LockBit: The New “It Girl” of Ransomware
In 2019, the following ransomware strains were dominant in the U.S. according to safetydetectives.com: CryptoLocker, WannaCry, and CryptoWall. In Louisiana, Ryuk wreaked most of the havoc on the state’s networks in 2019. Today, there is a new, stealthier ransomware strain threatening business and government entities: LockBit.
In an April 30, 2020 collaborative report between McAfee and Northwave, LockBit is described as capable of neutralizing files trained to detect intrusions, automatically maneuvering and stealing credentials, and downloading stolen data. On the dark web, LockBit is the new “It girl” of ransomware. The product even requires a bitcoin deposit from customers seeking to deploy the code onto unsuspecting victims; the sellers of LockBit have that much confidence in the product.
Below are some interesting (and understandable) facts about LockBit for business owners and managers:
It targets the U.S., Europe, and certain Asian countries – excepting Russia (likely because it was born in Russia).
It gains access to networks through brute force password spraying (using the same weak password against several accounts to avoid lockouts) on an older VPN service and eventually finding an “administrator account” that provides LockBit all necessary network permissions.
Different from other ransomware, LockBit is not reliant on human errors from phishing or spear phishing.
With the “administrator account,” a LockBit hacker releases the ransomware code, which then spreads itself without the hacker remaining actively logged into the system. And, because operating systems using Microsoft have PowerShell, which is designed to allow network administrators manage an entire operating system without duplicating their own keystrokes, PowerShell will rapidly automate tasks across the operating system from the network administrator. In other words, LockBit uses PowerShell to become the “Simon says” of the entire network.
The malicious file downloaded from LockBit is a PNG file, which normally is an image. PNG files are not traditional red flags for ransomware. However, LockBit disguises its execution file as a PNG image to evade detection. Also, hidden by the PNG file is code intended to stop the following services: Symantex Antivirus, Norton Antivirus Event Manager, Apache Tomcat, Qihoo’s 360 Security product, and certain QuickBooks programs.
LockBit will actively look to spread to other networks using Server Message Block vulnerabilities.
LockBit assigns distinct key tags to each victim, the data stored in these keys belongs to the infected victim to identify it in the future.
LockBit’s ransomware notes and instructions are standardized. LockBit further provides a single-file warranty to the victim to demonstrate that if ransom is paid, a correct decryption key will be provided.
A “Help Desk” chat room through a Tor browser allows victims to communicate with the bad actors in real time during the decryption process.
In addition to LockBit’s technical agility, it also adds a layer of legal complexity. In past ransomware cases, a data breach was not presumed. Regardless of whether the ransom demand was paid, evidence that the encrypted data was copied, downloaded, or sold elsewhere by bad actors was often unavailable. And, without a reasonable suspicion of an actual breach, certain breach notification laws throughout the 54 states and territories in the U.S. were not triggered.
However, LockBit does copy victim data, individually label it, and if ransom is not paid, LockBit enables its user to sell or otherwise make the data available. According to ArsTechnica, other ransomware strains, namely Maze, Sodinokibi, Nemty, and DoppelPaymer are following suit. From a sinister business perspective, this makes sense. Breach notifications are expensive for businesses, in that breaches diminish public trust and goodwill, create potential liability for the business, and/or force the company to provide credit monitoring services to the victims (depending upon state law). This gives hackers leverage if they can properly quantify a ransom that is less than the likely costs and fees attributable to a breach.
Retaining a cybersecurity attorney with the technical knowledge of the various ransomware strains will not only assist your business with preventing attacks through lawful defensive and offensive efforts, but also with limiting liability and business interruption costs by carefully analyzing potential reporting obligations.