LockBit group has a new technique to bypass the MOTW security

March 16, 2023
LockBit Ransomware Group Technique Bypass MOTW Security

Thanks to a new tactic, the LockBit group has enjoyed considerable success in its data-exfiltration attacks against large organisations. Researchers explained that this momentum has let the group add more victims to its data-leak site.

Experts attribute much of the group's recent success to a new tactic: bypassing endpoint security protections. Most recently, the group used evasion tradecraft to sidestep the Mark of the Web (MOTW) feature, the flag Windows attaches to files downloaded from the internet so that SmartScreen and Office can warn the user before such a file runs.


The LockBit group utilised various evasion capabilities in their campaigns in the past few months.


According to investigations, LockBit affiliates combined several security-bypass techniques in their activity between the last months of 2022 and the first days of January 2023.

LockBit operators deliver a disk-image (.img) file that contains several malicious files, only one of which is visible to the target; the rest are marked hidden. Packing the payload in a container defeats MOTW because the downloaded .img carries the mark, but when Windows mounts it as a virtual drive the files inside do not inherit the Zone.Identifier stream, so the SmartScreen and Office warnings that key on it never fire.

Once the target opens the single visible file, it fetches BAT scripts that check the privilege level of the account on the infected system.

The group then runs Python scripts using the official embeddable Python package, which runs from any folder and needs no installer. The scripts' only role is to alter the target system's settings and passwords without the user's authorisation.

The LockBit ransomware itself is stored in a password-protected archive, which the BAT script unpacks and executes as the final payload.
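As an added check for the container and embedded-Python stages described above (example code written for this page, not taken from the article or from any LockBit sample; the sample path, the probe file and the search roots are assumptions), the following PowerShell inspects the Zone.Identifier stream that carries MOTW and hunts for a dropped embeddable interpreter:

```powershell
# Added example for this page (not code from the article or from any LockBit sample).
# Two checks for the chain described above, meant for an isolated analysis VM:
#   1. Mark of the Web lives in an NTFS alternate data stream called Zone.Identifier.
#      The downloaded .img carries it; files inside the mounted image do not.
#   2. The embeddable Python package runs from any folder and ships a pythonNN._pth
#      file next to python.exe, which a normal installation does not.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId from the Zone.Identifier stream (3 = Internet zone),
    # or $null when the file carries no Mark of the Web at all.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Find-UnmarkedFiles {
    param([Parameter(Mandatory)][string]$Root)
    # Lists script, executable, shortcut and archive files under $Root that have no
    # Zone.Identifier stream. Pointed at a mounted image this is every file in it,
    # including the hidden ones, hence -Force.
    $patterns = '*.bat','*.cmd','*.exe','*.dll','*.lnk','*.ps1','*.py','*.vbs','*.js','*.zip','*.7z'
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Include $patterns -ErrorAction SilentlyContinue |
        Where-Object { $null -eq (Get-MotwZone -Path $_.FullName) } |
        Select-Object FullName, Length, Attributes
}

function Find-EmbeddedPython {
    # Search roots are an assumption: user-writable locations a dropper would use.
    param([string[]]$Roots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC))
    # A *._pth file beside python.exe under a user-writable root points to a
    # dropped embeddable interpreter rather than an installed one.
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -Filter '*._pth' -ErrorAction SilentlyContinue |
            Where-Object { Test-Path -LiteralPath (Join-Path $_.DirectoryName 'python.exe') } |
            Select-Object @{ n = 'Directory'; e = { $_.DirectoryName } }, Name, LastWriteTime
    }
}

# --- Self-test on a throwaway file: stamp the Internet zone the way a browser would.
$probe = Join-Path $env:TEMP 'motw-probe.txt'
Set-Content -LiteralPath $probe -Value 'probe'
Set-Content -LiteralPath $probe -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
if ((Get-MotwZone -Path $probe) -ne 3) { throw 'Zone.Identifier check failed' }
Remove-Item -LiteralPath $probe

# --- Against a real sample (placeholder path; assumes the .img is an ISO 9660 image,
#     which is how Explorer mounts these). Mounting does not execute anything, but do
#     it only in a lab.
$img = Join-Path $env:USERPROFILE 'Downloads\sample.img'
if (Test-Path -LiteralPath $img) {
    "Container ZoneId: $(Get-MotwZone -Path $img)"            # 3 for a browser download
    $vol = Mount-DiskImage -ImagePath $img -StorageType ISO -PassThru | Get-Volume
    Find-UnmarkedFiles -Root "$($vol.DriveLetter):\"          # contents carry no mark
    Dismount-DiskImage -ImagePath $img
}
Find-EmbeddedPython
```

The contrast is the whole point: Get-MotwZone returns 3 for the downloaded .img, while Find-UnmarkedFiles run against the mounted drive letter returns every file inside it, hidden ones included, with no zone at all. Find-EmbeddedPython catches the later stage independently of the container, since the ._pth file is what lets python.exe run without an installation.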

LockBit is one of the most active ransomware operations, with successful RaaS and extortion attacks throughout the second and third quarters of last year. Information from the group's leak sites shows that its operators posted more than 400 victim organisations in six months.

LockBit is a fast-growing ransomware threat capable of launching multiple attacks across industries and critical infrastructure. Security experts expect the operators to keep using obfuscation tactics to bypass security solutions.

They could improve their subsequent attacks by releasing new ransomware variants with additional capabilities.
