Earlier this month, LockBit rolled out a new version of its ransomware. LockBit 2.0 implemented lots of additional features that made it even more dangerous. With the recent international efforts on fighting ransomware, those gangs are finding it difficult to advertise their malware in hacking forums. A few posts from this new version of LockBit were spotted on a few forums frequented by cyber crime gangs, but they were quickly removed. This version is currently advertised on a new version of their website.
Our team got access to LockBit’s deep-web site, where the ad is published along with data from victims that refused to pay the ransom. Among the advertised capabilities is a dangerous new feature to encrypt entire Windows domains through group policies. After infecting a domain controller, the malware creates new group policies and pushes them to every device connected to the network. Those policies disable antivirus protections and execute the ransomware. Additionally, LockBit seems to have copied a feature from Egregor ransomware: after a successful infection, it sends a command to every connected printer to repeatedly print the ransom note.
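The domain-wide group policy push described above leaves a trail on the domain controller that defenders can watch for. The following detection script is an added example written for this article, not code from LockBit or from our team's tooling. It assumes Directory Service Changes auditing is enabled, so that the Security log records event 5137 (directory service object created) and 5136 (directory service object modified); the account names, GUIDs and timestamps in the sample records are constructed. It flags an account that creates several new GPOs in a short window, or that creates a GPO and then changes the `gPLink` attribute on the domain root, which is what makes a policy apply to every computer in the domain at once.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, shaped like the fields a SIEM would extract from
# Windows Security events 5137 ("A directory service object was created") and
# 5136 ("A directory service object was modified"). Directory Service Changes
# auditing must be enabled on the DC; accounts and GUIDs below are invented.
SAMPLE_EVENTS = [
    {"time": "2021-08-10T02:11:03", "id": 5137, "user": "CORP\\backup-svc",
     "object_class": "groupPolicyContainer",
     "dn": "CN={11111111-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": None, "value": None},
    {"time": "2021-08-10T02:11:09", "id": 5137, "user": "CORP\\backup-svc",
     "object_class": "groupPolicyContainer",
     "dn": "CN={11111111-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": None, "value": None},
    # gPLink edited on the domain root: the new policy now applies domain-wide.
    {"time": "2021-08-10T02:11:40", "id": 5136, "user": "CORP\\backup-svc",
     "object_class": "domainDNS", "dn": "DC=corp,DC=local",
     "attribute": "gPLink",
     "value": "[LDAP://CN={11111111-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local;0]"},
    # Routine change: one GPO created by an admin and linked to a single OU.
    {"time": "2021-08-09T10:02:00", "id": 5137, "user": "CORP\\jdoe-admin",
     "object_class": "groupPolicyContainer",
     "dn": "CN={22222222-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": None, "value": None},
    {"time": "2021-08-09T10:05:00", "id": 5136, "user": "CORP\\jdoe-admin",
     "object_class": "organizationalUnit", "dn": "OU=Workstations,DC=corp,DC=local",
     "attribute": "gPLink",
     "value": "[LDAP://CN={22222222-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local;0]"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_gpo_push_bursts(events, window=timedelta(minutes=15), min_new_gpos=3):
    """Return one alert per account whose GPO activity looks like a domain-wide push.

    Two signals, evaluated per account inside a sliding time window:
      * several new groupPolicyContainer objects created in quick succession, or
      * a new GPO followed by a gPLink change on the domain root (domainDNS),
        which applies the policy to every computer in the domain at once.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        creations = [e for e in evs
                     if e["id"] == 5137 and e["object_class"] == "groupPolicyContainer"]
        root_links = [e for e in evs
                      if e["id"] == 5136 and e["attribute"] == "gPLink"
                      and e["object_class"] == "domainDNS"]
        for first in creations:
            start, end = _ts(first), _ts(first) + window
            in_window = [e for e in creations if start <= _ts(e) <= end]
            linked_root = [e for e in root_links if start <= _ts(e) <= end]
            if len(in_window) >= min_new_gpos or linked_root:
                alerts.append({
                    "user": user,
                    "window_start": first["time"],
                    "gpos_created": len(in_window),
                    "domain_root_link": bool(linked_root),
                    "severity": "high" if linked_root else "medium",
                })
                break  # one alert per account; later creations belong to the same burst
    return alerts


if __name__ == "__main__":
    for alert in find_gpo_push_bursts(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records, the script raises a single high-severity alert for `CORP\backup-svc` (two GPOs created within a minute and then linked at the domain root, at 2 a.m.) and stays quiet for the admin's single OU-scoped policy. The thresholds are deliberately loose; in a real environment they should be tuned to how often legitimate GPO changes occur, and the alert should be joined with the change-management record for that account.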
LockBit’s new version also added a new strategy to acquire “affiliates”. After encrypting a device, LockBit sets the wallpaper to a ransom note, claiming responsibility for the attack and pointing to the more detailed ransom note .txt file. Now the wallpaper also contains a recruitment ad, promising millions of dollars to employees who provide them access to the company systems so they can launch a ransomware attack. According to the ad, the access can be a valid credential or even executing a threat attached to an e-mail.
This strategy may seem unusual at first, but it’s somewhat common for companies to get breached through their own employees. For example, in 2020, a Russian citizen living in the USA was arrested after offering $1 million to a Tesla employee to deploy ransomware in Tesla’s internal network.
With Accenture being the latest high-profile victim of LockBit, it’s clear that at least some of its new tactics are paying off. By adopting a Zero Trust methodology, a company can limit the damage an insider can cause. By assuming all access can be compromised, and that you always need to validate it, it’s easier to detect malicious activity and isolate the affected network segments in case of a breach. Zero Trust can also help by granting access only to what an employee needs, limiting the systems an insider can damage.