LockBit ransomware has struck again, this time hitting an organisation in West Africa in an attack that used stolen credentials. This particular variant, known as LockBit 3.0, had its builder leaked back in 2022, and Kaspersky researchers stumbled upon the latest version in March 2024 while responding to the incident in West Africa.
The attack method employed by LockBit is concerning due to its ability to generate customised ransomware, making defence a real challenge. In this instance, the attackers posed as administrators and infected numerous hosts with malware to penetrate deep into the victim’s network. The customised ransomware didn’t hold back, disabling Windows Defender, encrypting network shares, and even deleting Windows Event Logs to cover its tracks.
What makes this variant even more alarming is its capability to target specific systems and infect particular file types like .docx or .xlsx. According to Kaspersky’s Cristian Souza, the use of leaked privileged credentials grants attackers full control over the victim’s infrastructure, making detection and mitigation incredibly challenging.
While the organisation in West Africa seems to be the only victim in that region so far, Kaspersky notes that similar incidents have been detected elsewhere. LockBit’s appeal to attackers lies in its versatility and ease of use. Since its leak in 2022, threat actors have been actively using LockBit 3.0 to craft customised ransomware tailored to their needs.
Trend Micro’s recent report sheds light on LockBit’s significant presence in the ransomware landscape, attributing at least 25 per cent of all ransomware attacks in 2023 to the group. What makes LockBit even more attractive is its accessibility; it doesn’t require advanced programming skills, making it appealing to a wide range of threat actors.
Despite efforts by law enforcement, such as the Cronos Group’s takedown of LockBit’s infrastructure in February 2024, the group managed to bounce back within days, demonstrating its resilience.
In light of these developments, Kaspersky advises organisations to take proactive measures to protect themselves against LockBit attacks. These include deploying robust antimalware and endpoint detection solutions, implementing managed detection and response services, conducting regular vulnerability assessments and penetration tests, and ensuring regular backups of critical data.
Additionally, Souza recommends network segmentation, multifactor authentication, application whitelisting, and a well-defined incident response plan to bolster defences against LockBit and similar threats.

