With the LockBit ransomware, attackers can break into a corporate network and use the malware's self-spreading feature to encrypt hundreds of devices in just a few hours.
First seen in September 2019, LockBit is a relatively new ransomware-as-a-service (RaaS) in which the developers are responsible for the payment site and for developing the malware, while recruited affiliates distribute the ransomware.
LockBit ransom note
Under this arrangement, the LockBit developers typically earn around 25-40% of a ransom payment, while the affiliates keep the larger share, around 60-75%.
Enterprise network encrypted in three hours
A new joint report by researchers from McAfee Labs and the cybersecurity company Northwave gives an overview of how the LockBit ransomware entered a company's network and encrypted approximately 25 servers and 225 workstations.
It was all done in just three hours.
According to Patrick Van Looy, cybersecurity specialist at Northwave, the attackers gained access to the network by brute-forcing an administrator account on an outdated VPN service.
In most attacks, intruders still have to obtain administrator credentials after breaking into the network; because these attackers already held an administrator account, they had a head start and could quickly deploy the ransomware across the network.
"In this particular case it was a classic hit-and-run. After the attacker gained access through the brute-forced VPN, he almost immediately started the ransomware (which he could do because he had the administrator account). The initial access took place around 1 a.m., after which the ransomware was deployed, and the intruder logged off around 4 a.m. It is the only interaction we have seen," Van Looy told BleepingComputer by e-mail.
Not all devices on the network were encrypted, which Van Looy attributes to a bug in the ransomware that caused it to crash.
For the systems that were encrypted, the job was done quickly thanks to an interesting feature built into LockBit.
Self-spreading LockBit
McAfee's analysis shows that the LockBit ransomware includes a feature that allows it to spread itself to other computers on the network.
When it runs, in addition to encrypting the device's files, LockBit sends ARP requests to find other active hosts on the network and then tries to connect to those hosts via SMB.
Connecting to other computers via SMB
If the ransomware can connect to a computer via SMB, it issues a remote PowerShell command on that computer to download and execute the ransomware there.
LockBit ransomware download-and-execute command
As more computers on the network become infected, each newly infected computer in turn helps speed up the deployment of the ransomware to the remaining computers.
This feature allowed the attackers to break into the network and automatically encrypt 225 computers in just three hours.
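The spreading behaviour described above has a distinctive network signature from a defender's point of view: a single workstation that normally talks SMB to one or two file servers suddenly opens SMB sessions to many distinct peers within seconds. The following Python script is an added example (not code from the article, McAfee or Northwave) that flags that fan-out in connection logs. The log lines, host addresses and timestamps are constructed for the example and use a Zeek conn.log-like tab-separated layout (ts, originator, responder, responder port, protocol); the threshold values are assumptions to be tuned per environment.

```python
"""
Detect worm-like SMB fan-out: one originating host connecting to many distinct
responders on TCP/445 inside a short time window.  Added example, not part of the
original article.  Sample data below is constructed, not captured traffic.
"""
from collections import defaultdict

# Constructed sample in Zeek conn.log-like layout: ts  orig_h  resp_h  resp_p  proto
# 10.0.0.15 fans out to seven peers in ~2.5 s (self-spreading pattern).
# 10.0.0.30 talks repeatedly to one file server (benign, one distinct peer).
# 10.0.0.40 reaches three peers plus an HTTPS connection (below threshold).
SAMPLE_CONN_LOG = """\
# ts\torig_h\tresp_h\tresp_p\tproto
1589000000.10\t10.0.0.15\t10.0.0.20\t445\ttcp
1589000000.35\t10.0.0.15\t10.0.0.21\t445\ttcp
1589000000.60\t10.0.0.15\t10.0.0.22\t445\ttcp
1589000001.02\t10.0.0.15\t10.0.0.23\t445\ttcp
1589000001.40\t10.0.0.15\t10.0.0.24\t445\ttcp
1589000001.88\t10.0.0.15\t10.0.0.25\t445\ttcp
1589000002.30\t10.0.0.15\t10.0.0.26\t445\ttcp
1589000002.55\t10.0.0.15\t10.0.0.26\t445\ttcp
1589000003.00\t10.0.0.30\t10.0.0.5\t445\ttcp
1589000008.00\t10.0.0.30\t10.0.0.5\t445\ttcp
1589000013.00\t10.0.0.30\t10.0.0.5\t445\ttcp
1589000018.00\t10.0.0.30\t10.0.0.5\t445\ttcp
1589000010.00\t10.0.0.40\t10.0.0.50\t445\ttcp
1589000010.50\t10.0.0.40\t10.0.0.51\t445\ttcp
1589000011.00\t10.0.0.40\t10.0.0.52\t445\ttcp
1589000012.00\t10.0.0.40\t10.0.0.60\t443\ttcp
"""


def parse_conn_log(text):
    """Parse tab-separated connection records into (ts, orig, resp, port, proto) tuples."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, proto = line.split("\t")
        events.append((float(ts), orig, resp, int(port), proto))
    return events


def detect_smb_fanout(events, min_targets=5, window_s=60.0, smb_port=445):
    """
    Return a list of (orig_h, window_start_ts, distinct_target_count) for every
    originator that reached at least `min_targets` distinct responders on the
    SMB port within any `window_s`-second window.  Counting distinct responders
    (not raw connection count) keeps a chatty client of a single file server
    from being flagged.
    """
    by_src = defaultdict(list)
    for ts, orig, resp, port, proto in events:
        if port == smb_port and proto == "tcp":
            by_src[orig].append((ts, resp))

    alerts = []
    for src, conns in by_src.items():
        conns.sort()
        best, best_ts, left = 0, None, 0
        # Sliding window over this host's outbound SMB connections, ordered by time.
        for right in range(len(conns)):
            while conns[right][0] - conns[left][0] > window_s:
                left += 1
            distinct = len({resp for _, resp in conns[left:right + 1]})
            if distinct > best:
                best, best_ts = distinct, conns[left][0]
        if best >= min_targets:
            alerts.append((src, best_ts, best))
    return alerts


if __name__ == "__main__":
    for src, ts, count in detect_smb_fanout(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"ALERT: {src} opened SMB sessions to {count} distinct hosts "
              f"starting at ts={ts:.2f}")
```

On the constructed sample only 10.0.0.15 is reported. The same sliding-window logic applies to the ARP discovery step that precedes the SMB connections (count distinct ARP who-has targets per source MAC instead of SMB responders), and pairing an SMB fan-out alert with a process-creation event for PowerShell on the responding hosts gives a higher-confidence signal for the download-and-execute step.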
The faster the attack, the smaller the chance of detection
Once attackers are inside a network, the longer they move around in it, the more likely they are to be detected.
This means that unskilled hackers are more likely to be detected than experienced, advanced attackers when they try to move laterally across the network from their initial foothold.
Automatic distribution of the ransomware makes it easier for unskilled attackers to carry out an attack.
"An unusual aspect compared to the other cases we have handled is that the attacker was online for only this short period of time. Usually we see intruders online for days or even weeks before the ransomware is deployed.
In this particular case the attacker did not need to be that skilled. The ransomware spreads on its own, so as soon as they get access (as administrator), they just run the ransomware and the job is done," Van Looy told BleepingComputer.
Because LockBit is fast and easy to deploy, we can expect it to keep growing and expanding, adopted by affiliates who want to get in and out of a network quickly while encrypting as many of its devices as possible.