One big ransomware threat just disappeared. Now another one has jumped up to fill the gap

REvil was one of the most high-profile forms of ransomware – now that it's gone dark, cyber criminals are turning elsewhere.
Written by Danny Palmer, Senior Writer

The sudden disappearance of one of the most prolific ransomware services has forced crooks to switch to other forms of ransomware, and one in particular has seen a big growth in popularity. 

The REvil – also known as Sodinokibi – ransomware gang went dark in July, shortly after drawing the attention of the White House following a massive ransomware attack that affected 1,500 organisations around the world.

It's still uncertain if REvil has quit for good or if they will return under different branding – but affiliates of the ransomware scheme aren't waiting to find out; they're switching to other brands of ransomware and, according to analysis by cybersecurity researchers at Symantec, LockBit ransomware has become the weapon of choice.


LockBit first appeared in September 2019 and those behind it added a ransomware-as-a-service scheme in January 2020, allowing cyber criminals to lease out LockBit to launch ransomware attacks – in exchange for a cut of the profits.

LockBit isn't as high profile as some other forms of ransomware, but those using it have been profiting from ransom payments made in Bitcoin.

Now the apparent disappearance of REvil has led to a rise in cyber criminals turning to LockBit to conduct ransomware attacks – aided by the authors of LockBit putting effort into offering an updated version. 

"LockBit has been aggressively advertising for new affiliates in recent weeks. Secondly, they claim to have a new version of their payload with much higher encryption speeds. For an attacker, the faster you can encrypt computers before your attack is uncovered, the more damage you will cause," Dick O'Brien, senior research editor at Symantec, told ZDNet. 

Researchers note that many of those now using LockBit are using the same tactics, tools, and procedures they were previously using in attempts to deliver REvil to victims – they've just switched the payload.  

These methods include exploiting unpatched firewall and VPN vulnerabilities or brute-force attacks against Remote Desktop Protocol (RDP) services left exposed to the internet, as well as the use of tools including Mimikatz and Netscan to help establish the network access required to install ransomware.

And like other ransomware groups, LockBit attackers also use double extortion attacks, stealing data from the victim and threatening to publish it if a ransom isn't paid. 

While it has somewhat flown under the radar until now, attackers using LockBit deployed it in an attempted ransomware attack against Accenture – although the company said it had no effect as they were able to restore files from backup.  

LockBit has also caught the attention of national security services; the Australian Cyber Security Centre (ACSC) released an alert about LockBit 2.0 this week, warning about a rise in attacks.  


Ransomware poses a threat to organisations no matter what brand is being used. Just because one high-profile group has seemingly disappeared – for now – it doesn't mean that ransomware is any less of a threat.

"We consider LockBit a comparable threat. It's not just the ransomware itself, it's the skill of the attackers deploying it. In both cases, the attackers behind the threats are quite adept," said O'Brien. 

"In the short term, we expect to see LockBit continue to be one of the most frequently used ransomware families in targeted attacks. The longer-term outlook depends on whether some of the recently departed ransomware developers – such as REvil and Darkside – return," he added.

To help protect against falling victim to ransomware attacks, organisations should ensure that software and services are up to date with the latest patches, so cyber criminals can't exploit known vulnerabilities to gain access to networks. It's also recommended that multi-factor authentication is applied to all user accounts, to help prevent attackers from easily being able to use leaked or stolen passwords. 

Organisations should also regularly back up the network, so in the event of falling victim to a ransomware attack, the network can be restored without paying a ransom.  
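The article notes that LockBit affiliates still rely on brute-force attacks against RDP services exposed to the internet, and recommends patching, MFA and backups as defences. One detection-side measure a defender can add alongside those is watching for bursts of failed RDP logons from a single source, and especially a burst that is followed by a successful logon from the same source. The script below is an added example written for this page, not code from the article, Symantec or any LockBit analysis. It assumes a simplified pipe-separated log layout (constructed here; a real deployment would read Windows Security log events, where Event ID 4625 is a failed logon, 4624 a successful logon, and Logon Type 10 a RemoteInteractive/RDP session) and uses documentation IP ranges as constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp|event_id|logon_type|account|source_ip"
# layout (assumption for this example; not a real log format). Windows Security log semantics
# assumed: 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
# The IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2021-08-10T02:00:01|4625|10|administrator|203.0.113.7
2021-08-10T02:00:03|4625|10|admin|203.0.113.7
2021-08-10T02:00:05|4625|10|backup|203.0.113.7
2021-08-10T02:00:06|4625|10|svc_sql|203.0.113.7
2021-08-10T02:00:08|4625|10|jsmith|203.0.113.7
2021-08-10T02:00:09|4625|10|jsmith|203.0.113.7
2021-08-10T02:00:40|4624|10|jsmith|203.0.113.7
2021-08-10T02:10:00|4625|10|alice|198.51.100.9
2021-08-10T02:30:00|4624|10|alice|198.51.100.9
2021-08-10T03:00:00|4625|3|bob|192.0.2.20
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_log(text):
    """Parse the pipe-separated sample into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "src": src,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with at least `threshold` failed RDP
    logons inside any span of length `window`. A finding records the accounts tried
    and whether a successful RDP logon from the same source followed the burst, which
    is the case that calls for incident response rather than just a firewall rule."""
    recent = defaultdict(deque)   # source_ip -> (timestamp, account) failures still inside the window
    findings = {}
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue              # only RemoteInteractive (RDP) logons matter here
        src = e["src"]
        if e["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append((e["ts"], e["account"]))
            while q and e["ts"] - q[0][0] > window:
                q.popleft()       # slide the window forward, dropping stale failures
            if src in findings:
                findings[src]["failures"] += 1
                findings[src]["accounts"].add(e["account"])
            elif len(q) >= threshold:
                findings[src] = {
                    "first_failure": q[0][0],
                    "failures": len(q),
                    "accounts": {a for _, a in q},
                    "success_after": None,
                }
        elif e["event_id"] == SUCCESS_LOGON and src in findings:
            if findings[src]["success_after"] is None:
                findings[src]["success_after"] = (e["ts"], e["account"])
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        status = "FOLLOWED BY SUCCESSFUL LOGON" if f["success_after"] else "no success seen"
        print(f"{src}: {f['failures']} failed RDP logons since {f['first_failure']:%H:%M:%S}, "
              f"accounts tried {sorted(f['accounts'])}; {status}")
```

On the constructed sample, only 203.0.113.7 trips the threshold (six failures across five accounts in under ten seconds, then a successful logon as jsmith); the single failure from 198.51.100.9 and the non-RDP logon type 3 event are ignored. The sliding window is what keeps a slow, legitimate user who mistypes a password a few times over an hour from being flagged, and the threshold and window are the two knobs to tune against your own baseline of RDP failures.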
