LockBit, The New Ransomware for Hire

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Ransomware has emerged as one of the top threats facing large organizations over the past few years, with researchers reporting a more than fourfold increase in detections last year. A recent infection by a fairly new strain called LockBit shows why: after it ransacked one company's poorly secured network in a matter of hours, the company's leaders had no viable choice other than to pay the ransom.

A report published by McAfee documents the effectiveness of this newcomer. Incident responders from Northwave Intelligent Security Operations aided in the analysis. LockBit is most prevalent in the US, the UK, France, Germany, Ukraine, China, India, and Indonesia.

[Image: LockBit telemetry]
The attackers started by researching potential targets that held valuable data and had the means to make big payouts when faced with the prospect of losing access to it. They then ran a wordlist (dictionary) attack against account passwords in the hope of guessing one. Eventually they hit the jackpot: an administrative account with free rein over the entire network. The weak password on that account, combined with the absence of multifactor authentication, gave the attackers all the rights they needed.
“The interesting part about this piece of ransomware is that it is completely self-spreading,” said Patrick van Looy, a cybersecurity specialist at Northwave, one of the firms that responded to the infection. “Hence, the attacker was only inside the network for a few hours. Normally we see that an attacker is inside the network for days or even weeks and does this reconnaissance of the network manually.”

After getting in, LockBit used a two-part method to map out and infect the network. ARP tables, which map local IP addresses to device MAC addresses, let it enumerate reachable systems, and Server Message Block (SMB), the protocol Windows uses for sharing files and folders between networked machines, let infected nodes connect to uninfected ones. LockBit then ran a PowerShell script that pushed the ransomware to those machines. Abusing SMB, ARP tables, and PowerShell is an increasingly common way to propagate malware through a network, and for good reason: because almost every network relies on these built-in tools, their malicious use is hard for antivirus and other network defenses to distinguish from legitimate administration. LockBit had another way of staying stealthy. The file the PowerShell script downloaded carried a PNG image extension, but it was in fact a program executable that encrypted the files on the machine.
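The "executable disguised as a PNG" trick described above is caught by checking what the bytes actually are instead of trusting the file extension. The following is an added example, not code from the original post, from McAfee or from Northwave: it sniffs the file signature (the 8-byte PNG magic, or a DOS `MZ` stub whose `e_lfanew` field points at a `PE\0\0` header) and flags files whose extension promises a different type. The file names and contents in `SAMPLE_FILES` are constructed for the demonstration; `_fake_pe()` builds a minimal header, not a real program.

```python
"""Flag files whose extension claims one format but whose bytes say another.

Added example, not from the original post or the McAfee/Northwave report.
Sample inputs below are constructed; _fake_pe() is only a header stub.
"""
import struct
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Extensions whose content type we can verify from magic bytes.
EXPECTED_BY_EXT = {".png": "png", ".exe": "pe", ".dll": "pe"}


def sniff_type(data: bytes) -> str:
    """Return 'png', 'pe' or 'unknown' based on the file's leading bytes."""
    if data.startswith(PNG_MAGIC):
        return "png"
    # Windows PE: DOS 'MZ' stub, then a little-endian 32-bit offset at 0x3C
    # (e_lfanew) that points at the 'PE\0\0' signature.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises a type that the bytes do not match."""
    expected = EXPECTED_BY_EXT.get(Path(name).suffix.lower())
    if expected is None:
        return False  # no expectation for this extension, nothing to compare
    return sniff_type(data) != expected


def scan(files: dict) -> list:
    """Return the names (sorted) of files that should be escalated for analysis."""
    return sorted(name for name, data in files.items() if extension_mismatch(name, data))


def _fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: 'MZ', e_lfanew = 0x40, then 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample set: one real-looking PNG, one executable hiding under
# a .png name, one honestly named executable, one file with no expectation.
SAMPLE_FILES = {
    "logo.png": PNG_MAGIC + b"\x00" * 8,
    "update.png": _fake_pe(),
    "tool.exe": _fake_pe(),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        print(f"{name}: extension says {Path(name).suffix}, "
              f"bytes say {sniff_type(SAMPLE_FILES[name])}")
```

On a real host the same `extension_mismatch` check can be run over a download directory or over files written by `powershell.exe`, which is where a dropper like the one described would place its payload; only `update.png` is flagged in the constructed sample.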
 
