Deciphering the complex evolution of LockBit ransomware
Introduction
LockBit is one of the most prolific ransomware families of recent years. First seen under the name "ABCD" (after the .abcd extension its early builds appended to encrypted files), it has since grown into a distinct ransomware-as-a-service operation. LockBit is classed as crypto-ransomware: it encrypts the victim's files and demands payment in exchange for the means to decrypt them. It targets businesses and government institutions rather than individuals.
LockBit's operators and their affiliates have carried out intrusions worldwide, and they apply pressure on victims in several ways:
- Operations disruption: encrypting files and systems so that essential organizational processes come to a sudden stop.
- Extortion for monetary gain: demanding payment, usually in cryptocurrency, for the decryption key.
- Data theft and blackmail: exfiltrating data before encryption and threatening to publish it if the victim does not pay (double extortion).
The story
LockBit first appeared in September 2019 as the ABCD ransomware, and each version since has added capabilities. In January 2020 it began operating under the LockBit name, advertised as a ransomware-as-a-service offering on Russian-language cybercrime forums. LockBit 2.0, in June 2021, introduced StealBit, a purpose-built data exfiltration tool, and by October 2021 variants targeting Linux and VMware ESXi hosts had appeared. LockBit 3.0 (LockBit Black), first observed in March 2022, reused code from the BlackMatter ransomware rather than Conti; it was LockBit Green, released in January 2023, that was built on the leaked Conti source code. In April 2023 a macOS build surfaced, although analysis suggested it was an unfinished test rather than a working encryptor; even so, the family's reach now spans most major operating systems.
Working
What distinguishes LockBit is how much of the intrusion is automated once a foothold exists. An affiliate still has to break in, but after that the payload can discover and spread to other reachable hosts with little further operator involvement, and it does so with built-in Windows tooling (PowerShell, SMB, Group Policy), so its activity resembles routine administration and is harder for endpoint security products to single out.
- Autonomous spread: once a host is infected, LockBit enumerates other hosts it can reach and pushes itself to them without further human intervention, typically over SMB shares or, when it runs on a domain controller, by creating Group Policy Objects that install and launch the payload on every domain-joined machine.
- Exploiting network weaknesses: initial access is obtained however the affiliate can manage it, including phishing and other social engineering, brute-forcing exposed RDP or VPN credentials, buying stolen credentials, and exploiting unpatched vulnerabilities in internet-facing services. This stage sets the network up for deployment of the encryptor, and affiliates will spend considerable manual effort here so that the later, automated stages run cleanly.
- Post-exploitation: in the second stage the operators escalate privileges and move deeper into the environment. Before encryption begins, the payload checks whether the target is worth attacking (LockBit exits, for instance, if the system language is one used in Russia or other CIS countries) and prepares the ground by disabling security software, deleting Volume Shadow Copies and other backups, clearing event logs, and turning off Windows recovery options so that restoration without paying is as hard as possible.
- Deployment of the encryption payload: once the network is prepared, LockBit pushes the encryptor to every accessible machine. A host with high privileges, often a domain controller, instructs the other hosts to fetch and execute the payload. The payload encrypts files with a hybrid scheme: each file is encrypted with a symmetric key, and those keys are in turn encrypted with a public key belonging to the operators, so only the operators' private key can recover them. Encryption is deliberately fast, often touching only part of each file, so the whole estate is locked before anyone can react. Ransom notes are dropped into the directories it touches, with instructions for "restoration" and the threat to leak stolen data.
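The pre-encryption and propagation steps above leave a recognisable trail in process-creation telemetry, which is where a defender can still catch the attack before files are locked. The following script is an added example written for this page (not LockBit's own code and not any vendor's tooling). It parses a simplified, constructed log format standing in for Sysmon event 1 or Security event 4688 records, tags each command line with the tactic it serves, and flags a host only when the recovery-inhibition step coincides with at least one other tactic inside a short time window, because an isolated shadow-copy deletion is routine admin work. The host names, user names, the parent process name lb3.exe and the log lines are all invented for the example; the commands matched (vssadmin, wmic shadowcopy, bcdedit, wbadmin, wevtutil, net stop, taskkill, psexec, gpupdate) are the built-in Windows tools commonly abused for these steps.

```python
"""Hunt for LockBit-style pre-encryption and propagation behaviour in
Windows process-creation logs (added example, not LockBit's own code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified "time|host|user|parent|command line"
# format (stand-in for Sysmon event 1 / Security event 4688). Host names, users
# and the parent process name "lb3.exe" are hypothetical.
SAMPLE_LOGS = [
    # Routine admin housekeeping: one tactic in isolation must not fire, and the
    # second command is five hours later, outside the correlation window.
    "2024-02-19T09:00:11|ADMIN-01|CORP\\backupsvc|cmd.exe|vssadmin delete shadows /for=C: /oldest",
    "2024-02-19T14:02:40|ADMIN-01|CORP\\backupsvc|cmd.exe|wevtutil cl application",
    # Domain controller inhibiting recovery, clearing logs, then pushing a GPO out.
    "2024-02-19T03:10:02|DC-01|NT AUTHORITY\\SYSTEM|lb3.exe|vssadmin.exe delete shadows /all /quiet",
    "2024-02-19T03:10:03|DC-01|NT AUTHORITY\\SYSTEM|lb3.exe|bcdedit /set {default} recoveryenabled No",
    "2024-02-19T03:10:03|DC-01|NT AUTHORITY\\SYSTEM|lb3.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2024-02-19T03:10:05|DC-01|NT AUTHORITY\\SYSTEM|lb3.exe|wbadmin delete catalog -quiet",
    "2024-02-19T03:10:07|DC-01|NT AUTHORITY\\SYSTEM|lb3.exe|wevtutil cl security",
    "2024-02-19T03:11:30|DC-01|NT AUTHORITY\\SYSTEM|lb3.exe|gpupdate.exe /force",
    # Workstation that received the payload: kills services, then wipes shadows.
    "2024-02-19T03:12:01|WS-FIN-07|CORP\\jdoe|lb3.exe|taskkill /f /im sqlservr.exe",
    "2024-02-19T03:12:02|WS-FIN-07|CORP\\jdoe|lb3.exe|net stop \"VSS\" /y",
    "2024-02-19T03:12:04|WS-FIN-07|CORP\\jdoe|lb3.exe|vssadmin delete shadows /all /quiet",
    # Unrelated activity.
    "2024-02-19T03:15:00|WS-HR-03|CORP\\asmith|explorer.exe|notepad.exe C:\\Users\\asmith\\notes.txt",
]

# (tactic label, regex over the command line). Each rule maps to one of the
# preparation steps described in the text.
RULES = [
    ("inhibit_recovery", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("inhibit_recovery", r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("inhibit_recovery", r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                         r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("inhibit_recovery", r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("clear_logs", r"\bwevtutil(\.exe)?\s+cl\s+\S+"),
    ("stop_services", r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*?/f)\b"),
    ("lateral_push", r"\b(psexec(\.exe)?\s+\\\\|gpupdate(\.exe)?\s+/force)"),
]
COMPILED = [(tactic, re.compile(pat, re.IGNORECASE)) for tactic, pat in RULES]


def parse_line(line):
    """Split one constructed log record into its fields."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "user": user, "parent": parent, "cmdline": cmdline}


def classify(cmdline):
    """Return the set of tactic labels whose patterns match one command line."""
    return {tactic for tactic, rx in COMPILED if rx.search(cmdline)}


def find_suspect_hosts(lines, window_minutes=30, min_tactics=2):
    """Flag hosts where recovery inhibition coincides with at least one other
    tactic inside a sliding window. Returns {host: {"tactics": [...],
    "commands": [...]}} for the earliest window that trips on each host."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        tactics = classify(ev["cmdline"])
        if tactics:
            per_host[ev["host"]].append((ev["time"], tactics, ev["cmdline"]))

    window = timedelta(minutes=window_minutes)
    findings = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(events):
            seen, commands = set(), []
            for t, tactics, cmd in events[i:]:
                if t - t0 > window:
                    break
                seen |= tactics
                commands.append(cmd)
            if "inhibit_recovery" in seen and len(seen) >= min_tactics:
                findings[host] = {"tactics": sorted(seen), "commands": commands}
                break  # report the first window that trips; later ones add nothing new
    return findings


if __name__ == "__main__":
    for host, detail in find_suspect_hosts(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(detail['tactics'])}")
        for cmd in detail["commands"]:
            print(f"    {cmd}")
```

Run against the constructed logs, the script flags DC-01 (recovery inhibition, log clearing and a forced Group Policy refresh within two minutes) and WS-FIN-07 (service kills followed by shadow-copy deletion), while ADMIN-01's two commands five hours apart stay below the threshold. Widening the window to a day would flag ADMIN-01 too, which is the trade-off a detection engineer tunes in practice: the tighter the window, the fewer benign maintenance runs it catches, at the cost of missing a slower, manual pre-encryption phase.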
Where things stand
In February 2024 an international law-enforcement operation code-named Cronos, led by the UK's National Crime Agency (NCA) and coordinated with Europol and partner agencies from other countries, took control of the darknet infrastructure of the LockBit ransomware group, which US authorities estimate had extracted about $91 million in ransoms from US victims alone since 2020. The seizure was reported to have been achieved through an unpatched PHP vulnerability on the gang's own servers. In its announcement on 20 February, the NCA reported two arrests, the freezing of more than 200 cryptocurrency accounts, and the recovery of over 1,000 decryption keys, which it used to help victims. The U.S. State Department underlined that the threat persists by offering rewards totalling up to $15 million for information on LockBit's leaders and affiliates. Within days LockBit's leadership resurfaced on new infrastructure, acknowledging that the takeover had come through a PHP flaw it had failed to patch and calling for its affiliates to attack US government targets.