Cited by US law enforcement agencies as one of the most prolific threat groups, the LockBit ransomware operation is evolving rapidly

With an increase in global attacks involving LockBit ransomware, the federal law enforcement agencies in North America (the FBI, DHS and CISA) issued a joint advisory earlier this year on proactive cyber measures.

First launched in 2019, when it infected thousands of organizations, LockBit (now at version 3.0 this year) has become one of the most prolific ransomware strains, according to some cybersecurity industry experts.

Recent observations released by one firm, Cybereason, describe three characteristics of the threat group:

  1. Intensive data exfiltration: Large amounts of information are exfiltrated mostly using FTP and cloud file hosting solutions.
  2. Constantly evolving tools and techniques: LockBit operates on a Ransomware-as-a-Service model. The affiliates that use LockBit’s services conduct their attacks according to their preferences and use different tools and techniques to achieve their goal. As the attack progresses further along the kill chain, the activities from different cases tend to converge to similar activities.
  3. EDR evasiveness: The threat group constantly evolves its tactics, techniques and procedures, just as endpoint detection and response solution vendors do. The group thus strives to make detection, investigation and prevention more complex by disabling such security products and deleting evidence to thwart forensic attempts.

According to Kaspersky, three versions of LockBit are circulating in the wild: the first variant renames encrypted files with the “.abcd” extension, and the later ones use the “.LockBit” extension. LockBit version 2 no longer instructs victims to download the Tor browser for ransom instructions, but sends them to an alternative website reachable over the regular, uncloaked internet.
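The file-extension detail above is one of the few indicators a defender can act on directly. The following script is an added example written for this article, not code from Kaspersky, Cybereason or the LockBit advisory; it shows how a simple detection would turn that detail into an alert by counting renames to the ".abcd" or ".LockBit" extension per host inside a sliding time window. The log line format, the hostnames, the threshold of five renames and the two-minute window are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article attributes to LockBit variants
# (first variant: ".abcd"; later variants: ".LockBit"). Keys are lowercase.
LOCKBIT_EXTENSIONS = {".abcd": "LockBit v1", ".lockbit": "LockBit v2/v3"}

# Tuning values: both are assumptions for this example, not from the article.
RENAME_THRESHOLD = 5            # renames on one host within WINDOW that trigger an alert
WINDOW = timedelta(minutes=2)   # sliding window length

# Assumed file-event log format (constructed for this example):
#   <ISO timestamp> host=<name> action=<create|rename|delete> path=<path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)

# Constructed sample events: ws-17 renames five files to .LockBit in a few
# seconds (plus one more much later), fs-02 has a single .abcd rename, and
# ws-03 only creates an ordinary file.
SAMPLE_LOG = """
2022-10-03T09:00:01 host=ws-17 action=rename path=C:/Users/a/Documents/q1.xlsx.LockBit
2022-10-03T09:00:02 host=ws-17 action=rename path=C:/Users/a/Documents/q2.xlsx.LockBit
2022-10-03T09:00:02 host=ws-17 action=rename path=C:/Users/a/Documents/plan.docx.LockBit
2022-10-03T09:00:03 host=ws-17 action=rename path=C:/Users/a/Pictures/img1.jpg.LockBit
2022-10-03T09:00:04 host=ws-17 action=rename path=C:/Users/a/Pictures/img2.jpg.LockBit
2022-10-03T09:00:30 host=fs-02 action=rename path=D:/share/old.abcd
2022-10-03T09:05:00 host=ws-03 action=create path=C:/tmp/notes.txt
2022-10-03T09:10:00 host=ws-17 action=rename path=C:/Users/a/Desktop/late.txt.LockBit
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "action": m["action"],
        "path": m["path"],
    }


def lockbit_extension(path):
    """Return the variant label if the path ends in a LockBit-style extension, else None."""
    dot = path.rfind(".")
    if dot == -1:
        return None
    return LOCKBIT_EXTENSIONS.get(path[dot:].lower())


def find_suspicious_hosts(lines):
    """Return {host: (variant, max_count)} for every host whose renames to a
    LockBit extension reach RENAME_THRESHOLD inside some WINDOW-long window."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "rename":
            continue
        variant = lockbit_extension(ev["path"])
        if variant:
            per_host[ev["host"]].append((ev["ts"], variant))

    flagged = {}
    for host, events in per_host.items():
        events.sort()
        start, best, best_variant = 0, 0, None
        for end in range(len(events)):
            # Advance the window start until it fits within WINDOW of the newest event.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_variant = count, events[end][1]
        if best >= RENAME_THRESHOLD:
            flagged[host] = (best_variant, best)
    return flagged


if __name__ == "__main__":
    for host, (variant, count) in find_suspicious_hosts(SAMPLE_LOG.strip().splitlines()).items():
        print(f"ALERT {host}: {count} renames to a {variant} extension within {WINDOW}")
```

On the constructed sample only ws-17 is flagged: its five renames fall inside one window, while the sixth rename ten minutes later and the single ".abcd" rename on fs-02 do not reach the threshold. In practice the extension list is a weak, variant-specific signal that should sit beside behavioural indicators such as the mass rename rate itself and the EDR tampering the Cybereason findings describe.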

LockBit 3.0, discovered in March 2022, now has a new double-threat extortion model, allowing stolen data to be bought on the threat actors’ leak site via peer-to-peer downloading (for large data dumps) or direct downloads (for smaller packages). The group even offers a bug bounty program to entice hackers to find flaws in its code.