Tuesday, November 24, 06:35

LockBit ransomware: Silently but quickly attacks its targets

LockBit ransomware takes just five minutes to deploy its encryption routine on systems once it has entered a victim's network. LockBit relies on automated processes for rapid deployment across victims' networks, locating valuable systems and locking them.

LockBit attacks leave few traces for security experts to analyze later: the malware is loaded into system memory, and log files and backup files are removed during execution.

After investigating eight attacks on smaller organizations, security researchers at Sophos were able to connect more of the components and get a clearer picture of how LockBit works. In one case, they found that the attack started from a compromised Internet Information Server that ran a remote PowerShell script, which called another script embedded in a remote Google Sheets document. This script connected to a command-and-control (C&C) server to install a PowerShell module, with the aim of adding a backdoor and achieving persistence on the target system.

To avoid detection and stay out of the logs, the attacker renamed copies of PowerShell and of the Microsoft HTML Application host binary (mshta.exe). Sophos therefore named this incident the PS Rename attack.
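A defender-side check for the renaming described above, as an added example that is not from the article or from Sophos. It assumes process-creation events exported as JSON lines carrying the `Image` and `OriginalFileName` fields of Sysmon Event ID 1; the sample events and the function name are constructed for illustration.

```python
import json
import ntpath

# OriginalFileName values (lower-cased) of the two binaries the article says were renamed.
WATCHED = {"powershell.exe", "mshta.exe"}

# Constructed sample events (not from the Sophos investigation), one JSON object per line,
# shaped like the fields of a Sysmon Event ID 1 (process creation) record.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -File backup.ps1"}
{"Image": "C:\\ProgramData\\svc\\updater.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "updater.exe -File task.ps1"}
{"Image": "C:\\Users\\Public\\helper.exe", "OriginalFileName": "MSHTA.EXE", "CommandLine": "helper.exe page.hta"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"}
"""


def find_renamed_binaries(lines):
    """Return events where a watched binary runs under a different file name.

    The name embedded in the executable (OriginalFileName) survives a rename
    on disk, so a mismatch with the basename of Image exposes the copy.
    """
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        original = event.get("OriginalFileName", "").lower()
        # ntpath parses Windows paths correctly even when run on Linux/macOS.
        image_name = ntpath.basename(event.get("Image", "")).lower()
        if original in WATCHED and image_name != original:
            hits.append({
                "image": event["Image"],
                "original": event["OriginalFileName"],
                "command_line": event.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_renamed_binaries(SAMPLE_EVENTS):
        print(f"renamed {hit['original']} running as {hit['image']}: {hit['command_line']}")
```

`OriginalFileName` is read from the executable's version resource, so pairing this check with a signature or hash comparison covers a copy whose resource was edited.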

The backdoor is responsible for installing attack modules and executing a VBScript that downloads and executes a second backdoor when the system reboots. Sean Gallagher, head of threats at Sophos, said the attack scripts also tried to bypass Windows 10's built-in Antimalware Scan Interface (AMSI) by applying patches to it directly in memory.

Artifacts found on the attacked systems suggest the use of scripts based on the PowerShell Empire post-exploitation framework. The attackers' goal was to gather information about the victims' network, identify valuable systems, and check which defensive security solutions were available.

Gallagher added that these scripts used regular expressions to search the Windows registry for "very specific types of business software" used for point-of-sale systems or accounting systems.
The malicious code deployed the LockBit ransomware only if the targets proved to be of high importance, Gallagher said.

According to BleepingComputer, once valuable targets were detected, the LockBit ransomware was run in memory within five minutes using a Windows Management Instrumentation (WMI) command. In these attacks, the original method of breach remains unknown. A report released in May by security solutions companies McAfee Labs and Northwave described in detail how LockBit ransomware gained access to the victim's network by brute-forcing an administrator's login for an old VPN service. Within three hours, the malware encrypted about 25 servers and 225 computer systems.

