Ransomware is bigger than ever, and signs seem to indicate that it’s not going away any time soon. With the cost of ransom demands skyrocketing, the lack of mitigation strategies, and ransomware-as-a-service operations popping up, it’s easy to see why cybercriminals have flocked to the strategy like a fly to manure. We wrote a couple of weeks ago about how ransomware groups have begun to offer their malicious software as a service to other criminals in exchange for a cut of the profits, and one of the most notable names in the business is LockBit. The group was most recently in the news for its hack and ransom of Bangkok Air, where it released over 100GB of exfiltrated data when the ransom went unpaid.
LockBit first emerged in 2019, quickly making a name for itself as an advanced ransomware strain that used AES encryption to hold user data hostage until a (typically) five-figure demand was paid. It was a complex program that propagates largely independently of its operator: once it gains a foothold through a misconfigured remote desktop protocol, a phishing email, or a known vulnerability exploited to obtain access to a device on the network, it can spread throughout that network on its own. To propagate, the program uses a network scanner to identify the network’s Domain Controller and then tries to infiltrate it. If it obtains access to the Domain Controller, it pushes out group policies that disable security programs on network devices, facilitating the spread. LockBit then encrypts files on any system it touches and leaves a note with the ransom demand and the details of how it can be paid.
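The Domain Controller step described above leaves a detectable footprint: a Group Policy object is edited on the DC, and shortly afterwards many endpoints change the start type of their security services to "disabled". The following Python script, added here as an illustration and not taken from the original post or from any LockBit sample, correlates those two signals. The event IDs are real Windows Security/System log IDs (5136, a directory service object was modified; 7040, a service start type was changed), but the log records, host names, timestamps and the ten-minute/three-host thresholds are constructed for this example and are assumptions, not values from the post.

```python
"""
Correlate a Group Policy change on a Domain Controller with a burst of
security-service shutdowns across hosts.

Event IDs are real Windows IDs (5136: directory service object modified,
7040: service start type changed). The records below are constructed
sample data for this example, not output from a real environment.
"""
from datetime import datetime, timedelta

# Security services a defender would not expect to see disabled fleet-wide.
# (Assumed list; tune to the products actually deployed.)
SECURITY_SERVICES = {"WinDefend", "Sense", "MsMpSvc", "wscsvc"}

# Constructed sample records: one GPO edit on the DC followed by
# start-type changes on several workstations, plus one benign change.
SAMPLE_EVENTS = [
    {"ts": "2021-09-01T10:00:00", "host": "DC01", "id": 5136,
     "object_class": "groupPolicyContainer", "attr": "gPCMachineExtensionNames"},
    {"ts": "2021-09-01T10:02:10", "host": "WS-014", "id": 7040,
     "service": "WinDefend", "new_start": "disabled"},
    {"ts": "2021-09-01T10:02:15", "host": "WS-022", "id": 7040,
     "service": "WinDefend", "new_start": "disabled"},
    {"ts": "2021-09-01T10:02:31", "host": "WS-007", "id": 7040,
     "service": "Sense", "new_start": "disabled"},
    {"ts": "2021-09-01T10:03:02", "host": "WS-031", "id": 7040,
     "service": "WinDefend", "new_start": "disabled"},
    # Benign noise: print spooler set to manual start on a single host.
    {"ts": "2021-09-01T10:05:00", "host": "WS-099", "id": 7040,
     "service": "Spooler", "new_start": "demand start"},
]


def parse_ts(value):
    """Timestamps in the sample are ISO 8601 without a zone."""
    return datetime.fromisoformat(value)


def gpo_modifications(events):
    """5136 events whose target object is a Group Policy container."""
    return [e for e in events
            if e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]


def security_service_disables(events):
    """7040 events that set one of the watched security services to disabled."""
    return [e for e in events
            if e["id"] == 7040
            and e.get("service") in SECURITY_SERVICES
            and e.get("new_start") == "disabled"]


def correlate(events, window=timedelta(minutes=10), min_hosts=3):
    """
    For each GPO change, count the distinct hosts that disabled a security
    service within `window` afterwards. An alert is raised when that count
    reaches `min_hosts`; a single host is usually an admin, many hosts at
    once is the pattern described in the article.
    """
    alerts = []
    disables = security_service_disables(events)
    for gpo in gpo_modifications(events):
        t0 = parse_ts(gpo["ts"])
        hosts = {d["host"] for d in disables
                 if t0 <= parse_ts(d["ts"]) <= t0 + window}
        if len(hosts) >= min_hosts:
            alerts.append({"gpo_host": gpo["host"], "gpo_ts": gpo["ts"],
                           "affected_hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT: GPO modified on {alert['gpo_host']} at {alert['gpo_ts']}; "
              f"{len(alert['affected_hosts'])} hosts disabled security services: "
              f"{', '.join(alert['affected_hosts'])}")
```

Run stand-alone, the script prints a single alert covering the four workstations and ignores the Spooler change. In a real deployment the same two queries would be fed from forwarded event logs or a SIEM, and the GPO event alone (5136 on a groupPolicyContainer outside a change window) is worth an alert of its own on a domain where policy edits are rare.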
Since its initial appearance, it has been continuously developed and now exists as a ransomware-for-hire platform known as LockBit 2.0 that allows affiliates (LockBit customers) to conduct their own infection campaigns in exchange for 20-30% of the ransom proceeds. With how much money is flowing into these operations, these ransomware providers are using their influx of cash and the distributed nature of their affiliate program to proliferate their strain of malware globally.
However, not all is well in the ransomware-for-hire industry. In an ironic twist last week, ThreatPost reported that the REvil ransomware gang has been hijacking ransoms from their own affiliates via a backdoor and chat monitoring service on their platform. It is, of course, no surprise that cybercriminals have no qualms about ripping each other off for profit, and it’s even less surprising that representatives from LockBit swooped in to share similar stories from their affiliates, perhaps in an attempt to lure further affiliates away from REvil and onto their own platform. At the end of the day, ransomware exists as a vehicle for profit for cybercriminals, and they don’t particularly care who they get their money from or who it “rightfully” belongs to.
Whether LockBit 2.0 specifically will continue to be a big player in the ransomware scene will depend on many factors, but it’s certain that this business model will remain as long as ransomware continues to be lucrative. Ransomware is proliferating across the globe, with new variants, strains, and new implementations of old ransomware deployed constantly. It’s clear that organizations need a strategy to prevent both the initial infection and the proliferation of the payload throughout the network, because all it takes is one point of infection and a slightly outdated software deployment on organizational infrastructure to spell untold disaster and financial ruin.