LockBit ransomware is a relatively new Ransomware-as-a-Service (RaaS) operation, started in September 2019. The developers run the payment site and maintain the malware, and “affiliates” sign up to spread the infection. Researchers at McAfee and Northwave described a recent breach of a corporate network during which LockBit was used to encrypt 25 servers and 225 workstations, all in about three hours. The company’s network was breached at around 1 AM by brute-forcing an administrator account on an outdated VPN, which gave the attackers immediate admin-level access. Once in, they infected the network with LockBit, which is self-spreading, and logged off at 4 AM the same morning. The ransomware spreads by monitoring network traffic to discover other computers on the LAN and attempting to run remote PowerShell commands on each of them over Server Message Block (SMB) using the compromised account credentials. Not all of the company’s devices were encrypted, which was attributed to a bug in LockBit that caused it to crash. The interesting aspect of this breach is the sheer speed of infection. Normally, attackers breach a system and snoop around for days or weeks to gain access to as many critical systems as possible before launching ransomware to cause the maximum damage. Given LockBit’s self-spreading nature, the attacker did not have to be particularly skilled either.
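Both phases of the intrusion described above leave a distinctive footprint in ordinary authentication and process-creation logs: a burst of failed VPN logins for one account that ends in a success, and then that same account producing network logons plus remote PowerShell on many hosts within minutes. The following detection script is an added example, not code from the McAfee/Northwave write-up; the log format, hostnames, account name, timestamps and the alert thresholds (10 failures in 15 minutes, 5 hosts in 30 minutes) are all constructed assumptions for illustration.

```python
"""Detect the two patterns from the LockBit write-up in constructed logs:
(1) a password-guessing burst against a VPN account that ends in a success,
(2) one account fanning out remote PowerShell to many hosts in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (invented hostnames, account and times).
# Line format: "<ISO timestamp> <source> <event> key=value ..."
SAMPLE_LOGS = "\n".join(
    # 12 failed VPN logins for "admin" between 00:48 and 00:59 ...
    [f"2020-05-01T00:{48 + i:02d}:00 vpn AUTH_FAIL user=admin host=vpn-gw" for i in range(12)]
    # ... followed by a successful VPN login for the same account
    + ["2020-05-01T01:01:03 vpn AUTH_OK user=admin host=vpn-gw"]
    # then network (SMB-style) logons and powershell.exe launches on 8 workstations
    + [f"2020-05-01T01:{20 + i:02d}:00 win LOGON_NET user=admin host=ws-{i:03d}" for i in range(8)]
    + [f"2020-05-01T01:{20 + i:02d}:05 win PROC_CREATE user=admin host=ws-{i:03d} proc=powershell.exe"
       for i in range(8)]
    # benign noise: a normal user opening a mail client on one host
    + ["2020-05-01T01:30:00 win LOGON_NET user=alice host=ws-100",
       "2020-05-01T01:30:04 win PROC_CREATE user=alice host=ws-100 proc=outlook.exe"]
)


def parse_logs(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, *kv = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "source": source, "kind": kind}
        for item in kv:
            key, value = item.split("=", 1)
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_vpn_bruteforce(events, min_failures=10, window=timedelta(minutes=15)):
    """Flag accounts with >= min_failures VPN failures inside `window` followed by a success.

    Returns a list of (user, failure_count, success_timestamp)."""
    failures = defaultdict(list)
    hits = []
    for ev in events:
        if ev["source"] != "vpn":
            continue
        user = ev["user"]
        if ev["kind"] == "AUTH_FAIL":
            failures[user].append(ev["ts"])
        elif ev["kind"] == "AUTH_OK":
            recent = [t for t in failures[user] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                hits.append((user, len(recent), ev["ts"]))
            failures[user].clear()  # a success resets the burst for this account
    return hits


def detect_lateral_fanout(events, min_hosts=5, window=timedelta(minutes=30)):
    """Flag accounts that launch powershell.exe on >= min_hosts distinct hosts within
    `window`, where each host also saw a network logon for that account first.

    Returns a list of (user, sorted list of hosts)."""
    net_logons = set()              # (user, host) pairs that had a network logon
    remote_ps = defaultdict(list)   # user -> [(ts, host)] remote PowerShell launches
    for ev in events:
        if ev["kind"] == "LOGON_NET":
            net_logons.add((ev["user"], ev["host"]))
        elif (ev["kind"] == "PROC_CREATE"
              and ev.get("proc", "").lower() == "powershell.exe"
              and (ev["user"], ev["host"]) in net_logons):
            remote_ps[ev["user"]].append((ev["ts"], ev["host"]))
    hits = []
    for user, items in remote_ps.items():
        # items are already in time order because `events` is sorted
        for i, (start, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, sorted(hosts)))
                break
    return hits


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for user, count, when in detect_vpn_bruteforce(evs):
        print(f"VPN brute force: {user} had {count} failures before success at {when}")
    for user, hosts in detect_lateral_fanout(evs):
        print(f"Lateral fan-out: {user} ran remote PowerShell on {len(hosts)} hosts: {hosts}")
```

The fan-out rule requires a preceding network logon for the same account on the same host, which is what remote execution over SMB produces; a single workstation running PowerShell locally does not trip it. Tuning the thresholds to an environment's baseline is the main operational work, but note that in the incident above the whole spread took about three hours, so even a conservative window would have fired well before the last host was encrypted.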