Published on August 12, 2021

A New Era of Ransomware and its Affiliates: LockBit 2.0

Following REvil’s sudden disappearance, the empty niche in the RaaS (Ransomware as a Service) ecosystem has quickly been occupied by a new actor: LockBit that recently unveiled their LockBit 2.0 ransomware, capable of impressive encryption speeds – according to their own benchmarks – a full-fledged exfiltration service and a new affiliate program.

Soon after its announcement, the affiliate program has been joined by several parties making LockBit the most active ransomware actor throughout June, July and so far August.Gaining insights into LockBit operations is essential to keeping larger infrastructure secure and understanding their modus operandi also helps to understand the reason for such a sudden success.

New call-to-action

Understanding LockBit 2.0

LockBit operates as a Ransomware as a Service where affiliates, once accepted into the program, are given access to the ransomware and related exfiltration infrastructure. Affiliates take on the burden of gaining (or purchasing) access to the victim’s infrastructure, obtain data of interest and deploy the ransomware and the stealer. In exchange for the access to such services & tools, LockBit’s authors require the payment of a fee.

Lockbit 2.0 touts enhancements in encryption speeds and the added capability of manipulating the configuration of Windows Group Policies. By adjusting these settings, the ransomware reduces the affected system’s security profile, lowering the chance of detection and recovery. As with all other modern ransomware, LockBit2.0 Ransomware often adopts a dual-extortion scheme where cyber criminals exert additional pressure by threatening to release stolen content to the public.

Showcase of LockBit 2.0 features available to affiliates

Following a scheme commonly adopted by regular commercial companies, LockBit 2.0 has started to provide comparative tables against its competitors, emphasizing their ransomware encryption speed and their new stealer service that requires only 1 minute and 59 seconds to steal 10Gb of data. 

Stealer benchmarks showcased on LockBit’s affiliate program page

Through its affiliate program, Lockbit2.0 incentivises other threat actors to leverage their tools to compromise networks and systems. This approach is promoting the emergence of highly specialized threat actors focusing on specific areas: initial access, lateral movement, data exfiltration, data encryption etc. LockBit2.0 has since garnered world-wide attention and gained significant traction.

MSP Compromise

In August 2021 LockBit affiliates were particularly active, targeting large Managed Security Providers and using them as a pivot point to attack their customers. While assisting one of the victims, ReaQta and its partners tracked the initial access to a privileged maintenance account used by the MSP and reused by attackers  to access the victim’s infrastructure and exfiltrate information before encrypting it. The ransomware, upon activation, removed and disabled the system’s shadow copies and cleaned up the event logs.

ReaQta-Hive’s Behavioural Tree showing removal and disabling of the system shadow copies and cleaning up of event logs.

MSP compromise is a high-reward strategy for ransomware actors, normally MSPs enjoy privileged access to their customers’ networks, presenting a very appealing path for actors looking to coordinate multiple attacks from a single point and reducing the risk of discovery. This approach is not new and it’s been widely explored by sophisticated state actors, such as APT10 during the CloudHopper campaign that followed a similar set of TTPs, namely: initial access via spear-phishing and credentials reuse to move from the MSP network into the victims’ infrastructure. 

New call-to-action

Attackers Keep Innovating

The profitability of ransomware attacks is creating strong incentives for criminal groups to specialize. The influx of money is enabling access to a larger pool of talents in different areas and more sophisticated tools, including 0-day exploits or vulnerabilities, As threat actors continue to innovate and develop new attack vectors, it is crucial for organizations to adopt technologies that can detect and stop sophisticated and unknown threats – ranging from ransomware to fileless and in-memory attacks. Ransomware has evolved quickly since 2018, moving from regular users to the large enterprise and adopting a sophisticated attack scheme where the ransomware itself is only the last step of a complex breach.

Through the use of dedicated AI and ML engines, ReaQta-Hive provides real-time visibility over the infrastructure, for early detection of compromise and it natively detects the ransomware’s behaviour and actively mitigates threats as they unfold. Providing an all-around protection from the initial stages of the attack to the final ransomware deployment.

We can see LockBit 2.0 ransomware in action below:

ReaQta-Hive’s Behavioral Tree showing the Lockbit 2.0 ransomware

Upon execution, ReaQta-Hive reconstructs the infection chain in no time, presenting process and behavioral information in a storyline-like way to help analysts identify associated malicious and anomalous techniques swiftly. Via the behavioural tree, complete response options are also presented to aid quickly remediate and contain the threat.

Lockbit2.0 is automatically detected and blocked by ReaQta-Hive

ReaQta-Hive’s proprietary ransomware detection engines automatically identify and block the threat without any user intervention and without requiring any data restoration to a prior point in time. ReaQta’s AI automatically terminates all malicious processes involved in the incident, thereafter closing off the alert, reducing the need and workload for additional actions by the security team.

ReaQta Hive-Cloud’s Layered Defense Approach

Hive-Cloud Trigger Activation

When new security threats are identified, Hive-Cloud is automatically activated, providing additional analysis, seamlessly via cloud intelligence. Lockbit2.0 was initially detected as ransomware and blocked by the first layer of defense. Simultaneously, Hive-Cloud investigates the behaviors with ReaQta’s integrated threat intelligence sources, providing additional confirmation of the threat. Within external intervention, Hive-Cloud confirmed that Lockbit 2.0 was indeed malicious and activated an additional level of protection. With ReaQta’s AI engines and a comprehensive multi-layered defense approach organizations can obtain real-time visibility, protection and automated response with no delays.