One of the most widespread cyber threats, which continues to affect banks, companies and even public bodies. The gang of ransomware LockBit 3.0 He has landed some excellent hits in recent weeks as well, including the alleged one attack on the Revenue Agency (which Sogei denies). So let’s get to know these hackers and their way of acting, to understand who takes risks and how to defend themselves.
Who is the LockBit gang and how the new version of the ransomware works
The first time that a security agency intercepts this band is September 2019. But the notoriety for the LockBit ‘crew’ comes in February 2020, and then continues to grow for the next two years. A group of about 25-30 hackers with relevant technical skills and an almost corporate business model. There are in fact several experts in the ranks of LockBit, with programmers, experts in gathering information, masters of evasion of detection systems.
The transactions concluded are thousands, with approximately 70-80 annual victims per affiliate. According to Cyble’s analysis, exactly one third (33.3%) of the victims are part of the financial system: banks, insurance companies, investment agencies. Then follow the companies that provide professional services (22.2%), but there is also no shortage of public bodies.
The technicians of theRevenue Agency in Italywhich they are investigating after the hackers announced they had stolen 78GB of data which they threaten to publish In 5 days. Sogei he explained that he did not detect any interference, but also given the ability to leave no traces of LockBitthe agency and the police Postal investigations will continue.
Ransomware-as-a-Service
The LockBit code is particularly ‘performing’ by hacker standards. In fact, it is the fastest at encrypting victims’ files and uses advanced tactics to spread malicious files without being blocked by corporate security experts. This makes it particularly difficult to spot the attack, with corporate IT often only responding after the gang has stolen and encrypted files.
To circumvent security, it often happens that hackers even hire unfaithful collaborators in companies in order to bypass the defenses. And since last year they use a bug bounty program that rewards you with rewards from one thousand to one million dollars who provides access to certain systems.
Cybercriminals can afford such rewards because they have a model of “ransomware-as-a-service” (RaaS). The bad guys who want to target a company or a public body hire LockBit to exploit their code and their resources, paying a fee. This also leads to working for ‘state bodies’ and for rivals of large companies, willing to pay large amounts for an effective result. But even smaller criminals can borrow ‘basic’ versions of ransomware to attack their targets. Flexible and scalable, like good software: but designed for crime.
Il ransomware LockBit 3.0
Almost exactly one year ago, at the end of June 2022, hackers had launched the new version of the ransomware: LockBit 3.0. A sign of the rapid evolution of this gang of cybercriminals. In 2019, the version known as ABCD, later renamed LockBit as the gang, knew how to encrypt data like any ransomware. But version 2.0, released in June 2021, has new features. For example, it allows you to delete the copy shadow of Windows it varies log of the systemmaking it nearly impossible to recover the data.
The new version, as mentioned, offers a programmer of Bug Bounty to find ways to access the servers of companies and organizations. Furthermore, with LockBit 3.0 the gang predisposesand a TOR site where victims’ data can be published if they do not pay the ransom: it is from here that the researchers discovered the attack on the Revenue Agency.
Victims can go to this site to choose ‘how to pay’. In fact, hackers often leave the option of extend the ultimatum before publication of a day, or of to delete all information or download them if they want to close the affair. All automatically on the site, as if it were the most normal of online operations.
Beyond the hardening of hacking tools, what LockBit 3.0’s change shows is the business website style. Almost passing off ransomware as a practice that is part of the cost of doing business.
Who are the hackers of the LockBit ransomware
An analysis of the LockBit 2.0 code has shown how ransomware, among the various operations it performs to trap your data and steal it, there is one particular one. That doesn’t really serve to ask for the ransom. In fact the ransomware controls the default language of your system and, if it is Russian, it stops the attack.
This has made the experts think that it is a Russian gang. Proof of contact with the Kremlin is virtually impossible. However the fact that you spare the Russians suggests that there may be some sort of agreement between cybercriminals and the Moscow authorities. If no Russian companies are attacked, the Russian law enforcement agencies do not investigate the matter. These are all hypotheses, but security experts seem to give credit.
How to defend yourself
For cybersecurity operators, you can find a detailed analysis of how LockBit works in order to develop the best defense strategy. But the truth is, functioning as ransomware-as-a-service, it uses a lot of attack vectors. And the ability to encrypt files on different operating systems (there is also a version for Linux servers), lightning-fast encryption times and the ability of the cybercriminals who work there makes it difficult to organize a defense.
Companies should focus on the safety of backup, perhaps with solutions that take them offline or distribute them effectively on the cloud. Also, one approach “Zero Trust” it could limit the damage in the event of a breach. Individual employees, on the other hand, must lend usual cybersecurity attentions now to be taken for granted: beware of email attachments and sites, use two-factor authentication where possible and a password manager in any case. In short: try to make the job more difficult for hackers.
But probably to stop hackers would require a coordinated operation, which perhaps after the attacks of recent months governments could put into practice. To date nearly half of ransomware attacks come from LockBit, the fact that there is a need for intervention is evident. But the operation to stop them seems very complicated.
We will keep you informed, but sadly we doubt that we will stop talking about LockBit within a few weeks.