LOCKBIT

1. Context

Recently, for the first time, reports emerged that LockBit ransomware was found to be targeting Mac devices. Cybercriminals have developed new ransomware encryptors designed to target macOS devices, making this the first major ransomware operation to specifically target Apple computers. The new encryptors target both older Macs and newer ones running on Apple Silicon. The same gang was also reportedly behind a cyberattack on U.K. postal services earlier this year, causing international shipping to grind to a halt.

2. What is LockBit Ransomware?

  • First reported in September 2019 and dubbed the “abcd” virus, due to the file extension used when encrypting victims’ files, the LockBit ransomware is designed to infiltrate victims’ systems and encrypt important files.
  • The virus is categorized as a “cryptovirus” due to its requests for payment in cryptocurrency to decrypt files on the victim’s device.
  • The ransomware is therefore typically deployed against victims who feel hindered enough by the disruption to pay heavy sums in exchange for access to the files and can afford to do so.
  • The gang behind the LockBit ransomware reportedly maintains a dark web portal to recruit members and release data of victims who refuse to meet their demands, as part of their business model.
  • In the past, LockBit ransomware has been used to target enterprises and organizations in the U.S., China, India, Ukraine, and Indonesia. Attacks have also been recorded throughout Europe, including France, Germany, and the U.K.

3. Working of LockBit Ransomware

  • It works as a self-spreading malware, not requiring additional instructions once it has successfully infiltrated a single device with access to an organizational intranet.
  • It is also known to hide executable encryption files by disguising them in the .png format, thereby avoiding detection by system defenses.
  • Attackers use phishing tactics and other social engineering methods to impersonate trusted personnel or authorities to lure victims into sharing credentials.
  • Sometimes, the ransomware has also used brute force to gain access to the intranet server and network of an organization.
  • Once it has gained access, the ransomware prepares the system to release its encryption payload across as many devices as possible.
  • It then disables security programs and other infrastructures that could permit system data recovery.
  • The goal is to ensure that data recovery without assistance from the LockBit gang is impossible.
  • After this is ensured, the ransomware places an encryption lock on all system files, which can only be unlocked via a custom key created by the LockBit gang.
  • The process leaves behind a ransom note, with instructions to restore the system, and has reportedly also included threatening blackmail messages.
  • Victims are then left with no choice but to contact the LockBit gang and pay up for the data, which the gang may sell on the dark web whether the ransom is paid or not.
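
The .png disguise described above can be checked from the defender's side by comparing a file's extension with its leading bytes. The following is an added example, not part of the original notes; the sample file names and contents are constructed, and a mismatch only marks a file as worth inspecting.

```python
import os
import tempfile

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Leading magic bytes of common executable formats (well-known values).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE",
    b"\x7fELF": "Linux ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}

def classify_header(header):
    """Label the first bytes of a file named *.png."""
    if header.startswith(PNG_SIGNATURE):
        return "png"
    for magic, name in EXECUTABLE_MAGIC.items():
        if header.startswith(magic):
            return "executable:" + name
    return "unknown"

def find_mismatched_pngs(root):
    """Return {relative path: verdict} for .png files that are not PNG images."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                verdict = classify_header(fh.read(8))
            if verdict != "png":
                findings[os.path.relpath(full, root)] = verdict
    return findings

def demo():
    """Scan a temporary directory of constructed sample files."""
    samples = {
        "logo.png": PNG_SIGNATURE + b"\x00\x00\x00\rIHDR",  # genuine PNG header
        "invoice.png": b"MZ\x90\x00" + b"\x00" * 60,        # PE header bytes
        "notes.png": b"plain text, not an image",            # neither
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return find_mismatched_pngs(tmp)

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(path, "->", verdict)
```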

4. Why is LockBit targeting macOS?

  • Historically, ransomware has targeted Windows, Linux, and VMware ESXi servers. However, LockBit is now working to create encryptors targeting Macs for the first time, a report from Bleeping Computer said.
  • Analysis of the encryptors revealed they were put together as a test, rather than an actual ready-to-use ransomware.
  • Experts believe that, after launching multiple attacks across Europe and Asia, the gang is developing tools to target macOS and further increase the scope of attacks to bring in more financial gains for the operation.

5. What actions have authorities taken?

  • Due to its ransomware-as-a-service model, the LockBit gang has been on the authorities’ radar for some time now.
  • In November 2022, a dual Russian and Canadian national with suspected links to the gang was arrested in Ontario, Canada, for his alleged involvement in attacks targeting critical infrastructure and large organizations.
  • The arrest came after similar action was taken in Ukraine, in October 2021, a report from TechCrunch said.
  • A press release from the U.S. Department of Justice notes that LockBit has claimed at least 1,000 victims in the U.S., extracting millions of dollars in the process.

6. Measures to protect systems against the LockBit ransomware

  • While there are no foolproof ways of protecting against ransomware attacks, organizations and individuals can take certain steps to increase resilience against such cyber threats.
  • Strong passwords, with varied special characters that are not easy to guess, should be used along with multi-factor authentication.
  • This ensures the use of brute force will not be enough to compromise systems.
  • Organizations can also undertake training exercises to educate employees about phishing attacks and how to identify them.
  • Old and unused user accounts should be deactivated and closed as they can become weak links in the security apparatus.
  • Additionally, organizations and individuals should have an understanding of cybersecurity threats and vulnerable points that may be exploited by cybercriminals.
For Prelims: LockBit ransomware, macOS, LockBit gang, Windows, Linux, and VMware ESXi servers, and Cybersecurity.
For Mains: 1. What is LockBit Ransomware? Discuss the Working of LockBit Ransomware and Measures to protect systems against the LockBit ransomware. (250 Words)
Source: The Hindu