HomesecurityResearchers analyze the "business" of LockBit ransomware

Researchers analyze the "business" of LockBit ransomware

Researchers analyze in depth how his "business" operates LockBit, one from the newest ransomware groups in the landscape of threats. Ransomware has evolved into one of the top forms of cyber attack this year. It 2017 was the first time we saw the serious disruption that this malware could cause - with its global outbreak WannaCry - and reaching 2021, does not appear to have changed nothing for the better.

Only this year, we have seen so far the ransomware attack on Colonial pipeline - which caused a temporary shortage of fuel in parts of the US -, problems that the National Health Service of Ireland after ransomware attack, as well as disruption of the systems of the top US meat supplier JBS due to ransomware attack.

Ransomware gangs are growing malicious programs, which can encrypt and "lock" systems, and may also steal confidential data during an attack. Then ask the victims ransom, to provide them with a decryption key. Many gangs, in fact, follow his tactics "Double blackmail", where on the one hand they demand ransom from the victims and on the other hand they threaten them with leakage of the stolen data or by selling them on the dark web.

Read also: G7 to Russia: Deal with ransomware gangs in the country

LockBit ransomware
Researchers analyze the "business" of LockBit ransomware

The cost of ransomware attacks is expected to reach $ 265 billion worldwide by 2031, while payments are usually in the millions of dollars - as in the case of JBS. However, there is no guarantee that decryption keys are suitable for a specific purpose or that paying a ransom once will ensure that an organization will not be "hit" again by hackers.

An investigation of Cybereason released this week, showed that up to 80% of ransomware companies have been attacked a second time, probably by the same malicious agents.

The ransomware threat to businesses and critical utilities has become so serious that the issue was on the agenda of the US president's meeting. Joe Biden, and the Russian President, Vladimir Putin, at the Geneva Summit.

The Prodaft Threat Intelligence group (PTI) has published a report exploring the LockBit gang and its affiliates. According to the report, LockBit, which is believed to have operated in the past under the name ABCD, a structure works RaaS which provides affiliate groups with a central control panel for creating new LockBit samples, managing their victims, posting blog posts, and developing statistics on the success or failure of attack attempts.

See also: JBS: Gave a $ 11 million ransom to the REvil ransomware team

LockBit ransomware
Researchers analyze the "business" of LockBit ransomware

The report also revealed that LockBit gang affiliates often buy Remote Desktop Protocol (RDP) access to servers as the original attacker, although they may also use common techniques Phishing and credential-stuffing.

In addition, they are used exploits for breach of vulnerable systems, including VPN Fortinet bugs that have not been fixed on target machines.

Forensic investigations into machines being attacked by LockBit associates show that threat groups often try to identify "mission-critical" systems first, including NAS devices, backup servers and domain controllers. Then the data removal begins and packets are typically loaded into services, including MEGA's cloud storage platform.

A sample of LockBit is then manually deployed and the files are encrypted with an AES key. The backups are deleted and the system wallpaper is changed, displaying a ransom note with a link to a site address .onion, to purchase decryption software.

The site also offers a "test" encryption, in which a file - less than 256 KB in size - can be decrypted for free. However, this is not done just to show that decryption is possible. An encrypted file must be submitted to associates in order to create an encryptor for that victim.

LockBit ransomware
Researchers analyze the "business" of LockBit ransomware

Proposal: Colonial Pipeline: Most of the ransom paid to DarkSide has been recovered

If the victims agree to negotiate with the attackers, the latter can open a chat window in LockBit panel to talk to them. Conversations often start with ransom demand, deadlines and payment methods - usually in Bitcoin - and instructions on how to buy cryptocurrencies.

Η Prodaft was able to access the LockBit panel, revealing gang associate usernames, victim numbers, registration dates and contact details.
According to the researchers, data from the names and addresses of the collaborators suggest that some of them may also be associated with the gangs of Babuk and REvil, two other RaaS groups - however, the investigation is ongoing.

The associates of the LockBit gang claim, on average, about $ 85.000 from each victim, 10-30% of which goes to RaaS operators. In addition, this ransomware has "infected" thousands of devices around the world. More than 20% of its victims are active in the field of software and services.

Right now, the data leak site the LockBit gang not available. After infiltrating LockBit systems, the researchers decrypted the data of all the victims on the platform.

Source of information:

Every accomplishment starts with the decision to try.