A feature of the LockBit ransomware that was examined in-depth only recently allows the ransomware to spread itself to a large number of devices in a short span of time. A corporate network was attacked using LockBit and 250 systems were infected after the breach, with the ransomware spreading itself automatically to new victim systems.
Automated Infection, Minimal Bad Actor Involvement
LockBit is a ransomware-as-a-service (RaaS) operation, in which the malicious toolkit is leased to budding hackers. Once an attack is carried out by a third party, the authors of the ransomware, who operate the payment processing website, receive a significant cut of the ransom payments – between 25 and 40 percent – while the bad actors who executed the attack receive the larger share.
Cybersecurity experts from Northwave were called in to respond to the attack on the corporate entity, which had a total of 225 workstations and 25 servers infected. Northwave reports that the entire attack took place over the course of three hours.
The hackers found their way into the network by exploiting an outdated VPN service that allowed them to brute-force an administrator account’s password. Once they had admin access, it was very easy to deploy the LockBit ransomware. However, the curious part is not so much the infiltration and deployment but rather what LockBit can do once it has been deployed.
Self-Propagating LockBit Makes Life Easy for Bad Actors
The ransomware is able to spread itself to other connected devices on a network, using ARP (address resolution protocol) to find additional active systems and connecting to them over the SMB (server message block) protocol. If the SMB connection succeeds, the ransomware executes a PowerShell command that downloads and deploys the payload. This process is repeated by each newly infected system, leading to an avalanche effect in which each newly infected host searches for more machines. The only thing that a budding black hat needs to spread LockBit to a considerable number of systems is admin access and a couple of hours, which is a worrying prospect.
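The propagation pattern described above (one host fanning out over SMB to many peers, then each newly reached peer fanning out in turn) is noisy on the network, which is why such attacks are comparatively easy to detect. The following added example, not part of the original article, shows how a defender could flag that pattern in connection logs; the log records and IP addresses are constructed, and the window and threshold values are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed sample connection records (src_ip, dst_ip, dst_port, timestamp);
# hypothetical values, not taken from any real incident log.
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "10.0.0.10", 445, "2020-05-01T10:00:00"),
    ("10.0.0.5", "10.0.0.11", 445, "2020-05-01T10:00:02"),
    ("10.0.0.5", "10.0.0.12", 445, "2020-05-01T10:00:03"),
    ("10.0.0.5", "10.0.0.13", 445, "2020-05-01T10:00:05"),
    ("10.0.0.10", "10.0.0.20", 445, "2020-05-01T10:01:00"),  # reached host fans out too
    ("10.0.0.10", "10.0.0.21", 445, "2020-05-01T10:01:01"),
    ("10.0.0.10", "10.0.0.22", 445, "2020-05-01T10:01:03"),
    ("10.0.0.10", "10.0.0.23", 445, "2020-05-01T10:01:04"),
    ("10.0.0.50", "10.0.0.1", 445, "2020-05-01T10:02:00"),   # ordinary file-server use
    ("10.0.0.50", "10.0.0.1", 445, "2020-05-01T10:05:00"),
]

def smb_fan_out(connections, window=timedelta(seconds=60), threshold=4):
    """Return {src: first_timestamp} for hosts that opened SMB sessions to at
    least `threshold` distinct peers inside a sliding `window` (assumed values)."""
    by_src = defaultdict(list)
    for src, dst, port, ts in connections:
        if port == SMB_PORT:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - start <= window}
            if len(peers) >= threshold:
                flagged[src] = start  # earliest window in which fan-out occurred
                break
    return flagged

def propagation_chains(connections, **kw):
    """Link flagged hosts: (A, B) when B began fanning out after A reached it
    over SMB, i.e. the avalanche pattern rather than an isolated scan."""
    flagged = smb_fan_out(connections, **kw)
    chains = set()
    for src, dst, port, ts in connections:
        t = datetime.fromisoformat(ts)
        if (port == SMB_PORT and src in flagged and dst in flagged
                and flagged[src] <= t < flagged[dst]):
            chains.add((src, dst))
    return sorted(chains)
```

In practice the records would come from firewall, NetFlow or Windows event logs, and a chain of length two or more is a strong signal to isolate the originating host immediately.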
This feature lowers the bar when it comes to the skill of the hackers who can attempt to use the ransomware, but it also means that attacks using this sort of method are easier to detect and stop. Still, this extremely easy-to-use, self-spreading threat means a lot of new potential bad actors may turn to LockBit, expecting a payout with minimum investment and effort.