A deep dive into LockBit ransomware can educate defenders on how hackers are also undergoing digital transformation for obfuscation and reconnaissance.

The latest research in LockBit ransomware has unveiled an emerging trend: hackers are using automation and pentesting tools approved within systems to sharpen their attacks.

A deep dive by Sophos researchers into LockBit showed that the hacker group was expanding into the targeted extortion business alongside Maze and REvil. The ransomware uses PowerShell tools to search for specific business applications on breached networks, including tax and point-of-sale software. If a fingerprint generated by this search meets the keyword criteria, the tools automatically execute a number of tasks, including launching the LockBit ransomware.

Throughout an attack, the operators also make extensive use of PowerShell, repurposing the code to suit their needs. To evade detection, LockBit’s tactics include renaming PowerShell files and using a remote Google document for command and control communications. Due to the highly-automated nature of the attacks, the ransomware, once launched, can spread across the network within five minutes, wiping its activity logs along the way.

First instance of automated targeting

Said Sean Gallagher, Senior Threat Researcher, Sophos: “LockBit’s interest in specific business applications and keywords indicates the attackers were clearly looking to identify systems that are valuable to smaller companies—the systems that store financial information and handle daily business—in order to pressure victims to pay, and pay faster. We’ve seen ransomware shut down business applications upon execution, but this is the first time we’ve seen attackers looking for certain types of applications in an automated approach to score potential targets.”

The LockBit hacker group appears to be following other ransomware groups, including Ryuk—which are adapting tools developed for penetration testing to automate and accelerate their attacks. Gallagher continued: “In this case, the PowerShell scripts help the attackers identify systems that have applications with particularly valuable data, so that they don’t waste their time encrypting or ‘supporting’ victims that are less likely to pay. They are using these tools in an automated fashion to cast as wide a net as possible, while limiting their actual hands-on-keyboard activity, to track down the most promising victims.”

Layers of obfuscation

The LockBit attackers now conceal their activities by making them look like normal automated administrative tasks. They do this by abusing native tools: creating disguised copies of Windows scripting components (VBscript host) and then using Windows’ task scheduler to launch them. They have also modified the built-in anti-malware protection, so it could not function.

“The only way to defend against these types of ransomware attacks is to have defense-in-depth, with a consistent implementation of malware protection across all assets. If services are left exposed or misconfigured, attackers can easily leverage them,” said Gallagher.