The Australian Cyber Security Centre is alerting organisations in the country about the frequent use of LockBit 2.0 ransomware by cyber criminals to target multiple industry sectors and to demand ransom.
In an alert published this week, ACSC said it has received reports from a number of Australian organisations that have been impacted by LockBit 2.0 ransomware. Cyber criminals using the ransomware are not only encrypting files and demanding a ransom, they are also threatening to publish stolen data on the Internet if organisations refuse to pay.
According to ACSC, the creators of LockBit 2.0 ransomware are offering the malware through a ransomware-as-a-service model, enabling a vast community of cyber criminals to use the ransomware in targeted attacks and share a portion of the spoils with the creators. This model ensures that criminals with little technical knowledge can also mount ransomware attacks through various means, such as by sending phishing emails, by setting up domain-squatting websites, or by exploiting known vulnerabilities.
While the ransomware first surfaced on Russian-language cybercrime forums in January 2020, its creators are now selling an updated variant, named LockBit 2.0 ransomware, that boasts a built-in information-stealing function known as ‘StealBit’, the cyber security watchdog said.
“The ACSC has recently observed LockBit threat actors actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products identified as CVE-2018-13379 in order to gain initial access to specific victim networks.
“The LockBit RaaS operators have previously advertised partnership opportunities for threat actors that could provide credential based accesses to Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) remote access solutions. Additional advertisements sought to recruit threat actors proficient in the use of threat emulation software Cobalt Strike and Metasploit.
“Threat emulation software is often used in penetration testing environments and by threat actors seeking to gain unauthorised access to or move laterally within target networks,” it said.
“The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors including professional services, construction, manufacturing, retail and food.
“Additionally, threat actors involved in ransomware activity are opportunistic in nature and are capable of victimising organisations in any sector; as such, inclusion or exclusion from this list is not indicative of future LockBit behaviour,” it added.
According to security firm Kaspersky, “LockBit is a subclass of ransomware known as a ‘crypto virus’ due to forming its ransom requests around financial payment in exchange for decryption. It focuses mostly on enterprises and government organizations rather than individuals.”
Previously known as the ABCD ransomware, LockBit has been used on multiple occasions since 2019 in targeted attacks against organisations based in the United States, China, India, Indonesia, Ukraine, and several European countries.
“Recently, LockBit has been enhanced with more nefarious features such as negating administrative permission checkpoints. LockBit now disables the safety prompts that users may see when an application attempts to run as an administrator.
“Also, the malware now is set up to steal copies of server data and includes additional lines of blackmail included in the ransom note. In case the victim does not follow instructions, LockBit now threatens the public release of the victim’s private data,” the firm said.