This ransomware has returned with new techniques to make attacks more effective

LockBit ransomware has been around since 2019, but those behind it are adding new features and aggressively advertising to attract new cyber-criminal affiliates.
Written by Danny Palmer, Senior Writer

There's been a rise in cyberattacks using a form of ransomware that first appeared almost two years ago. But despite being relatively old, it's still proving successful for cyber criminals. 

Cybersecurity researchers at Trend Micro have detailed an increase in LockBit ransomware campaigns since the start of July. This ransomware-as-a-service first appeared in September 2019 and has been relatively successful, but has seen a surge in activity this summer.  

In adverts on underground forums, LockBit's authors claim that LockBit 2.0 is one of the fastest file-encrypting ransomware variants in the market today. And those claims have proven interesting to cyber criminals seeking to make money from ransomware. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

Trend Micro researchers have seen a number of LockBit ransomware campaigns in recent weeks, predominantly targeting organisations in Chile, but also the UK, Italy and Taiwan. 

While LockBit has remained under the radar for much of this year, it hit the headlines with an attack against professional services firm Accenture. LockBit also appears to have benefited from the apparent disappearance of ransomware gangs including REvil and Darkside, with a significant number of affiliates of those operators turning towards LockBit as their new means of performing ransomware attacks.  

The attackers often gain entry to networks using compromised Remote Desktop Protocol (RDP) or VPN accounts that have been leaked or stolen; alternatively, LockBit attacks sometimes attempt to recruit insiders to help gain access through legitimate login credentials. 

LockBit has also gained success by following in the footsteps of prominent ransomware groups using certain tactics, techniques and procedures (TTPs) during attacks. For example, LockBit now uses Ryuk's Wake-on-LAN feature, sending packets to wake offline devices in order to help move laterally around networks and compromise as many machines as possible.

LockBit also uses a tool previously deployed by Egregor ransomware, using printers on the network to print out ransom notes. 

"They were heavily influenced by the Maze ransomware gang and when they shut down, they appear to have shifted their focus to Ryuk and Egregor ransomware gangs TTPs," Jon Clay, VP of threat intelligence at Trend Micro, told ZDNet. 

"What we can take away from this is many malicious actor gangs likely follow the news of how successful other gangs are and look to model their TTPs themselves. Ransomware has evolved over time in order to continue to be successful for its creators," he added. 

SEE: The Privacy Paradox: How can businesses use personal data while also protecting user privacy?

Like many of the most disruptive ransomware variants, LockBit also adds a double extortion element to attacks, stealing data from the victim and threatening to leak it if the ransom isn't paid within a set period.  

"The LockBit gang has been around for a while now and continue to update their TTPs in order to have successful attack campaigns," said Clay. 

It's expected that LockBit ransomware attacks will continue to be a cybersecurity threat for some time, particularly given that the group is actively advertising for additional affiliates. But while ransomware groups are aggressively persistent, there are actions that information security teams can take to help protect networks from attack. 

This includes applying the latest security patches and updates to operating systems and software, so cyber criminals can't exploit known vulnerabilities to help launch attacks. Organisations should also apply multi-factor authentication across the network, making it harder for cyber criminals to use stolen credentials to help facilitate attacks. 


Editorial standards