The dissemination of LockBit 2.0

LockBit is a relatively new ransomware that has quickly become popular and well known. The ecosystem behind this threat has significantly increased its criminal activity since Q4 of 2020 and has been claiming more and more victims ever since.


What is LockBit

Technically speaking, LockBit is a ransomware that operates in SAR (Semi-Automated Ransomware) mode and is able to make files and documents unavailable on the devices it affects.

It can automatically scan the victim’s network for potentially sensitive targets such as network shares, backups, confidential documentation, etc.

The primary purpose of a LockBit infection is to disrupt the business of the affected organization as much as possible, strategically pushing it towards a negotiation in which paying the ransom is always the easiest and safest way to guarantee the restoration of activities.


LockBit business model

LockBit adopts a business model called “Ransomware as a Service” (RaaS). As in the corresponding legitimate market model, SaaS (Software-as-a-Service), the creators of LockBit, i.e. those who develop and maintain the actual malware, rent their “weapons” (not only the ransomware, but also 0-day, N-day, RAT, post-intrusion tools, access lists etc.) to affiliated criminal groups, who then use them to carry out the attacks.

LockBit affiliates have the ability to access a web administration panel through which they can independently generate new variants of the ransomware, manage victims, process ransoms, obtain statistics, decrypt files and much more.

They operate mainly from Russia and the countries of the former Soviet Union, and the LockBit payloads implement special checks to ensure that the malware cannot target organizations in those countries.

LockBit has infected thousands of devices around the world, and almost all of the victims are commercial companies that are asked for a ransom averaging between 80 and 100 thousand dollars.

This figure can change a lot depending on the type of victim and the sector in which it operates.

However, it should be noted that the ransom amount is always set by the affiliate following a specific investigation carried out after the operation.


Group policy allows ransomware to spread

LockBit ransomware can spread across a local network through Group Policies created on a hacked domain controller.

The creation of ransomware became an underground industry some time ago, with technical support services, press centers, and advertising campaigns.

As with any other industry, creating a competitive product requires continuous improvement.

LockBit, for example, is the latest in a series of cybercriminal groups that advertise the ability to automate the infection of local computers through a domain controller.

As mentioned above, LockBit follows the Ransomware as a Service (RaaS) model, providing its customers (the real attackers) with the infrastructure and malware, and receiving a share of the ransom.

Breaking into the victim’s network is the contractor’s responsibility, and as far as distributing the ransomware over the network is concerned, LockBit has designed quite an interesting technology.


The distribution of LockBit 2.0

After the cybercriminals gain access to the network and reach the domain controller, they run their malware on it, creating new user group policies, which are then automatically distributed to every device on the network.

Some policies first disable the security technology built into the operating system, while others create a scheduled task on all Windows devices to launch the ransomware executable.

Researcher Vitali Kremez said that the ransomware uses the Windows Active Directory API to query Lightweight Directory Access Protocol (LDAP) for a list of computers. 

LockBit 2.0 then bypasses User Account Control (UAC) and runs silently, without triggering any alarm on the encrypted device.

Apparently, this represents the first-ever spread of mass malware through User Group Policy. 

Also, LockBit 2.0 delivers ransom notes in a rather bizarre way, placing the note on all printers connected to the network.
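
The behaviour described above (a new Group Policy on the domain controller, followed by the same scheduled task appearing on many machines) can be turned into a simple correlation rule. The following is an added example, not part of the original article: it runs over constructed, already-normalized Windows Security events (5137 = directory object created, 4698 = scheduled task created); the field names, host names, task names, time window and host threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), normalized to an assumed schema.
EVENTS = [
    {"time": "2021-08-01T01:10:00", "host": "WS-104", "id": 4698, "task": "\\Vendor\\Updater"},
    {"time": "2021-08-01T02:00:05", "host": "DC01", "id": 5137,
     "object_class": "groupPolicyContainer", "user": "CORP\\svc-backup"},
    {"time": "2021-08-01T02:03:10", "host": "WS-101", "id": 4698, "task": "\\ExampleTask"},
    {"time": "2021-08-01T02:03:12", "host": "WS-102", "id": 4698, "task": "\\ExampleTask"},
    {"time": "2021-08-01T02:04:40", "host": "SRV-07", "id": 4698, "task": "\\ExampleTask"},
    {"time": "2021-08-01T02:30:00", "host": "WS-103", "id": 4698, "task": "\\Vendor\\Updater"},
]

def find_gpo_task_waves(events, window=timedelta(hours=2), min_hosts=3):
    """Flag each new GPO that is followed, within `window`, by the same
    scheduled task being created on at least `min_hosts` distinct hosts."""
    gpo_created = [e for e in events
                   if e["id"] == 5137 and e.get("object_class") == "groupPolicyContainer"]
    task_created = [e for e in events if e["id"] == 4698]
    alerts = []
    for gpo in gpo_created:
        start = datetime.fromisoformat(gpo["time"])
        hosts_by_task = defaultdict(set)
        for task_event in task_created:
            when = datetime.fromisoformat(task_event["time"])
            # Only tasks created after the GPO appeared can have been pushed by it.
            if start <= when <= start + window:
                hosts_by_task[task_event["task"]].add(task_event["host"])
        for task, hosts in hosts_by_task.items():
            # One host creating a task is normal; many hosts creating the
            # same task right after a new GPO is the pattern to review.
            if len(hosts) >= min_hosts:
                alerts.append({"dc": gpo["host"], "actor": gpo["user"],
                               "gpo_time": gpo["time"], "task": task,
                               "hosts": sorted(hosts)})
    return alerts

if __name__ == "__main__":
    for alert in find_gpo_task_waves(EVENTS):
        print(alert)
```

Both event types are only logged when the corresponding audit policies are enabled, so a rule like this depends on directory service change auditing on domain controllers and object access auditing on endpoints.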


How can we protect against similar threats?

Keep in mind that a domain controller is actually a Windows server, and as such, it needs protection.

Either way, ransomware that spreads through Group Policy represents the last stage of an attack.

Malicious activity should become evident much earlier, for example when cybercriminals enter the network for the first time or attempt to hack the domain controller.

Managed Detection and Response solutions are particularly effective in detecting the signs of this type of attack.

Most importantly, cybercriminals often use social engineering techniques and phishing emails to gain initial access.

Speaking of companies, to prevent employees from falling for these tricks, improve their cybersecurity awareness with regular training.

LockBit poses a very serious threat to public and private organizations today.

Its ecosystem currently has dozens of affiliates and certainly represents an elite group within the cybercriminal landscape (like REvil and DarkSide).

In all likelihood, LockBit will continue to be improved and maintained with extreme care, therefore it is advisable to take every precaution and practice useful for its mitigation.