Forensic expert, Brendan Read, discusses the urgency for organisations to revise their cybersecurity posture.
A new ransomware threat moving quickly through the corporate world is magnifying the need for revising an organisation's cybersecurity posture.
Known as LockBit 2.0, this malicious software pursues 'double extortion' with unprecedented precision, first locking files and systems in unusable formats while allowing the exfiltration of data to the dark web. Victims are sent instructions on how to engage with perpetrators only after a breach is complete, and multi-million-dollar ransom demands are common.
LockBit's speed and multi-pronged capability make its emergence particularly concerning. When a machine is infected, LockBit's sophisticated software moves rapidly to home in and lock its central server, the domain controller which governs all user permissions and security for data stored on an organisation's network. The software platform saves time by only partially, not totally, encrypting files, while simultaneously deploying malicious software across an entire network to steal and upload data on its own dark web site, 'LockBit 2.0'. From here, the organisation's data can easily be sold if victims fail to meet initial ransom demands. Cybersecurity firms now largely regard LockBit as one of the most efficient ransomware variants on the market.
LockBit has been active globally for at least two years. According to the Australian Cyber Security Centre (ACSC), it was first detected in September 2019 and again on Russian-language cybercrime forums in January 2020. Then in June this year, LockBit creators upped the ante with LockBit 2.0, a more sophisticated and debilitating version than the first because of an in-built information-stealing function 'StealBit'. This enhanced tool has proved popular with perpetrators; most Australian victims of LockBit 2.0 have come to the attention of the ACSC since July 2021, making the newer platform one of the most prevalent of tracked ransomware variants. 1
LockBit 2.0 is openly offered for sale to cybercriminals as ransomware-as-a-service (RaaS). Purchasers can use it as they wish with the only stipulation being they pay the LockBit operators a commission.
Even more worrying is that LockBit also operates as a cyber Darth Vader, tempting victims to the 'dark side' by offering them the opportunity to join an affiliate program that would earn them millions of dollars and anonymity in exchange for releasing an organisation's user credentials and access. This cash-for-credentials style approach places a more insidious danger in the path of corporate cybersecurity. Consider a disgruntled employee or unprincipled consultant suddenly presented with LockBit's partner-in-crime offer, which may entice them. Such a scenario would make it easy to bypass multiple layers of risk mitigation.
Industries favoured by LockBit 2.0 perpetrators are many and varied. They range from health, construction and manufacturing to professional services, as well as retail and food. But in the ACSC's Ransomware Profile-LockBit 2.0, issued this year to alert and encourage organisations to undertake their own risk assessments, the commission warned that threat actors are 'opportunistic in nature' and capable of targeting any type of organisation. 2
We see LockBit 2.0 presenting enormous risk to industries such as financial services and critical infrastructure, including water boards, hospitals and other healthcare institutions. It boasts proficiency at extracting large quantities of data before a breach can be detected. With an effective capability of stealth and speed, the disruption caused by the software could potentially be among the worst Australia has experienced so far.
Ransom demands linked to LockBit 2.0 incursions have been enormous. When global consultancy firm, Accenture, fell victim to a LockBit 2.0 attack, 3 it was rumoured the offenders demanded a $50 million ransom in exchange for 6TB of stolen data. 4 In an August 4 blog post, Accenture acknowledged the emergence of more powerful malware when it stated, "Ransomware is likely to remain one of the top threats to businesses globally. If anything, it has entered a new phase as threat actors adopt stronger pressure tactics and capitalize on opportunistic intrusion vectors." 5
A variety of measures is needed to ensure that organisations are best placed to combat the dual threat of ransomware coupled with data theft. Organisations will remain at risk unless they incorporate multi-layered defence strategies which are critical in light of this new threat – even simple ones. Among the first actions any organisation can take is encrypting any data 'at rest': information such as back-ups and historical data stored on a server. This should never be forgotten and left to remain unprotected and vulnerable.
Multi-factor authentication and restricting administrator privileges to bare minimums also go a long way to protecting systems. Preventing users from accessing common web-based storage platforms, such as Dropbox, is another basic, yet effective, step.
At the end of the day, corporations must bear in mind that malware creators are constantly bettering their game by developing more powerful and efficient malware. Complacency and a 'near enough is good enough' attitude to cybersecurity will only make their job easier.
1 Australian Cyber Security Centre, 2021-006:
ACSC Ransomware Profile – Lockbit 2.0 (6 August 2021) <
3 Alicia Hope, Accenture Downplays the LockBit Ransomware Attack That Reportedly Encrypted 2,500 Computers, Leaking 6 Terabytes of Data (18 August 2021) CPO Magazine < HTTPS://WWW.CPOMAGAZINE.COM/CYBER-SECURITY/ACCENTURE-DOWNPLAYS-THE-LOCKBIT-RANSOMWARE-ATTACK-THAT-REPORTEDLY-ENCRYPTED-2500-COMPUTERS-LEAKING-6-TERABYTES-OF-DATA/ >
4 Lisa Morgan, Accenture Faces $50 Million Ransom Demand (20 August 2021) Cyber Security Hub < HTTPS://WWW.CSHUB.COM/EXECUTIVE-DECISIONS/ARTICLES/ACCENTURE-FACES-50-MILLION-RANSOM-DEMAND >
5 Accenture, Triple digit increase in cyberattacks: What next? (4 August 2021) < HTTPS://WWW.ACCENTURE.COM/US-EN/BLOGS/SECURITY/TRIPLE-DIGIT-INCREASE-CYBERATTACKS >
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.