Rising Threat from LockBit Ransomware

August 11, 2021

LockBit ransomware is the latest threat posing an increased risk for organizations. The ransomware gang has been making headlines recently, and now has reportedly compromised global consulting giant Accenture.

What Is LockBit?

LockBit is a cybercriminal gang that operates using a ransomware-as-a-service (RaaS) model—similar to DarkSide and REvil. LockBit offers its ransomware platform for other entities or individuals to use based on an affiliate model. Any ransom payments received from using LockBit are divided between the customer directing the attack and the LockBit gang.

LockBit is believed to be related to the LockerGoga and MegaCortex malware families. It shares common tactics, techniques, and procedures (TTPs) with them, particularly the ability to propagate automatically to new targets, use in targeted attacks rather than indiscriminate spamming or attacks on organizations, and reliance on underlying tools such as Windows PowerShell and Server Message Block (SMB).

Once a single host is compromised, LockBit can scan the network to locate and infect other accessible devices. It uses tools and protocols that are native to Windows systems—making it more difficult for endpoint security tools to detect or identify the activity as malicious.

The LockBit ransomware continues to adapt and evolve. More recent variants have adopted the double extortion model: locating and exfiltrating valuable data before encrypting systems. The stolen data provides additional incentive for victims to pay the ransom. Even if they can restore data from backups, refusing to pay the ransom may result in sensitive data being published or sold to competitors.

Rising Threat

The LockBit gang has been making headlines recently. In the wake of DarkSide and REvil both shutting down operations, it seems like LockBit may be working to fill the void.

Lawrence Abrams recently reported that the LockBit ransomware gang is actively recruiting insiders to help them breach and encrypt networks. According to Abrams, this may be a shift from the standard ransomware-as-a-service model to cut out the middleman and keep more of the ransom profit for themselves.

The wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems—promising payouts of millions of dollars.

LockBit has also reportedly compromised Accenture. The group reportedly revealed the attack on its dark web site, noting, “These people are beyond privacy and security. Hope their services are better than what I have seen inside. If you are interested in purchasing data sets, contact us.”

Protecting against LockBit Ransomware

There is no good option for an organization once a ransomware attack has compromised systems and encrypted data. That is especially true in the case of a double extortion attack. Refusing to pay the ransom means going through a painful process of restoring data from backups and trying to regain control and functionality of your systems while also accepting that your data will likely be exposed. Paying the ransom may allow the victim to become operational more quickly and prevent data from being published or sold, but research shows that 80% of companies that pay a ransom end up getting attacked again.

It is important to have effective protection in place to prevent the ransomware attack from getting that far in the first place. Organizations need to have an operation-centric view of the attack. The ability to view the entire malicious operation—or MalOp—and recognize indicators of behavior enables Cybereason to detect and block ransomware attacks and protect against threats like LockBit.

About the Author

Tony Bradley

Tony Bradley has a passion for technology and gadgets, and a desire to help others understand how technology can affect or improve their lives. In addition to writing and editing for Cybereason’s Malicious Life, Tony is a regular contributor to Forbes, DevOps.com, and ContainerJournal. He is an experienced information security professional, speaker, and author or co-author of 10 books and thousands of web and print articles. He was awarded the Microsoft MVP (Most Valuable Professional) award for 11 consecutive years, and has been a CISSP (Certified Information Systems Security Professional) since 2002.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Tony Bradley. Read the original post at: https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware

Tony Bradley

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 2 dogs, 4 cats, 3 rabbits, 2 ferrets, pot-bellied pig and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at [email protected]. For more from me, you can follow me on Twitter and Facebook.
