
Expansion of the LockBit Ransomware

Alongside a MITRE ATT&CK mapping, the researchers also published indicators of compromise.


To keep the public informed about emerging threats, the Cybereason Global Security Operations Center (GSOC) Team publishes Cybereason Threat Analysis Reports. These reports examine specific threats and offer recommendations for defending against them.

LockBit, first identified in September 2019, operates under the ransomware-as-a-service (RaaS) model and targets businesses. Its operators keep refining their techniques for disabling endpoint detection and response (EDR) tools and other security solutions.

Ransomware Variants

LockBit RaaS lets affiliates run their own attacks using the ransomware infrastructure and tooling already in place, in exchange for a share of the ransom payments.

In the first attack the researchers were able to document, in Q4 2021, affiliates of the LockBit gang used their own malware and tools to compromise the targets. In most of the infections examined, the threat actors got into the target networks by abusing a misconfigured service, typically an RDP port left exposed to the internet.

After gaining an initial foothold on the vulnerable network, the attackers moved on to reconnaissance and credential extraction. In this case they used tools such as Netscan to map the network's structure and locate valuable assets, and Mimikatz to extract credentials.

The researchers also describe a second infection, from Q2 2022, and walk through its phases: initial compromise, lateral movement, establishing persistence, privilege escalation, and finally deployment of the ransomware.

The attackers used net.exe to create domain accounts and grant themselves 'domain administrator' rights, then used those accounts to spread through the victim's network and maintain persistence. The researchers also found the attackers using Ngrok, a legitimate reverse-proxy tool that let them tunnel to servers behind firewalls.

The threat actors also infected additional machines in the target network with 'Neshta', a file infector that inserts malicious code into executable files.

Data Exfiltration

Once the LockBit affiliate had secured persistent remote access and the necessary credentials, the data was collected and exfiltrated. The actors used three different tools for this:
  • Filezilla.exe, used to connect to an attacker-controlled remote FTP server.
  • Rclone.exe, used to exfiltrate data to a cloud hosting provider associated with 'Mega'.
  • Megasync.exe, used to exfiltrate data to a 'Mega'-related cloud hosting provider.
At this point the LockBit affiliate has completed every step needed to run the LockBit payload and start encryption:
  • Persistence on several compromised devices.
  • Access to highly privileged accounts.
  • Victim data collected and exfiltrated.
  • A list of the most valuable assets, discovered through network scans.
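The tradecraft described above (net.exe used to create a domain account and add it to Domain Admins, Ngrok for tunnelling, and Rclone, Megasync and FileZilla for exfiltration) is visible in process-creation telemetry. As an added example, not from the Cybereason report or this post, the Python script below runs simple detection rules over a handful of constructed process-creation events. The pipe-delimited event format, host names, file paths and command lines are all made up for the demonstration; the tool names come from the post, while the regexes and severity ratings are my own choices rather than the report's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation events (hypothetical EDR export, not data from the
# report): host | parent image | image path | command line
SAMPLE_EVENTS = [
    "WS01|explorer.exe|C:\\Windows\\System32\\net.exe|net user svc_backup P@ss123 /add /domain",
    "WS01|cmd.exe|C:\\Windows\\System32\\net.exe|net group \"Domain Admins\" svc_backup /add /domain",
    "WS01|cmd.exe|C:\\Users\\Public\\ngrok.exe|ngrok tcp 3389",
    "FS02|cmd.exe|C:\\Tools\\rclone.exe|rclone copy D:\\Finance mega:finance-backup --transfers 32",
    "FS02|explorer.exe|C:\\Program Files\\MEGAsync\\megasync.exe|megasync.exe",
    "FS02|explorer.exe|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe|filezilla.exe",
    "WS03|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
]


@dataclass
class Rule:
    name: str
    severity: str
    image: str          # regex matched against the image file name (case-insensitive)
    cmdline: str = ""   # regex matched against the command line; "" means any


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    cmdline: str


# Rules modelled on the behaviour the post describes. Regexes and severities are
# my own; tune them to your environment before deploying anything like this.
RULES = [
    Rule("domain account created with net.exe", "high",
         r"^net1?\.exe$", r"\buser\b.*/add\b.*/domain\b"),
    Rule("account added to Domain Admins with net.exe", "critical",
         r"^net1?\.exe$", r"\bgroup\b.*domain admins.*/add\b"),
    Rule("ngrok tunnel client executed", "high", r"^ngrok\.exe$"),
    # rclone copy/sync/move with a named remote ("mega:", "s3:", ...) on the
    # command line; a bare local drive letter such as "D:" is a single
    # character before the colon and deliberately does not match.
    Rule("rclone transfer to a cloud remote", "high",
         r"^rclone\.exe$", r"\b(copy|sync|move)\b.*\s[a-z][\w-]+:"),
    Rule("MEGAsync client executed", "medium", r"^megasync\.exe$"),
    Rule("FileZilla FTP client executed", "medium", r"^filezilla\.exe$"),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event into its four fields."""
    host, parent, image, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}


def image_name(path: str) -> str:
    """Return the lowercase file name of an image path, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(events: List[str]) -> List[Finding]:
    """Apply every rule to every event; one event may trigger several rules."""
    findings: List[Finding] = []
    for line in events:
        ev = parse_event(line)
        name = image_name(ev["image"])
        for rule in RULES:
            if not re.search(rule.image, name, re.IGNORECASE):
                continue
            if rule.cmdline and not re.search(rule.cmdline, ev["cmdline"], re.IGNORECASE):
                continue
            findings.append(Finding(ev["host"], rule.name, rule.severity, ev["cmdline"]))
    return findings


def by_host(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group triggered rule names per host so the whole chain on one machine is visible."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.host, []).append(f.rule)
    return grouped


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.host}: {f.rule} :: {f.cmdline}")
```

Rclone, MEGAsync and FileZilla are legitimate, widely used programs, which is why their rules carry lower severity here: on their own they are a lead to correlate with the account-creation, group-membership and tunnelling findings on the same host (the `by_host` grouping exists for that reason), not a standalone alert. The net.exe rules are the high-confidence ones, since adding a freshly created account to Domain Admins from a workstation has very few benign explanations.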
The LockBit operation recently launched LockBit 3.0, which brings significant changes such as a bug bounty program, Zcash payments, and new extortion techniques. The group has been active since at least 2019 and is now one of the most active ransomware gangs.