The Health Sector Cybersecurity Coordination Center issued a threat briefing on LockBit, a ransomware gang that recently published a new variation. The hackers were behind the widely publicized ransomware attack on Accenture this summer, in which the firm was supposedly held hostage for $50 million. Threat actors claimed to have acquired more than six terabytes of data, according to researchers from the cyber intelligence firm Cyble.
"Through our security controls and protocols, we identified irregular activity in one of our environments," said Accenture in a statement. "We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from backup. There was no impact on Accenture's operations, or on our clients' systems."
According to Eleanor Barlow, content manager at SecurityHQ, LockBit attacks are recognized for their ability to encrypt Windows domains using Active Directory group settings. When a domain is compromised, the malware generates new group policies and sends them to networked devices. The policies in this case disable antivirus protection and allow malware to be installed.
"Threat actors continue to view unpatched systems as an easy, if not preferred, method of intrusion," wrote officials from the cybersecurity arm of the U.S. Department of Health and Human Services in its brief.
LockBit was founded in September 2019 and began advertising its "ransomware as a service" affiliate scheme in January 2020, according to HC3. In May 2020, it began collaborating with Maze, another ransomware organization, and in September of the same year, it launched its own leak site. LockBit v2.0 was released in June of this year. Now, according to HC3, it employs a double extortion scheme involving the StealBit malware. It has improved encryption and circumvents user account control methods.
It also relaunched its affiliate programme, in which affiliates determine the ransom, choose the payment method, and receive the majority of the money before paying the gang. Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan are not part of the Commonwealth of Independent States.
According to HC3, hospitals are simple targets, but the LockBit affiliate showed "a great dislike for people who attack healthcare companies while providing contradicting information regarding whether he targets them himself." Although the United States has lucrative targets, data privacy regulations mandating victim organizations to notify all breaches have lowered the incentive for such entities to pay the ransom, according to HC3.