LockBit Ransomware Explained

In the ever-evolving landscape of cyber threats, ransomware continues to pose significant risks to organisations worldwide. One of the most notorious ransomware strains is LockBit, particularly notable for its recent headline-making attack on Indonesia’s National Cyber and Encryption Agency, which led to a ransom demand of USD 8 million.

What is LockBit Ransomware?

LockBit ransomware is a highly sophisticated malware strain designed to encrypt files on infected systems and demand a ransom in exchange for the decryption key. It is a part of the Ransomware-as-a-Service (RaaS) model, allowing cybercriminals to purchase and deploy the malware with ease. LockBit is known for its speed and efficiency, often encrypting entire networks within minutes of infection.

LockBit utilises a robust encryption algorithm, typically AES-256, sometimes combined with RSA-2048, to render the victim's files inaccessible. Once a system is infected, the malware establishes communication with its command-and-control server, often hidden on the dark web, to receive instructions and upload stolen data. LockBit operators are known to exploit weaknesses in Remote Desktop Protocol (RDP) exposure and unpatched software to gain initial access to target systems. They also employ phishing campaigns with cleverly disguised emails to trick users into clicking malicious links or downloading infected attachments.

LockBit also employs advanced evasion techniques to avoid detection by anti-virus software and security protocols. It can disable security features, delete backup files, and spread laterally across networks, making it particularly challenging to contain.

Variants of LockBit ransomware have been developed in recent years, each with greater impact and stronger resistance to security controls. Below are the variants that have been identified so far:

  1. .abcd Extension: One of the earlier versions of LockBit ransomware deploys the “.abcd” extension to encrypted files. This variant quickly gained notoriety for its rapid encryption process and the significant impact it had on infected systems.
  2. .lockbit Extension: As LockBit evolved, it began using the “.lockbit” extension for encrypted files. This version introduced improvements in evasion techniques, such as code obfuscation and disabling security features from various anti-virus systems.
  3. LockBit 2.0: This variant introduced significant enhancements in encryption speed and evasion techniques. It can disable various security measures, spread laterally across networks, and delete shadow copies to hinder data recovery efforts.
  4. LockBit 3.0: The latest version of LockBit ransomware comes with additional features, including improved data exfiltration capabilities. It not only encrypts files but also steals sensitive data, threatening to publish or sell it if the ransom is not paid.
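The behaviours described above (rapid renaming of files to the “.abcd” or “.lockbit” extensions, and deletion of shadow copies) are the kind of signals a defender can look for in endpoint telemetry. The script below is an added example, not code from the original article, that runs two such checks over constructed sample events; the log format, the 60-second window, the five-rename threshold and the shadow-copy command-line pattern are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions named in the article for encrypted files; window and threshold are tuning assumptions.
RANSOM_EXTENSIONS = (".abcd", ".lockbit")
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5
# Assumed command-line fragments that indicate shadow-copy deletion (a recovery-hindering step).
SHADOW_DELETE = re.compile(r"(delete\s+shadows|shadowcopy\s+delete)", re.IGNORECASE)
EVENT = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) type=(?P<type>\w+) detail=(?P<detail>.*)$")

# Constructed sample telemetry (not real logs): a benign rename, a shadow-copy deletion,
# a burst of encryption-style renames on ws-17, and two slow renames on ws-02 that stay below threshold.
SAMPLE_EVENTS = [
    "2024-06-24T10:00:00 host=ws-17 type=rename detail=report.docx -> report-final.docx",
    "2024-06-24T10:00:05 host=ws-02 type=rename detail=notes.txt -> notes.txt.abcd",
    "2024-06-24T10:00:10 host=ws-17 type=process detail=cmd.exe /c vssadmin delete shadows",
    "2024-06-24T10:00:11 host=ws-17 type=rename detail=q1.xlsx -> q1.xlsx.lockbit",
    "2024-06-24T10:00:11 host=ws-17 type=rename detail=q2.xlsx -> q2.xlsx.lockbit",
    "2024-06-24T10:00:12 host=ws-17 type=rename detail=budget.pdf -> budget.pdf.lockbit",
    "2024-06-24T10:00:12 host=ws-17 type=rename detail=plan.pptx -> plan.pptx.lockbit",
    "2024-06-24T10:00:13 host=ws-17 type=rename detail=hr.csv -> hr.csv.lockbit",
    "2024-06-24T10:05:00 host=ws-02 type=rename detail=todo.txt -> todo.txt.abcd",
]

def parse(line):
    """Parse one event line into a dict, or return None for lines that do not match the format."""
    m = EVENT.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(lines):
    """Return (host, rule, evidence) alerts: shadow-copy deletion and per-host rename bursts."""
    alerts, fired = [], set()
    recent = defaultdict(deque)  # host -> timestamps of ransomware-style renames within the window
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        host, ts, detail = ev["host"], ev["ts"], ev["detail"]
        if ev["type"] == "process" and SHADOW_DELETE.search(detail):
            alerts.append((host, "shadow_copy_deletion", detail))
        elif ev["type"] == "rename" and detail.lower().endswith(RANSOM_EXTENSIONS):
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:  # drop renames that fell out of the sliding window
                q.popleft()
            if len(q) >= BURST_THRESHOLD and host not in fired:
                fired.add(host)
                alerts.append((host, "encryption_burst", f"{len(q)} renames within {BURST_WINDOW.seconds}s"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises two alerts for ws-17 and none for ws-02, whose two renames are too far apart to count as a burst.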

Protecting Against LockBit

To safeguard against LockBit ransomware, organisations should implement robust cybersecurity measures, such as:

  1. Regular Backups: Maintain up-to-date backups of critical data and ensure they are stored offline or in a secure, isolated environment.
  2. Email Security: Implement advanced email security filtering to detect and block phishing attempts and malicious attachments.
  3. Endpoint Protection: Use comprehensive endpoint security solutions to detect and prevent malware infections.
  4. Employee Training: Educate employees about the dangers of phishing and the importance of following best practices.
  5. Incident Response Plan: Develop and regularly update an incident response plan to quickly address ransomware infections and minimise damage.

Cybersecurity Asia (CSA) has covered more detailed insights on how to combat ransomware threats, including LockBit, and bolster your cybersecurity resilience against them. You may read the article here.

© Asia Online Publishing Group Sdn Bhd 2024