Threat Watch

LockBit Ransomware

LockBit ransomware is a relatively new Ransomware-as-a-Service (RaaS) that started in September 2019. The developers run the payment site and maintain the malware, and “affiliates” sign up to spread the infection. Researchers at McAfee and Northwave described a recent breach of a corporate network during which LockBit was used to encrypt 25 servers and 225 workstations, all in about three hours. The company’s network was breached at around 1 AM by brute-forcing the password of an administrator account on an outdated VPN, which gave the attackers immediate admin-level access. Once in, they infected the network with LockBit, which is self-spreading, and logged off at 4 AM the same morning. The ransomware spreads by monitoring network traffic to discover other computers on the LAN and attempting to run remote PowerShell commands on each of them over Server Message Block (SMB) using the compromised account’s credentials. Not all of the company’s devices were encrypted, which was attributed to a bug in LockBit that caused it to crash. The notable aspect of this breach is the sheer speed of infection. Normally, attackers breach a network and move around inside it for days or weeks to gain access to as many critical systems as possible before launching ransomware for maximum damage. Given LockBit’s self-spreading nature, the attacker did not need to be especially skilled either.


LockBit RaaS use is expected to grow because it does not require a skilled attacker and it can spread to many computers very quickly. In this case, an outdated VPN was the primary avenue of attack, and the attackers logged on by guessing the password of an administrator account. Because the attacker accessed systems through a legitimate administrator account, no anti-virus or firewall solution would have prevented the initial intrusion. Only an Endpoint Detection and Response (EDR) solution that detects unusual behavior could have helped security analysts recognize this attack, and only if the security team was monitoring at 1 AM could they have responded quickly enough to stop it.
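As an added example (not code from the Binary Defense article or the McAfee/Northwave report), the Python below sketches the kind of behavioral rule an EDR could apply to the spread pattern described above: one account launching PowerShell through a remote-execution parent process on many hosts within a few minutes, with an extra flag when the burst starts off hours. The event field names, the parent-process indicator set, the thresholds and the log lines are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator set: parent processes that mean PowerShell was started by a
# remote-execution channel (a service created over SMB, or a WinRM host process).
REMOTE_PARENTS = {"services.exe", "wsmprovhost.exe"}


def _ev(ts, host, user, parent):
    """Build one constructed process-creation event (normalised EDR telemetry)."""
    return {"ts": ts, "host": host, "user": user,
            "image": "powershell.exe", "parent": parent}


# Constructed sample: one admin account starts PowerShell via the service host on
# six workstations between 01:07 and 01:09, plus two benign daytime users.
EVENTS = [_ev(f"2020-05-12T01:0{7 + n // 2}:{10 + 25 * (n % 2):02d}",
              f"WS{n:02d}", "CORP\\admin", "services.exe") for n in range(6)]
EVENTS += [
    _ev("2020-05-12T09:15:00", "WS10", "CORP\\jsmith", "explorer.exe"),     # interactive
    _ev("2020-05-12T14:02:00", "WS11", "CORP\\helpdesk", "wsmprovhost.exe"),  # 2 hosts only
    _ev("2020-05-12T14:05:00", "WS12", "CORP\\helpdesk", "wsmprovhost.exe"),
]


def detect_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Alert when one account launches PowerShell through a remote channel on
    at least min_hosts distinct hosts inside a sliding time window.
    Returns one alert per account, raised the first time the threshold is crossed."""
    per_user = defaultdict(list)
    for e in events:
        if e["image"].lower() == "powershell.exe" and e["parent"].lower() in REMOTE_PARENTS:
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                first = hits[start][0]
                alerts.append({"user": user, "first_seen": first.isoformat(),
                               "hosts": sorted(hosts),
                               "off_hours": first.hour >= 22 or first.hour < 6})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(EVENTS):
        print(alert)
```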

Organizations should keep all of their systems and remote access solutions as up to date as possible. If a software package is no longer supported, it should be replaced with a newer service. In any ransomware attack, the primary recovery tool is a clean and secure backup, provided the attackers did not destroy the backups. The 3-2-1 backup rule should be applied: three copies of the data on two separate devices, with one of them offsite. This attack happened at 1 AM, when most companies do not staff the IT or security help desk. A service such as the Binary Defense Security Operations Center can provide around-the-clock detection and defense of a company’s endpoints. Binary Defense’s Managed Detection and Response (MDR) solution generates many different alarms for the behavior of LockBit, and the Binary Defense analysts on duty would respond quickly to stop the spread of the ransomware at any time of day or night.

To read more: