Researchers have investigated on how LockBit, one of the more recent ransomware organisations, operates.
As per the instances this year, ransomware has emerged as one of the most disruptive forms of cybercrime. So far, the world has witnessed the Colonial Pipeline ransomware crisis, which resulted in fuel supply shortages throughout sections of the United States; continuous troubles with Ireland's national health care; and systematic interruption for meat processing major JBS as a result of the infection.
By 2031, ransomware assaults are expected to cost $265 billion globally, and settlements are now routinely in the millions of dollars, as in the case of JBS. However, there is no guarantee that decryption keys are suitable for their intended use, or that paying once guarantees that a business will not be targeted again.
According to a Cybereason report issued this week, up to 80% of organisations that were victimised by ransomware and paid the ransom have experienced a second attack, possibly by the same threat actors.
The danger of ransomware to businesses and essential infrastructure has grown to the point where it was brought up during a meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit.
Prodaft Threat Intelligence (PTI) published a study (.PDF) on LockBit and its affiliates on Friday.
According to the study, LockBit, which was previously known as ABCD, uses a RaaS model to give affiliate groups a central control panel where they can produce new LockBit samples, monitor their victims, make blog articles, and view statistics on the success — or failure — of their attacks.
LockBit affiliates frequently purchase Remote Desktop Protocol (RDP) access to servers as an initial attack vector, however, they may also employ traditional phishing and credential stuffing approaches.
"Those kinds of tailored access services can be purchased in as low as $5," Prodaft says, "making this approach very lucrative for affiliates."
Exploits are also utilised to attack vulnerable systems, including Fortinet VPN vulnerabilities on victim machine that have not been fixed.
As per the forensic studies of machines attacked by LockBit affiliates, threat organisations will frequently try to find "mission-critical" systems first, such as NAS devices, backup servers, and domain controllers. The data is subsequently exfiltrated, and packages are typically uploaded to services such as MEGA's cloud storage platform.
After that, a LockBit sample is manually installed, and files are encrypted using an AES key that is generated. Backups are erased, and the system wallpaper is replaced with a ransom notice with a link to a.onion website address where decryption software can be purchased.
The website also offers a free decryption 'trial,' in which one file (less than 256KB in size) can be decoded.
If victims contact attackers, a chat window in the LockBit panel is used to communicate with them. The ransom demand, payment date, method (typically in Bitcoin (BTC)), and directions on how to obtain bitcoin are frequently discussed.
Prodaft gained access to the LockBit panel, which revealed affiliate usernames, victim counts, registration dates, and contact information.
The study team stated that evidence in the affiliate names and addresses indicate that some may also be linked with Babuk and REvil, two other RaaS organisations; however, the inquiry is still ongoing.
LockBit affiliates look for an average of $85,000 from each victim, with 10 to 30% of that going to the RaaS operators, and the ransomware has attacked thousands of machines around the world. The software and services industry accounted for more than 20% of the victims on the dashboard.
"Commercial and professional services as well as the transportation sector also highly targeted by the LockBit group," Prodaft says. "However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim."
LockBit's leak site was unavailable at the time of publication. After breaking into LockBit's systems, the researchers decrypted all of the platform's accessible victims.