In using version 2.0 of LockBit RaaS malware (ransom-as-a-service), cybersecurity researchers say that threat actors could execute more aggressive targeted attacks against several organizations in different countries such as Taiwan, Italy, Chile, and the UK. In addition, the attacks that happened around July and August this year are said to employ the LockBit 2.0 malware equipping its more enhanced features and encrypting techniques.
Data from reports also say that the LockBit version 2.0 is considered to be one of the most efficient and fastest variants of ransomware to this present day’s market landscape, in comparison to its old features back in 2019, due to the version’s enhanced features including automatic encryption of different devices across the Windows domain. Although this malware can use a multithreaded encryption tactic, it can partly encrypt a file with as little as 4KB per file encryption. The malware does it by abusing the AD or the Active Directory group policies.
Furthermore, as researchers have reported, LockBit 2.0’ has a feature of making an effort in recruiting insiders coming directly from their target victim companies. The motive behind this is to obtain highly significant and sensitive credentials and access information from the target firm in exchange for millions of dollars and assured anonymity. What the attackers typically do is change the device’s wallpaper to some kind of recruiting advertisement that includes all the detailed information on how the interested insider could become an affiliate.
They were also the alleged culprit behind the attack against the Accenture company.
How does LockBit 2.0 perform the infection?
As mentioned, the LockBit threat actors initially recruit their target affiliates inside the targeted corporate network. These recruited affiliates or helpers will be the ones to execute the actual attack through the RDP or the remote desktop protocol connection. From the end of LockBit, they will be providing their helpers with a variant of StealBit trojan. This virus is an important tool to gain access and exfiltrate needed data.
Aside from exfiltrating data, the malware also uses many types of batch files intending to terminate a device’s security tools and make crucial processes unavailable, such as stopping MS Exchange, QuickBooks, and MySQL.
After successfully accessing the device’s domain controller, threat actors will establish a batch of new policies and then send it to all devices using the same network. The policies may include disabling the Windows Defender application. They will also be including a ransom note, as a part of the motive, to extort money from victims, or else the stolen credentials would get published. Once this process is done, it is time for the ransomware to attach a “.lockbit” suffix to all compromised and encrypted devices’ files.
As for the last stage of LockBit 2.0’s process, the victim devices will have a change of desktop wallpapers into a recruitment advertisement and as well as for instructions about the victims’ payment process following their asking of ransom.