LockBit has become one of the most notorious ransomware groups that is currently operating. They are very active on dark web forums and use negative publicity of other ransomware groups to recruit jaded threat actors to their own operation. Recently, there has been a significant increase in ransomware attacks targeting companies in northern Europe. These attacks are being carried out using the LockBit locker. One of the most concerning aspects of these recent attacks is the way in which they are being conducted. The LockBit Locker group is known for using a combination of advanced techniques, even phishing, and also social engineering, to gain initial access to a company’s network. Once they have access, they use a variety of tools and techniques to move laterally throughout the network, compromising systems and stealing sensitive data.
One of the most recent attacks was reported by Computerland in Belgium against SMBs in the country: according to the company they were targeted by a group of cybercriminals who appeared to be using a variant of the LockBit locker malware. However, upon further investigation, it was discovered that these attackers were not likely related to the real LockBit group, but rather “wannabes” who had obtained a leaked version of the malware. Despite not being the true LockBit Locker group, these micro criminals were still able to cause significant damage by encrypting many internal files. However, the company was able to restore its network from backups and no client workstations were affected during the intrusions. Among the increasing popularity of extortion practices in the criminal underground, even among less sophisticated actors, this incident also highlights the dangers of outdated software and systems. In conclusion, the recent ransomware attacks targeting North European SMBs companies are a serious concern for many reasons: despite the reduced effectiveness due to the lack of experience of the criminal operators, the targeted industries suffered significant outages and data exfiltration.
Analyst Notes
To protect against ransomware attacks, organizations should:
• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location.
• Install updates/patch operating systems, software, and firmware as soon as possible.
• Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect and respond to threats.
• Use multifactor authentication where possible.
• Use strong passwords and regularly change passwords to network systems.
• Avoid reusing passwords for multiple accounts.
• Focus on cyber security awareness and training.
• Regularly provide users with training on information security.
