The LockBit 3.0 variant generates customized, self-propagating malware

The LockBit ransomware-as-a-service (RaaS) group has struck another victim, this time using stolen credentials to launch a sophisticated attack against an unidentified organization in West Africa. The attackers used a new variant of the LockBit 3.0 builder, which was leaked in 2022.

Kaspersky researchers discovered the latest variant in late March 2024 after responding to the incident in West Africa, describing it at the time as Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen and Trojan-Ransom.Win32.Generic. Of particular concern is that this variant can generate customized, self-propagating ransomware that is difficult to defend against.

During the attack, the threat actors posed as administrators and infected multiple hosts with malware, with the goal of spreading it deep into the victim’s network. According to Kaspersky, the custom ransomware performed various malicious actions, including disabling Windows Defender, encrypting network shares, and deleting Windows event logs to hinder discovery of its actions.
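Two of the behaviours above, disabling Windows Defender and clearing event logs, leave Windows event records that a defender can correlate. The following is an added detection example, not Kaspersky's code or anything from the incident; it assumes log records exported as JSON-style dictionaries and uses constructed sample data, flagging a Defender-disable followed by a log clear on one host and one account clearing logs across several hosts in a short window (the latter mirrors the multi-host spread described here).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the incident), shaped like Windows event
# log entries exported as JSON; a real run would pull them from a SIEM or EDR.
SAMPLE_EVENTS = [
    {"host": "srv-01", "time": "2024-03-20T02:10:05", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "user": "CORP\\svc-admin"},
    {"host": "srv-01", "time": "2024-03-20T02:10:40", "channel": "Security", "event_id": 1102, "user": "CORP\\svc-admin"},
    {"host": "srv-02", "time": "2024-03-20T02:11:30", "channel": "System", "event_id": 104, "user": "CORP\\svc-admin"},
    {"host": "wks-07", "time": "2024-03-20T09:00:00", "channel": "Security", "event_id": 1102, "user": "CORP\\helpdesk"},
]

# Windows event IDs for the two behaviours named in the article.
DEFENDER_DISABLED = {("Microsoft-Windows-Windows Defender/Operational", 5001)}  # real-time protection off
LOG_CLEARED = {("Security", 1102), ("System", 104)}  # audit log / system log cleared


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_defense_evasion(events, window=timedelta(minutes=10)):
    """Return (severity, host(s), user, reason) tuples for suspicious sequences."""
    alerts = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_host[ev["host"]].append(ev)

    # Per-host sequence: protection disabled, then a log cleared shortly after.
    clears_by_user = defaultdict(list)
    for host, evs in by_host.items():
        disabled_at = None
        for ev in evs:
            key = (ev["channel"], ev["event_id"])
            if key in DEFENDER_DISABLED:
                disabled_at = _ts(ev)
            elif key in LOG_CLEARED:
                clears_by_user[ev["user"]].append((host, _ts(ev)))
                if disabled_at and _ts(ev) - disabled_at <= window:
                    alerts.append(("high", host, ev["user"], "defender disabled then log cleared"))
                else:
                    alerts.append(("medium", host, ev["user"], "event log cleared"))

    # Cross-host: the same account clearing logs on several hosts inside the window.
    for user, clears in clears_by_user.items():
        hosts = {h for h, _ in clears}
        span = max(t for _, t in clears) - min(t for _, t in clears)
        if len(hosts) >= 2 and span <= window:
            alerts.append(("high", ",".join(sorted(hosts)), user, "log clearing across hosts"))
    return alerts
```

Tune the window and event set to the environment; a lone log clear by a helpdesk account is only medium here because legitimate maintenance also produces it.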

Researchers found that the variant can also direct attacks on selected systems and infect specific .docx or .xlsx files. “The nature of this discovery is quite critical as the use of leaked privileged credentials allows the attackers to have full control of the victim’s infrastructure, as well as cover their tracks,” says Cristian Souza, incident response specialist at Kaspersky.

According to Souza, the organization affected by the new LockBit variant in West Africa is the only casualty that Kaspersky’s Global Emergency Response Team (GERT) has encountered so far in that area. “However, we have detected other incidents using the leaked builder in other regions,” he says.

LockBit 3.0’s appeal to attackers

Since it was leaked in 2022, attackers have continued to actively use the LockBit 3.0 builder to create custom versions and variants. “This opens up numerous possibilities for attackers to make their attacks more effective since network spreading options and defense destruction capabilities can be configured,” according to a brief research write-up on the attack and a detailed description of the variant published by Kaspersky. “It becomes even more dangerous if the attacker has valid privileged credentials in the targeted infrastructure.”

According to a recent report from Trend Micro, the LockBit group was responsible for at least 25% of all ransomware attacks in 2023 and has affected thousands of victims since 2020. The LockBit 3.0 builder is a popular tool among threat actors because it does not require advanced programming skills.

In February 2024, the Cronos Group, an international law enforcement effort, said it had dismantled the group’s infrastructure, but less than a week later, LockBit responded that it had recovered and was back in business.

Protection from LockBit attacks

As debate continues over whether LockBit remains the pervasive force in ransomware attacks, Kaspersky advises organizations to take the same steps they would take to prevent an attack by any group. These steps include using properly configured anti-malware and endpoint detection software, implementing a managed detection and response solution, conducting vulnerability assessments and penetration testing, and running and testing backups of critical data.

Additionally, Souza advises network administrators to use network segmentation, apply multi-factor authentication (MFA), whitelist allowed applications “and have a well-defined incident response plan.”
