The LockBit ransomware gang is using several different automation tools and techniques to enable the crypto-locking malware to quickly spread through compromised networks and assist in selecting targets.
LockBit ransomware encrypts victims’ data and exfiltrates it, extorting targets into paying a ransom to avoid having that data publicly released. Malware analysts have also noted that other hacking syndicates, including the Maze gang, cross-reference LockBit victims on their leak sites, which disclose details of various attacks and name the victims.
LockBit leaves few forensic traces, and according to Sean Gallagher, Senior Threat Researcher at Sophos: “It’s not clear what the initial compromise was across these organizations, as we had no visibility into the event.” He added: “But it appears all of the activity in the attacks we analyzed here were initiated from a single compromised server within the network used as the ‘mothership’ for the LockBit attack.”
LockBit Uses PowerShell
Researchers have also found that LockBit uses several PowerShell scripts that help automate the intrusion. These scripts look for specific running processes that indicate financial software, such as tax accounting and point-of-sale applications, and use the results to rank potential targets. The same PowerShell tooling also helps the malware spread across entire networks quickly, locking victims’ files almost immediately.
“We’ve seen ransomware shut down business applications upon execution, but this is the first time we’ve seen attackers looking for certain types of applications in an automated approach to score potential targets,” said Sean Gallagher, Senior Threat Researcher at Sophos.
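To make the application-scoring behaviour described above concrete, the following PowerShell is an added illustration written for this page; it is not LockBit’s script and not Sophos’s code. It enumerates running process names and installed-application display names on a Windows host, scores the host against a keyword list, and then checks whether PowerShell Script Block Logging is turned on, which is what would let a defender see this kind of discovery activity. The keyword list, the weights and the function names are assumptions chosen for the example.

```powershell
# Added example, not LockBit's actual tooling. Keyword list and weights are
# assumptions standing in for the "tax accounting / point-of-sale" categories
# named in the article.
$Keywords = @{
    'QuickBooks' = 3   # assumed accounting software name
    'Sage'       = 3   # assumed accounting software name
    'TurboTax'   = 3   # assumed tax software name
    'POS'        = 2   # point-of-sale
    'Retail'     = 1
}

# Installed applications, from the Uninstall registry keys (32- and 64-bit views).
function Get-InstalledApplicationNames {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName
}

# Score a list of names (process names plus application names) against the keywords.
# Each keyword counts once, however many names match it.
function Get-HostApplicationScore {
    param(
        [string[]]$Names,
        [hashtable]$Weights
    )
    $score = 0
    $found = @()
    foreach ($kw in $Weights.Keys) {
        $hits = @($Names | Where-Object { $_ -like "*$kw*" })
        if ($hits.Count -gt 0) {
            $score += $Weights[$kw]
            $found += $hits
        }
    }
    [pscustomobject]@{
        Score   = $score
        Matches = @($found | Sort-Object -Unique)
    }
}

# Defender-side check: would the discovery above have been recorded?
# Script Block Logging writes Event ID 4104 to Microsoft-Windows-PowerShell/Operational.
function Test-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $val = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.EnableScriptBlockLogging -eq 1)
}

$names = @(Get-Process | Select-Object -ExpandProperty ProcessName) +
         @(Get-InstalledApplicationNames)
Get-HostApplicationScore -Names $names -Weights $Keywords | Format-List

if (Test-ScriptBlockLogging) {
    'Script Block Logging is enabled; PowerShell discovery like this is recorded as Event ID 4104.'
} else {
    'Script Block Logging is NOT enabled; PowerShell-driven discovery will leave few traces.'
}
```

Run it in an elevated PowerShell session so the HKLM registry views are readable. The last check is the practical takeaway: the article notes that LockBit leaves few forensic traces, and with Script Block Logging (and, ideally, PowerShell transcription) disabled, process and application enumeration of this kind produces no event for a SOC to alert on.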
LockBit and Automation
Although it has not been determined exactly how LockBit attacks start, researchers have found a consistent pattern of extensive PowerShell use in the later stages of LockBit deployment. LockBit operators use a weaponized version of PowerShell Empire to collect data on potential victims as they prepare to deploy the ransomware.
LockBit Obtained Information Goes On Sale on Hacker Forums
The information and access obtained through LockBit attacks are sometimes offered for sale on hacker forums. Although hacking as a whole has grown in profitability since 2020, a report from threat intelligence firm KELA indicates that the “number of offers for network access and their median prices on the public posts on hacker forums dropped in the final quarter of last year.”
For only $1,500 to $2,000, criminals can buy domain admin rights for a medium-sized company with fewer than a thousand employees. A price that low lowers the barrier to entry and will draw many more small-time criminals into the online criminal underworld.
Additionally, the surge in remote working and distance learning caused by COVID-19 has increased the number of potentially vulnerable victims and created favourable conditions for LockBit and other ransomware operators to expand their activities.