LockBit explores a new way of gaining initial access to begin ransomware attacks

Aug 18, 2021 15:56 GMT  ·  By

The LockBit RaaS operators have begun fresh attacks on employees of businesses in Taiwan, Italy, the United Kingdom and Chile, offering them millions of dollars in exchange for valid credentials that grant initial access, says Trend Micro.

Unlike the 2019 version, LockBit 2.0 targets Active Directory and automatically encrypts devices across all Windows domains. Trend Micro considers it one of the fastest and most efficient encryptors on the market, because it uses multithreading for encryption and only encrypts 4 KB of data per file.

The investigation revealed that LockBit 2.0 uses several tools once it has a foothold on a system. A network scanner probes the network to identify the target domain controller. At the same time, batch files terminate security tools, enable RDP connections, delete Windows Event logs and stop important processes such as MySQL, QuickBooks, and Microsoft Exchange.
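The three batch-file behaviours described above (killing security tooling, enabling RDP, clearing Windows Event logs) each leave a recognisable command line in process-creation telemetry. The following triage helper is an added example, not code from the article or from Trend Micro: it classifies constructed process records against generic indicator patterns (assumed here, not LockBit's actual batch-file contents) and surfaces any parent process under which several of those behaviours appear together, which is what a scripted pre-encryption sequence looks like to a defender.

```python
"""Triage helper: flag process-creation records whose command lines match the
pre-encryption behaviours described in the article (terminating security tools,
enabling RDP, clearing Windows Event logs) and surface parents that chain them.
The records below are constructed for this example; the patterns are generic
indicators of those behaviours, not LockBit's actual batch-file contents."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Finding:
    record_id: int
    behaviour: str
    command_line: str


# Assumed indicator patterns, one list per behaviour category.
PATTERNS = {
    "event_log_cleared": [
        re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I),
        re.compile(r"\bClear-EventLog\b", re.I),
    ],
    "rdp_enabled": [
        # fDenyTSConnections set to 0 under the Terminal Server key permits RDP logons
        re.compile(r"fDenyTSConnections\b.*?\s/d\s+0\b", re.I),
    ],
    "service_or_process_killed": [
        re.compile(r"\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?)\b", re.I),
    ],
}

# Constructed process-creation records: record id, parent pid, command line.
SAMPLE_RECORDS = [
    {"id": 1, "ppid": 100, "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"id": 2, "ppid": 400, "cmdline": 'net stop "ExampleAVService" /y'},
    {"id": 3, "ppid": 400, "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"id": 4, "ppid": 400, "cmdline": "wevtutil cl Security"},
    {"id": 5, "ppid": 400, "cmdline": "wevtutil cl System"},
    {"id": 6, "ppid": 4, "cmdline": "svchost.exe -k netsvcs"},
]


def classify(command_line: str) -> List[str]:
    """Return the behaviour categories whose patterns match the command line."""
    return [b for b, pats in PATTERNS.items() if any(p.search(command_line) for p in pats)]


def triage(records) -> List[Finding]:
    """One Finding per (record, matched behaviour) pair, in record order."""
    return [Finding(r["id"], b, r["cmdline"]) for r in records for b in classify(r["cmdline"])]


def suspicious_parents(records, min_behaviours: int = 2) -> Dict[int, List[str]]:
    """Parents under which at least `min_behaviours` distinct behaviours were seen.
    Several of them under one cmd.exe parent suggests a scripted (batch) sequence."""
    seen: Dict[int, Set[str]] = {}
    for r in records:
        for b in classify(r["cmdline"]):
            seen.setdefault(r["ppid"], set()).add(b)
    return {ppid: sorted(bs) for ppid, bs in seen.items() if len(bs) >= min_behaviours}


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"record {f.record_id}: {f.behaviour}: {f.command_line}")
    print(suspicious_parents(SAMPLE_RECORDS))
```

Grouping by parent is the useful part: any one of these commands can be legitimate administration, but three of them issued by the same parent within one session is the kind of sequence worth an alert. The patterns are deliberately narrow; tune them to the command-line telemetry source you actually collect.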

The main ransomware module then appends the .lockbit extension to every file it encrypts and drops a ransom note in each encrypted directory, threatening double extortion. Victims' desktop wallpapers are replaced with a recruitment advertisement alongside instructions on how to pay the ransom.
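The on-disk pattern in the paragraph above, files renamed with a .lockbit extension across many directories, is also straightforward to watch for in file-rename telemetry. This is an added example, not code from the article or from Trend Micro: it counts, per process, how many files were renamed to the .lockbit extension and how many distinct directories were touched, using constructed rename events and assumed thresholds.

```python
"""Flag processes that rename many files to the '.lockbit' extension across
several directories, the on-disk pattern the article attributes to LockBit 2.0.
The rename events below are constructed for this example, not real telemetry."""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Tuple

RANSOM_EXT = ".lockbit"

# Constructed file-rename events: (pid, old path, new path).
SAMPLE_RENAMES = [
    (1234, r"C:\Shares\Finance\q3.xlsx", r"C:\Shares\Finance\q3.xlsx.lockbit"),
    (1234, r"C:\Shares\Finance\budget.docx", r"C:\Shares\Finance\budget.docx.lockbit"),
    (1234, r"C:\Shares\HR\contracts.pdf", r"C:\Shares\HR\contracts.pdf.lockbit"),
    (1234, r"C:\Users\alice\Documents\todo.txt", r"C:\Users\alice\Documents\todo.txt.lockbit"),
    (5678, r"C:\Users\bob\draft.tmp", r"C:\Users\bob\draft.docx"),  # benign rename
]


def is_ransom_rename(old_path: str, new_path: str) -> bool:
    """True when a file gains the ransom extension it did not have before."""
    return new_path.lower().endswith(RANSOM_EXT) and not old_path.lower().endswith(RANSOM_EXT)


def suspicious_encryptors(events: Iterable[Tuple[int, str, str]],
                          min_files: int = 3, min_dirs: int = 2) -> Dict[int, Tuple[int, int]]:
    """Map pid -> (files renamed, distinct directories) for processes exceeding
    both thresholds. Thresholds are assumed starting points, not vendor values."""
    per_pid = defaultdict(lambda: {"files": 0, "dirs": set()})
    for pid, old_path, new_path in events:
        if is_ransom_rename(old_path, new_path):
            per_pid[pid]["files"] += 1
            per_pid[pid]["dirs"].add(str(PureWindowsPath(new_path).parent).lower())
    return {pid: (s["files"], len(s["dirs"])) for pid, s in per_pid.items()
            if s["files"] >= min_files and len(s["dirs"]) >= min_dirs}


if __name__ == "__main__":
    print(suspicious_encryptors(SAMPLE_RENAMES))
```

Requiring both a file count and a directory spread keeps a single user renaming a handful of files from tripping the rule, while an encryptor walking a share crosses both thresholds within seconds. In practice the extension is only one signal; pair it with the process-behaviour indicators from the earlier stage so that detection does not depend on the attacker keeping the same suffix.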

The LockBit RaaS gang is looking for help obtaining genuine RDP credentials

The novelty of this 2021 version is that the LockBit gang recruits partners and helpers who use authentic RDP credentials to break into the networks of targeted companies. To help the cause, the gang provides partners with the simple StealBit malware, which enables automated data access and exfiltration.

Trend Micro said that the attacks try to recruit insiders from the targeted companies. In the final stage of the infection, the malware changes the victim's desktop wallpaper to promote the gang's affiliate recruitment program, which promises anonymity and millions in cash. This approach cuts out intermediaries and allows faster attacks, because insiders deliver legitimate credentials and access to corporate networks.