to develop ransomware for their own use but also to sell it on to other criminal enterprises that lack the resources to develop their own custom software.
This has ushered in the age of Ransomware-as-a-Service (RaaS) and there are certainly millions to be made. Crime is an enterprise and ransomware, a constantly developing technology, is one of its growth industries.
One notable variant recently released on the market, and currently being advertised by its RaaS developers on their data leak site, is LockBit 2.0, one of the most dangerous ransomware families currently being handed out on the dark web at a steal.
How does LockBit 2.0 get on corporate servers?
As the latest iteration of the LockBit ransomware, LockBit 2.0's primary objective is to encrypt entire Windows domains by abusing Active Directory group policies, then demand a ransom in cryptocurrency for the release of those critical assets. To do any of this, it first needs access to your devices and network.
LockBit 2.0 threat actors can gain access to a victim’s systems by:
- Exploiting CVE-2018-13379, an unpatched path-traversal vulnerability in the SSL VPN web portal of internet-facing Fortinet FortiOS and FortiProxy products.
- Buying access to exposed Remote Desktop Protocol (RDP) services on a victim's servers.
- Spear phishing, and credential stuffing using breached username and password pairs.
To further facilitate delivery of this malicious software onto corporate servers, LockBit developers have advertised millions of dollars for insiders with access who are willing to compromise networks.
If an attack succeeds, affiliates receive roughly 70 to 80 percent of the ransom payment, and the LockBit developers keep the remainder as commission. Possible collaboration between LockBit and two other RaaS groups, REvil and Babuk, has also been reported, although that investigation is still ongoing.
What does LockBit 2.0 do once on a system?
Once the ransomware executes on a domain controller, it creates new, malicious group policies that the domain controller then pushes to every domain-joined host. LockBit 2.0 has automated the whole sequence of disabling anti-malware and then distributing the ransomware across the network, giving affiliates an all-in-one approach that needs no additional tooling.
Running on the domain controller, LockBit 2.0:
- Creates group policies that disable real-time antivirus protection, alerting and sample submission on every machine that applies them.
- Uses the Windows Active Directory APIs to run LDAP queries against the domain controller and build a list of computers on the network it can target.
- Copies its executable to each of those machines and then schedules a forced group policy update across all of them, so the ransomware activates everywhere at once.
Previously, threat actors had to use third-party software to deploy scripts that disabled antivirus programs and then execute the ransomware on each device on the network. LockBit 2.0 has completely automated that process through group policy.
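Because the Defender-disabling settings are delivered as ordinary registry policy, they end up in the Registry.pol file of the malicious GPO under SYSVOL, where a defender can audit for them. The following Python script is an added example, not code from the article, the ACSC advisory or LockBit itself: it parses the Registry.pol format (a `PReg` signature, a version DWORD, then `[key;value;type;size;data]` entries encoded in UTF-16LE) and flags Defender policy values that switch off protection or telemetry. The watch list of value names, the `build_pol` helper used only to construct the sample file inline, and the sample entries themselves are illustrative assumptions; extend the watch list to match your own baseline.

```python
"""Audit a Group Policy Registry.pol file for settings that disable
Microsoft Defender, the kind of GPO a LockBit 2.0 affiliate pushes from
a compromised domain controller.  Added example, not part of the article.
"""
import struct

POL_SIGNATURE = b"PReg"
POL_VERSION = 1
REG_DWORD = 4

# Key path as stored in Registry.pol (no hive prefix).
DEFENDER_ROOT = r"SOFTWARE\Policies\Microsoft\Windows Defender"

# Assumed watch list: (sub-key under DEFENDER_ROOT, value name) -> value
# that disables protection or reporting.  Matching is case-insensitive.
SUSPICIOUS = {
    ("", "disableantispyware"): 1,
    ("real-time protection", "disablerealtimemonitoring"): 1,
    ("real-time protection", "disablebehaviormonitoring"): 1,
    ("real-time protection", "disableioavprotection"): 1,
    ("spynet", "spynetreporting"): 0,
    ("spynet", "submitsamplesconsent"): 2,
}


def _u16(s):
    return s.encode("utf-16-le")


def build_pol(entries):
    """Serialise (key, value, type, data_bytes) tuples into Registry.pol bytes.
    Only used here to construct the sample; real files come from SYSVOL."""
    out = bytearray(POL_SIGNATURE + struct.pack("<I", POL_VERSION))
    for key, value, rtype, data in entries:
        out += _u16("[")
        out += _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(value) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def _read_sz(blob, pos):
    """Read a NUL-terminated UTF-16LE string followed by a ';' separator."""
    end = pos
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(blob):
        raise ValueError(f"unterminated string at offset {pos}")
    text = blob[pos:end].decode("utf-16-le")
    pos = end + 2  # skip the NUL terminator
    if blob[pos:pos + 2] != _u16(";"):
        raise ValueError(f"expected ';' at offset {pos}")
    return text, pos + 2


def parse_pol(blob):
    """Return a list of (key, value, type, data) tuples from Registry.pol bytes."""
    if blob[:4] != POL_SIGNATURE:
        raise ValueError("not a Registry.pol file")
    pos, entries = 8, []  # 4-byte signature + 4-byte version
    while pos < len(blob):
        if blob[pos:pos + 2] != _u16("["):
            raise ValueError(f"expected '[' at offset {pos}")
        pos += 2
        key, pos = _read_sz(blob, pos)
        value, pos = _read_sz(blob, pos)
        (rtype,) = struct.unpack_from("<I", blob, pos)
        pos += 4 + 2  # DWORD plus ';'
        (size,) = struct.unpack_from("<I", blob, pos)
        pos += 4 + 2
        data = blob[pos:pos + size]
        pos += size
        if blob[pos:pos + 2] != _u16("]"):
            raise ValueError(f"expected ']' at offset {pos}")
        pos += 2
        entries.append((key, value, rtype, data))
    return entries


def find_defender_tampering(entries):
    """Return (key, value_name, dword) for entries that match the watch list."""
    hits, root = [], DEFENDER_ROOT.lower()
    for key, value, rtype, data in entries:
        if not key.lower().startswith(root) or rtype != REG_DWORD or len(data) != 4:
            continue
        sub = key[len(DEFENDER_ROOT):].lstrip("\\").lower()
        (dword,) = struct.unpack("<I", data)
        if SUSPICIOUS.get((sub, value.lower())) == dword:
            hits.append((key, value, dword))
    return hits


def audit_bytes(blob):
    return find_defender_tampering(parse_pol(blob))


def audit_file(path):
    """Audit one Registry.pol, e.g. \\\\dom\\SYSVOL\\dom\\Policies\\{GUID}\\Machine\\Registry.pol."""
    with open(path, "rb") as fh:
        return audit_bytes(fh.read())


# Constructed sample: three Defender-disabling values plus one benign setting.
SAMPLE = build_pol([
    (DEFENDER_ROOT, "DisableAntiSpyware", REG_DWORD, struct.pack("<I", 1)),
    (DEFENDER_ROOT + r"\Real-Time Protection", "DisableRealtimeMonitoring",
     REG_DWORD, struct.pack("<I", 1)),
    (DEFENDER_ROOT + r"\Spynet", "SubmitSamplesConsent", REG_DWORD, struct.pack("<I", 2)),
    (r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "AUOptions",
     REG_DWORD, struct.pack("<I", 4)),
])

if __name__ == "__main__":
    for key, name, dword in audit_bytes(SAMPLE):
        print(f"[!] {key}\\{name} = {dword}")
```

Run it over every `Machine\Registry.pol` under your domain's SYSVOL share on a schedule, and treat any hit outside a policy you recognise as an incident rather than a configuration drift: a GPO that turns off real-time monitoring domain-wide is exactly the precursor the article describes, and by the time the forced policy update lands it is usually too late.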
Aside from encrypting files to cause major disruption to business operations, LockBit 2.0 is also shipped with a purpose-built data-stealing tool named StealBit. LockBit threat actors are infamous for double extortion: they upload stolen, sensitive data to the LockBit site on the dark web and threaten to sell it or simply release it if the ransom isn't paid, as a further pressuring technique.
Who are the victims?
This iteration of the ransomware has recently been used against businesses worldwide. A number of Australian and Italian firms have been hit, although most remain unnamed at the moment. The ACSC has noted an especially sharp rise in the use of this variant against Australian businesses, with the majority of victims reported after July 2021.
The LockBit group has a history of targeting professional and commercial services along with the transportation sector. Over 20 percent of the victims in a list recently recovered from one of their leak sites were from the software and services sectors. Manufacturing, construction, retail and food companies have also been affected.
Recently, the Italian energy firm ERG SpA was hit by this variant, although it maintains that the impact was limited and that company operations were not notably affected. Another company recently revealed to have been affected is Accenture, a business consulting firm whose clients include three quarters of the Fortune Global 500; that intrusion is suspected to be the work of a recruited insider placing the ransomware on the company's systems directly.
Regardless, the ransomware gang has already added the Italian company, along with multiple others, to the list of victims published on its dark web leak site. The gang claims that leaking of the stolen, sensitive data will start on 14 August 2021 for companies that have not paid the ransom by then; Accenture was given an earlier deadline of 11 August 2021.
What are the ways to combat this variant?
The ACSC has provided the following recommendations to help mitigate the success of LockBit 2.0 at each stage:
- To prevent access via LockBit 2.0 exploiting public-facing applications, organisations need to check if they’re operating Fortinet devices and patch internet-facing Fortinet devices against CVE-2018-13379, a security vulnerability which is heavily exploited by LockBit to breach networks.
- To counter insiders recruited by LockBit 2.0's developers, and to limit the damage from stolen credentials, companies are advised to enable multi-factor authentication (MFA) for all accounts.
- To reduce the leverage LockBit 2.0 threat actors gain from harvesting and threatening to release sensitive data, companies should encrypt such data at rest. Note that encryption at rest does not by itself stop exfiltration; it only makes the stolen copies useless if the attacker cannot also obtain the keys, so keep key material behind separate access controls such as MFA, and consider restricting access to web-based storage services from corporate networks, which are a common exfiltration channel.
- To guard against lateral movement and privilege escalation in your system, it’s also advised to segment corporate networks and restrict admin privileges.
- To mitigate the ransomware’s impact on company operations, it’s important to maintain daily backups that are encrypted and offline in order to reduce a successful attack’s effectiveness in halting company operations.
Follow these steps and an organisation could significantly improve its cybersecurity posture in the face of these threats.