ALPS blog

Ransomware Spotlight: LockBit

The LockBit intrusion set, tracked by Trend Micro as Water Selkie, has one of the most active ransomware operations today. With LockBit’s strong malware capabilities and affiliate program, organizations should keep abreast of its machinations to effectively spot risks and defend against attacks.

Ransomware Spotlight: LockBit Infographic 

LockBit first emerged as the ABCD ransomware in September 2019 and has since evolved into one of the most prolific ransomware families today.

Through its professional operations and strong affiliate program, LockBit's operators have shown that they are in it for the long haul. Being acquainted with their tactics will therefore help organizations fortify their defenses against current and future ransomware attacks.

What do organizations need to know about LockBit?

LockBit uses a ransomware-as-a-service (RaaS) model and has consistently devised new ways to stay ahead of its competitors. Its double extortion method, which encrypts a victim's data and also threatens to leak stolen copies of it, adds further pressure on victims and raises the stakes of its campaigns.

One of its notable tactics was the creation and use of the malware StealBit, which automates data exfiltration. This tool appeared alongside LockBit 2.0, the latest known version at the time of writing, which its creators advertise as having the fastest and most efficient encryption of any competing ransomware. In October 2021, LockBit also expanded to Linux hosts, specifically VMware ESXi servers, with the release of Linux-ESXI Locker version 1.0. Because a single ESXi host runs many virtual machines, encrypting it can take down numerous workloads at once, which greatly amplifies the impact on a targeted organization.

Another side of LockBit's operations is its recruitment of and marketing to affiliates. It has been known to hire network access brokers, cooperate with other criminal groups (such as the now-defunct Maze), recruit company insiders, and sponsor underground technical writing contests to attract talented hackers. Using such tactics, the LockBit group has built itself into one of the most professional criminal organizations in the underground.

The tactics enumerated above were evident in LockBit's attack on Accenture in 2021. Experts suspect that an insider helped the group gain access to the firm's network. LockBit also reportedly published a small part of the data stolen in the attack.

LockBit’s timeline of notable activities

