Symantec, a division of Broadcom Software, has observed threat actors targeting server machines in order to spread the LockBit ransomware threat throughout compromised networks.

LockBit is a ransomware-as-a-service (RaaS) operated by malicious actors Symantec tracks as Syrphid. Shortly after it first appeared in September 2019, the Syrphid gang expanded its operations, using a network of affiliates to deploy the LockBit ransomware on victim networks. The ransomware, which has currently reached version 3.0, has evolved over the past few years, as have its operators, who have recently launched a bug bounty program in order to weed out weaknesses in the malware's code and in the RaaS operation as a whole.

LockBit behaves differently on server machines with domain controllers than on Windows 10 machines. On Windows 10 machines it performs routine ransomware activity and encrypts files. When executed on a server, it has the capability to spread through the network using Group Policy. In one attack observed by Symantec, LockBit was seen identifying domain-related information, creating a Group Policy for lateral movement, and executing a "gpupdate /force" command on all systems within the same domain, which forcefully updates group policy.

In one observed instance, before dropping and executing the LockBit ransomware, an attacker had RDP access to the enterprise network for a couple of weeks at least. This access may have been obtained through remote desktop applications such as AnyDesk or Windows RDP, or by exploiting a known vulnerability, among other means.

LockBit first checks if the malware process is being debugged. When LockBit is executed on a server machine it carries out the following actions:
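The Group Policy lateral-movement pattern described above (a new GPO on the domain controller followed by "gpupdate /force" across many hosts) can be hunted for in Windows event logs. The following is an added detection example, not code from Symantec or from the report; the event records are constructed, the GPO distinguished name is a placeholder, and the field names are a simplified rendering of Security log events 5137 (directory service object created) and 4688 (process creation).

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the Symantec report), simplified from the
# Windows Security log: 5137 = directory service object created, which is how a
# new GPO (objectClass groupPolicyContainer) shows up on the domain controller;
# 4688 = process creation on each member host. The GPO DN is a placeholder.
GPUPDATE = r"C:\Windows\System32\gpupdate.exe"
SAMPLE_EVENTS = [
    {"time": "2022-07-01T09:40:00", "event_id": 4688, "host": "WS09",
     "process": GPUPDATE, "command_line": "gpupdate /force"},  # before the GPO
    {"time": "2022-07-01T10:00:00", "event_id": 5137, "host": "DC01",
     "object_class": "groupPolicyContainer", "subject": r"EXAMPLE\svc-backup",
     "object_dn": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=example,DC=test"},
    {"time": "2022-07-01T10:02:10", "event_id": 4688, "host": "WS01",
     "process": GPUPDATE, "command_line": "gpupdate /force"},
    {"time": "2022-07-01T10:02:11", "event_id": 4688, "host": "WS02",
     "process": GPUPDATE, "command_line": "GPUPDATE.EXE /FORCE"},  # case varies
    {"time": "2022-07-01T10:02:13", "event_id": 4688, "host": "WS03",
     "process": GPUPDATE, "command_line": "gpupdate /force"},
    {"time": "2022-07-01T10:05:00", "event_id": 4688, "host": "WS04",
     "process": GPUPDATE, "command_line": "gpupdate"},  # no /force: ignored
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def _is_forced_gpupdate(event):
    """Process creation of gpupdate.exe with /force, matched case-insensitively."""
    return (event["event_id"] == 4688
            and event.get("process", "").lower().endswith("gpupdate.exe")
            and "/force" in event.get("command_line", "").lower())

def find_gpo_push(events, window=timedelta(minutes=15), min_hosts=3):
    """Flag each new GPO followed within `window` by a forced policy refresh on
    at least `min_hosts` distinct hosts. One gpupdate /force is routine admin
    work; many hosts refreshing right after a GPO appears matches the pattern
    described above and deserves a look."""
    forced = [e for e in events if _is_forced_gpupdate(e)]
    findings = []
    for gpo in events:
        if gpo["event_id"] != 5137 or gpo.get("object_class") != "groupPolicyContainer":
            continue
        start = _ts(gpo)
        hosts = sorted({e["host"] for e in forced if start <= _ts(e) <= start + window})
        if len(hosts) >= min_hosts:
            findings.append({"gpo": gpo["object_dn"], "created_by": gpo["subject"],
                             "hosts": hosts})
    return findings
```

Event 5137 is only written when the Directory Service Changes audit subcategory is enabled on the domain controllers, and 4688 needs process creation auditing (with command-line logging) on the member hosts, so confirm both are collected before relying on this correlation.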