How to Reduce the Risk of LockBit Ransomware as Victim List Grows
The LockBit ransomware gang is making headlines again this week. Canadian officials charged one of LockBit’s alleged operators with new cybercrimes as he awaits extradition to the United States. And the number of LockBit victims is expanding, again. This time the threat actor added one of the world’s largest international law firms to the list of corporate “household names” it has breached.
This follows last month’s successful attack against one of the planet’s top manufacturers of commercial jetliners and defense, space, and security systems — potentially affecting customers in more than 150 countries. The aerospace giant publicly confirmed that it was handling a cybersecurity incident involving LockBit.
As this threat actor searches for new victims, how can you reduce the risk of your organization being added to that list? Let’s explore LockBit’s exploit methods and look at practical steps to take.
Russia-Linked LockBit Ransomware Gang
The BlackBerry Threat Research and Intelligence team has extensively tracked and written about LockBit, and we have tested our Cylance® AI-powered cybersecurity products against its exploits, yielding impressive results.
LockBit is a cybercriminal group with Russian ties that offers “ransomware-as-a-service” (RaaS) built on its namesake malware, whose latest variant is LockBit 3.0. LockBit’s operators maintain and regularly improve the malware, and they also handle negotiations and run the malware itself once a breach succeeds. LockBit operators typically employ “double extortion” tactics against breached targets: the ransomware not only encrypts data locally to deny the victim access, but also exfiltrates the data and threatens the victim with a public leak unless a ransom is paid.
The malware itself belongs to the LockerGoga and MegaCortex malware families and is self-spreading. It uses tools already present on the device, such as Windows PowerShell and SMB (Server Message Block, the Windows file-sharing protocol that also carries inter-process communication), to encrypt and exfiltrate data and to propagate the attack. Once a single host is infected, the malware automatically surveys neighboring systems and moves laterally, infecting and encrypting as it goes. LockBit is particularly adept at using patterns, common file names, and other behaviors designed to evade the behavioral detection engines of legacy endpoint protection platforms (EPPs).
Main Stages of a LockBit Ransomware Attack
There are many stages to the adversarial attack chain, but dropping ransomware payloads remains the leading way to monetize an attack. LockBit is a common example of a highly motivated, highly skilled adversary leveraging robust extortion tactics.
A LockBit ransomware attack typically follows four stages:
Exploitation: The initial breach looks very similar to most other malicious attacks against organizations. LockBit gains initial access to the target network by brute-forcing credentials (usually weak RDP or VPN passwords), by exploiting unpatched known vulnerabilities, or through social engineering. Once access is gained, the ransomware prepares the system to launch encrypted payloads across neighboring devices within the network.
Infiltration: Next, LockBit’s automated engineering takes over. The malware directs the attack, using known tools to escalate privileges and take control of the target systems. During this stage, LockBit prepares the system for encryption and exfiltration of data by disabling security applications and any other local infrastructure that could allow the system to recover. The goal of this stage is to make data recovery impossible without a LockBit operator’s assistance.
Deployment: Once the device and network have been properly prepared, LockBit hits full mobilization, propagating across any machine it can access. The encryption engine will now place a lock on all data contained within the system, adding a “.lockbit” file extension to processed files. Data recovery requires a custom key generated by LockBit’s operators. Victims find their systems are now unusable, aside from reading LockBit’s ransom note (typically posted as the default device wallpaper) containing contact information and instructions on how to restore their systems.
Negotiation: At this point, the data has been encrypted locally and also exfiltrated. This is when LockBit’s operators typically employ their infamous “double extortion” tactic. The instructions left on the system often include a ransom note with demands, and the LockBit group then posts on its own site a threat to divulge sensitive data stolen during the breach, ratcheting up the pressure on the victim to pay in order to limit the follow-on damage the breach could cause.
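The two stages that leave the clearest traces in ordinary Windows telemetry are the initial brute-force (Exploitation) and the mass rename to “.lockbit” (Deployment). The following is an added example, not code from the BlackBerry post or from any LockBit sample: a small Python detector run over constructed Windows-style log records. The event IDs and logon type are real Windows Security log values; the record layout, host names, addresses and thresholds are assumptions made for the example.

```python
"""Added example, not code from the BlackBerry post or from any LockBit sample.

It runs over constructed Windows-style log records and flags two of the stage
indicators the post describes: an RDP password brute-force that ends in a
successful logon (Exploitation stage) and a burst of files gaining the
".lockbit" extension (Deployment stage). Record layout and thresholds are
assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log values (real): 4625 = failed logon, 4624 = successful
# logon; logon type 10 = RemoteInteractive, i.e. an RDP session.
FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

# Tunable thresholds (assumptions, not vendor guidance).
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
BRUTE_FORCE_FAILURES = 20
RENAME_WINDOW = timedelta(seconds=60)
RENAME_BURST = 50


def parse_time(text):
    return datetime.fromisoformat(text)


def detect_rdp_brute_force(events, failures=BRUTE_FORCE_FAILURES,
                           window=BRUTE_FORCE_WINDOW):
    """Return (source, account, time) for every RDP logon that succeeded after
    at least `failures` failed logons from the same source inside `window`.
    Each event is a dict: time, event_id, source, account, logon_type."""
    recent_failures = defaultdict(list)   # source -> times of recent 4625s
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev["source"]
        # Keep only failures still inside the sliding window.
        recent_failures[src] = [t for t in recent_failures[src]
                                if ev["time"] - t <= window]
        if ev["event_id"] == FAILED_LOGON:
            recent_failures[src].append(ev["time"])
        elif ev["event_id"] == SUCCESS_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            if len(recent_failures[src]) >= failures:
                alerts.append((src, ev["account"], ev["time"]))
            recent_failures[src].clear()
    return alerts


def detect_lockbit_rename_burst(file_events, burst=RENAME_BURST,
                                window=RENAME_WINDOW):
    """Return (host, window_start, count) for each host on which at least
    `burst` files gained the '.lockbit' extension within `window`.
    Each file event is a dict: time, host, path."""
    per_host = defaultdict(list)
    for ev in file_events:
        if ev["path"].lower().endswith(".lockbit"):
            per_host[ev["host"]].append(ev["time"])
    alerts = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst:
                alerts.append((host, times[start], end - start + 1))
                break                           # one alert per host is enough
    return alerts


def build_sample_logon_events():
    """Constructed sample: 25 failed RDP logons from one address, twelve
    seconds apart, then a success; plus a user who mistypes twice."""
    base = parse_time("2023-11-13T02:00:00")

    def mk(t, eid, src, acct):
        return {"time": t, "event_id": eid, "source": src,
                "account": acct, "logon_type": RDP_LOGON_TYPE}

    events = [mk(base + timedelta(seconds=12 * i), FAILED_LOGON, "203.0.113.7", "svc_backup")
              for i in range(25)]
    events.append(mk(base + timedelta(minutes=5), SUCCESS_LOGON, "203.0.113.7", "svc_backup"))
    events += [mk(base + timedelta(minutes=1, seconds=i), FAILED_LOGON, "10.0.0.42", "alice")
               for i in range(2)]
    events.append(mk(base + timedelta(minutes=1, seconds=5), SUCCESS_LOGON, "10.0.0.42", "alice"))
    return events


def build_sample_file_events():
    """Constructed sample: 60 renames to .lockbit on FS01 within 30 seconds,
    and one ordinary file write on another host."""
    base = parse_time("2023-11-13T02:30:00")
    events = [{"time": base + timedelta(milliseconds=500 * i), "host": "FS01",
               "path": f"D:\\shares\\finance\\report_{i}.xlsx.lockbit"} for i in range(60)]
    events.append({"time": base, "host": "WS17", "path": "C:\\Users\\bob\\notes.txt"})
    return events


if __name__ == "__main__":
    print(detect_rdp_brute_force(build_sample_logon_events()))
    print(detect_lockbit_rename_burst(build_sample_file_events()))
```

The brute-force rule only fires on a success that follows the failures, which keeps it quiet during ordinary password-spray noise while still catching the moment an attacker gets in; the rename rule keys on the extension the post names, so it fires late in the Deployment stage and is a backstop rather than a primary control.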
Reducing the Risk of Ransomware Attacks
There are a number of key steps to preventing a ransomware attack such as the one LockBit deploys, including:
- Use strong passwords and multi-factor authentication. Employing a mix of strong passwords and MFA can mitigate brute-force attacks by LockBit and others.
- Conduct regular user account permission audits and remove unused accounts. Removing unused accounts, and strictly limiting the permissions of accounts that can reach sensitive data, constrains how far a threat can move through your environment. Critical or sensitive devices and data deserve extra scrutiny so that access is granted only when necessary.
- Ensure proper configuration, up-to-date patching, and system backups. LockBit and other threat groups often take advantage of poor cyber hygiene. Properly configuring and patching systems eliminates many lateral movement avenues, and can limit the malware’s ability to self-escalate privileges during a breach. System backups are also crucial to ensuring organizations can bounce back and regain business continuity quickly if breached, although this doesn’t prevent exposure of any data that is exfiltrated during an attack. When creating backups, ensure at least one copy is always kept offline and preferably offsite.
- Deploy a comprehensive AI-driven prevention solution. Cylance® AI from BlackBerry is capable of stopping ransomware like LockBit in its tracks. While LockBit can attempt to disable protection on a device, an AI-driven solution like CylanceENDPOINT™ doesn’t even allow LockBit to get to that stage, stopping the malware before it can execute in your environment.
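The first two items above (MFA on the accounts that matter, and pruning unused or over-privileged accounts) are easy to state and easy to let slide, so it helps to make the audit a script that runs on a schedule. The following is an added example, not code from the BlackBerry post: a small Python account-hygiene check over constructed account records. A real audit would pull the same fields from the directory service; the field names, the privileged-group list and the 90-day inactivity cutoff are assumptions.

```python
"""Added example, not code from the BlackBerry post: an account-hygiene audit
covering the first two mitigation items (MFA, prune unused and over-privileged
accounts). Runs over constructed records; field names, the privileged groups
and the 90-day cutoff are assumptions."""
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)                          # assumed cutoff
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}  # assumed list
SAMPLE_NOW = datetime(2023, 11, 13)                       # fixed "today" for the sample


def audit_accounts(accounts, now):
    """Return {account_name: [finding, ...]} for enabled accounts needing action.

    Every enabled account is checked for inactivity. Accounts that are either
    privileged or reachable over RDP/VPN are additionally checked for MFA,
    since those are the ones a password brute-force would target."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled: nothing to prune
        issues = []
        last = acct["last_logon"]
        if last is None:
            issues.append("never logged on: disable or remove")
        elif now - last > STALE_AFTER:
            issues.append(f"inactive for {(now - last).days} days: disable or remove")
        privileged = bool(set(acct["groups"]) & PRIVILEGED_GROUPS)
        if (privileged or acct["remote_access"]) and not acct["mfa_enrolled"]:
            issues.append("privileged or remote-access account without MFA: enforce MFA")
        if issues:
            findings[acct["name"]] = issues
    return findings


def build_sample_accounts(now):
    """Constructed directory export: one clean user, one stale service account
    with backup rights and no MFA, one never-used contractor, one account that
    is already disabled, and one low-privilege user without MFA."""
    def days_ago(n):
        return now - timedelta(days=n)

    return [
        {"name": "alice", "enabled": True, "groups": ["Domain Users"],
         "last_logon": days_ago(1), "mfa_enrolled": True, "remote_access": True},
        {"name": "svc_backup", "enabled": True, "groups": ["Backup Operators"],
         "last_logon": days_ago(120), "mfa_enrolled": False, "remote_access": True},
        {"name": "contractor_old", "enabled": True, "groups": ["Domain Users"],
         "last_logon": None, "mfa_enrolled": False, "remote_access": False},
        {"name": "retired_admin", "enabled": False, "groups": ["Domain Admins"],
         "last_logon": days_ago(400), "mfa_enrolled": False, "remote_access": True},
        {"name": "bob", "enabled": True, "groups": ["Domain Users"],
         "last_logon": days_ago(3), "mfa_enrolled": False, "remote_access": False},
    ]


if __name__ == "__main__":
    for name, issues in audit_accounts(build_sample_accounts(SAMPLE_NOW), SAMPLE_NOW).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Note that "bob" is not flagged even though he has no MFA: the check is deliberately scoped to the accounts an attacker can actually use from outside or to escalate with, which keeps the report short enough that someone acts on it. Widen the scope once MFA is rolled out to everyone.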
AI-Driven Cybersecurity Is King
BlackBerry’s most recent quarterly Global Threat Intelligence Report revealed a rapid rise in unique malware. Legacy antivirus products that rely on signatures often do an adequate job of stopping known threats, but a threat group as advanced as LockBit that regularly upgrades its ransomware can easily outmaneuver these types of automated defenses. An agile, AI-powered defense is critical to rapidly analyze and block these novel threats, while helping to prevent cybersecurity team burnout. However, not all AI is equal: here is what to look for.
In a recent independent test, Tolly Group — a leading independent test lab and respected provider of third-party validation services for the tech industry — showed that when compared to other leading endpoint protection vendors, the CylanceENDPOINT solution from BlackBerry blocks up to 133% more malware, performs up to 13 times faster, and uses nearly 20 times fewer system resources. Preventing cyberattacks is the reason most organizations invest in endpoint protection, and Tolly Group’s testing conclusively proves that CylanceENDPOINT is a strong and capable solution for stopping modern attacks, and it’s one that customers love to use.
For emergency assistance, please email us at DLIR@blackberry.com, or use the hand-raiser form.