Everything You Need to Know About the LockBit Ransomware Family
If you keep up-to-date on cybersecurity threats, you’re probably aware of how dangerously popular ransomware has become. This kind of malware is a huge threat to individuals and organizations alike, with certain strains now becoming a top choice for malicious actors, including LockBit.
So, what is LockBit, where did it come from, and how can you protect yourself from it?
What Is LockBit Ransomware?
While LockBit began as a single strain of ransomware, it has since evolved multiple times, with the latest version being known as “LockBit 3.0” (which we’ll discuss a little later). LockBit spans a family of ransomware programs, which operate using the Ransomware-as-a-Service (RaaS) model.
Ransomware-as-a-Service is a business model that involves users paying for access to a given kind of ransomware so that they can use it for their own attacks. Through this, the users become affiliates, and their payment can involve a flat fee or a subscription-based service. In short, LockBit’s creators have found a way to further profit from its use by employing this RaaS model, and can even receive a cut of the ransom paid out by victims.
A number of other ransomware programs can be accessed through the RaaS model, including DarkSide and REvil. Alongside these, LockBit is one of the most popular ransomware types used today.
Given that LockBit is a ransomware family, its use involves the encryption of a target’s files. Cybercriminals will infiltrate a victim’s device in one way or another, perhaps through a phishing email or malicious attachment, and will then use LockBit to encrypt all the files on the device so that they are inaccessible to the user.
Once the victim’s files have been encrypted, the attacker will then demand a ransom in return for the decryption key. If the victim does not comply and pay the ransom, it is likely that the attacker will then sell the data on the dark web for profit. Depending on what the data is, this can cause irreversible damage to an individual or organization’s privacy, which can add to the pressure of paying the ransom.
But where did this highly dangerous ransomware come from?
The Origins of LockBit Ransomware
It is not known exactly when LockBit was developed, but its recognized history stretches back to 2019, when it was first found. This discovery came after LockBit’s first wave of attacks, when the ransomware was initially dubbed “ABCD” after the file extension it appended to the files it encrypted. When the attackers switched to the “.lockbit” extension instead, the ransomware’s name changed to what it is today.
LockBit’s popularity surged after the development of its second iteration, LockBit 2.0. In late 2021, LockBit 2.0 was increasingly used by affiliates for attacks, and, upon the shutdown of other ransomware gangs, LockBit was able to take advantage of the gap in the market.
In fact, the increased use of LockBit 2.0 solidified its position as “the most impactful and widely deployed ransomware variant we have observed in all ransomware breaches during the first quarter of 2022”, according to a Palo Alto report. On top of this, Palo Alto stated in the same report that LockBit’s operators claim to have the fastest encryption software of any currently active ransomware.
LockBit ransomware has been spotted in multiple nations throughout the world, including China, the US, France, Ukraine, the UK, and India. A number of big organizations have also been targeted using LockBit, including Accenture, an Irish-American professional services company.
Accenture suffered a data breach as a result of LockBit’s use in 2021: over 6TB of data was encrypted and the attackers demanded a mammoth $50 million ransom. Accenture did not agree to pay this ransom, and the company claimed that no customers had been affected by the attack.
LockBit 3.0 and Its Risks
As LockBit’s popularity increases, each new iteration is a serious concern. The latest version of LockBit, known as LockBit 3.0, has already become a problem, specifically within Windows operating systems.
In Summer 2022, LockBit 3.0 operators loaded harmful Cobalt Strike payloads onto targeted devices by abusing a Windows Defender command-line utility. In this wave of attacks, the executable MpCmdRun.exe was misused so that the Cobalt Strike beacons could bypass security detection.
LockBit 3.0 has also been used to abuse a VMware command-line utility, VMwareXferlogs.exe, to once again deploy Cobalt Strike payloads. It is not known whether these attacks will continue, or evolve into something else entirely.
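Both attacks described above rely on a legitimate, signed utility being run from, or loading a module from, a location its vendor never installed it in. As an added defender-side example (not code from the original article), the following Python scans Sysmon-style JSON events for exactly that pattern; the expected install directories, the event shape and the sample events are all assumptions made for the example.

```python
import json

# Assumed legitimate install directories for the two binaries the article
# names (example assumption, not from the article; adjust per environment).
EXPECTED_DIRS = {
    "mpcmdrun.exe": (
        "c:\\program files\\windows defender\\",
        "c:\\programdata\\microsoft\\windows defender\\platform\\",
    ),
    "vmwarexferlogs.exe": ("c:\\program files\\vmware\\vmware tools\\",),
}
# OS directories from which any process legitimately loads modules.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def _under(path, dirs):
    return any(path.lower().startswith(d) for d in dirs)

def classify(event):
    """Return a reason string if the event looks like abuse of a watched binary, else None."""
    name = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if name not in EXPECTED_DIRS:
        return None
    if not _under(event["Image"], EXPECTED_DIRS[name]):
        return f"{name} launched from unexpected location {event['Image']}"
    # Sysmon-style event 7 (image load): the genuine binary can still be made
    # to load a module from elsewhere, so check where its modules come from.
    loaded = event.get("ImageLoaded", "")
    if event.get("EventID") == 7 and loaded and not _under(
        loaded, EXPECTED_DIRS[name] + SYSTEM_DIRS
    ):
        return f"{name} loaded {loaded} from outside its install directory"
    return None

def find_lolbin_abuse(log_lines):
    """Run classify() over JSON log lines and return one reason per hit."""
    reasons = (classify(json.loads(line)) for line in log_lines)
    return [r for r in reasons if r]

# Constructed sample events in a Sysmon-like JSON shape (not real telemetry).
SAMPLE_LOG = [
    r'{"EventID": 1, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"}',
    r'{"EventID": 1, "Image": "C:\\Users\\Public\\MpCmdRun.exe"}',
    r'{"EventID": 7, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "ImageLoaded": "C:\\Users\\Public\\loader.dll"}',
    r'{"EventID": 7, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}',
    r'{"EventID": 1, "Image": "C:\\Temp\\VMwareXferlogs.exe"}',
]
```

Running `find_lolbin_abuse(SAMPLE_LOG)` flags three of the five constructed events; the genuine binary loading a System32 module is deliberately left alone so the rule does not fire on normal Defender activity.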
It is evident that LockBit ransomware is a high risk, as is the case for many ransomware programs. So, how can you keep yourself safe?
How to Protect Yourself From LockBit Ransomware
Given that LockBit ransomware must first be present on your device to encrypt files, you need to try and cut it off at the source and prevent infection altogether. While it’s difficult to guarantee your protection against ransomware, there’s a lot you can do to steer clear as much as possible.
Firstly, it’s essential that you never download any files or software programs from sites that aren’t totally legitimate. Downloading any kind of unverified file to your device can give a ransomware attacker easy access to your files. Ensure you’re only using trusted and well-reviewed sites for your downloads, or official app stores for software installation.
Another factor to note is that LockBit ransomware is often spread via Remote Desktop Protocol (RDP). If you don’t use this technology, you don’t need to worry about this pointer. However, if you do, it’s important that you secure your RDP access with strong passwords and a VPN, and that you disable the protocol when it is not directly in use. Ransomware operators often scan the internet for vulnerable RDP connections, so adding extra layers of protection will make your RDP network less susceptible to attack.
Ransomware can also be spread via phishing, an incredibly popular mode of infection and data theft used by malicious actors. Phishing is most commonly deployed via emails, wherein the attacker will attach a malicious link to the email body that they will convince the victim to click on. This link will lead to a malicious website that can facilitate malware infection.
Avoiding phishing can be done in a number of ways, including the use of anti-spam email features, link-checking websites, and antivirus software. You should also verify the sender address of any new email and scan for typos within emails (as scam emails are often littered with spelling and grammatical errors).
LockBit Continues to Be a Global Threat
LockBit continues to evolve and target more and more victims: this ransomware isn’t going anywhere any time soon. To keep yourself safe from LockBit and ransomware in general, consider some of the tips above. While you may think you’ll never become a target, it’s always wise to take the necessary precautions anyway.