• Home
  • /Learn
  • /LockBit's Automated Ransomware Processes Present Unique Challenges
background image


LockBit's Automated Ransomware Processes Present Unique Challenges


LockBit 2.0 is a ransomware as a service (RaaS) that targets businesses of all sizes by encrypting their data and then demanding a ransom payment in exchange for a decryption key. It first emerged in June 2021 as an update to the original LockBit ransomware that was first discovered in 2019.

LockBit’s operators use an automated process that makes it unique compared to other ransomware-as-a-services. This allows them to quickly deploy the malware and target a larger number of victims in a shorter period of time.

One of LockBit’s most notorious methods was the development and deployment of the malware StealBit, which automates data exfiltration. This utility was manifest in LockBit 2.0, the most recent known version. Its authors claim LockBit 2.0 has the fastest and most efficient encryption among its competitors. LockBit expanded to Linux hosts, notably ESXi servers, in October 2021 with the release of Linux-ESXI Locker version 1.0. 

LockBit’s Russia connect

The UNC2165 threat cluster, which shares many similarities with the Evil Corp cybercrime group based in Russia, has been linked to many LockBit ransomware incursions. UNC2165, active since 2019, is known to get initial access to the victim networks via stolen credentials and a JavaScript-based downloader malware called FakeUpdates (aka SocGholish), which it uses to install the Hades ransomware.

"These actors have changed away from employing exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) — in their operations, possibly to impede attribution attempts in order to escape penalties," threat intelligence firm Mandiant observed in recent research. Hades is the creation of Evil Corp, also known as Gold Drake and Indrik Spider, and has been linked to the infamous Dridex (aka Bugat) trojan and other ransomware strains such as BitPaymer, DoppelPaymer, WastedLocker, Phoenix, PayloadBIN, Grief, and Macaw.

When did the transition to LockBit occur?

The switch from Hades to LockBit as a sanctions-evasion strategy is claimed to have occurred in early 2021. FakeUpdates have previously functioned as the first infection vector for distributing Dridex, which was subsequently utilized as a conduit to dump BitPaymer and DoppelPaymer onto affected PCs. Mandiant discovered parallels between UNC2165 and an Evil Corp-connected cyber espionage campaign directed at government entities and Fortune 500 businesses in the EU and the US, tracked by Swiss cybersecurity firm PRODAFT under the name SilverFish.

How does LockBit infect systems and networks? 

As part of the attack lifecycle, a successful first breach is followed by several steps, including lateral movement, privilege escalation, and documenting long-term remote access. Cybercriminal syndicates constantly close, regroup, and rebrand under new names to evade law enforcement, making it difficult to add a ransomware group to a sanctions list without identifying the individuals behind it.

Threat to Mandiant

"The use of current ransomware is a natural step for UNC2165 to try to disguise their relationship with Evil Corp," Mandiant stated while adding that penalties are "not a limiting factor in getting payments from victims." "Using this RaaS would allow UNC2165 to blend in with other affiliates," it claimed, adding that the people behind UNC2165 operations may continue to remove themselves from the Evil Corp identity.

The findings of Mandiant, which Google is acquiring, are especially relevant because the LockBit ransomware gang has since claimed that it hacked the company's network and took sensitive data. Aside from threatening to reveal "all available material" on its data leak portal, the group did not specify the nature of the files' contents. However, Mandiant stated that there was no proof to support the assertion.  

"Mandiant has analyzed the data disclosed in the initial LockBit release. There are no signs that Mandiant data has been disclosed based on the data that has been released, but rather the actor appears to be attempting to discredit Mandiant's June 2, 2022 study on UNC2165 and LockBit."

Final thoughts

Endpoint devices require comprehensive protection, especially given the extent of LockBit and its far-reaching consequences. The first step is to implement a comprehensive endpoint security solution. If your business is already affected, removing LockBit ransomware will not restore access to your files. Because encryption requires a "key" to unlock, you will still need a tool to recover your system. Alternatively, if you have pre-infection backup images, you may be able to restore your computers by reimaging them.