Cybersecurity Threat Advisory Update: LockBit Ransomware Threat

A new critical security alert requires the mission-critical community’s immediate attention.

The LockBit ransomware group has become the prominent ransomware group based on its high volume of attacks in recent months. They are utilizing a new phishing email tactic that disguises malware as a copyright claim and creates a bug bounty program. Once an attack is successful, a threat actor can leverage their position to control an organization's network. MCP recommends proactively mitigating risk in your environment as soon as possible to avoid potential impact.

What Is the Threat?

Threat actors disguise malware as a copyright violation email. Recipients are asked to download and open an attachment to see the infringement content. The attachment is a password-protected ZIP archive that contains an executable file disguised as a PDF document. Once a victim opens the "PDF," the malware will load and encrypt the device with the LockBit 2.0 Ransomware. This ransomware prevents recovery by deleting volume shadow copy, which ensures the ransomware runs continuously. It will register a Run Key to the registry and drop LockBit_Ransomware.hta on the desktop to keep it running even after a desktop change or a reboot.

Why Is it Noteworthy?

Business email compromise (BEC), also known as email account compromise (EAC), is one of the most financially damaging online crimes. It often appears as a spoofed email account, website, or spearphishing email, where messages look like they're from a trusted sender. There is now a significant financial incentive, ranging in the thousands to $1 million, for ethical and unethical hackers to contribute information to strengthen this threat, further elevating the risk. As news of this bounty becomes public, attackers will accelerate attacks on targets hoping to strike while the window remains open.

What Is the Exposure or Risk?

Once an attack is successful, a threat actor will have complete and unrestricted access to the target network without being detected. If a threat actor gains network access, they can quickly terminate multiple services and conduct a ransomware event that can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses, and potential harm to an organization's reputation.

What Are the Recommendations?

Mission Critical Partners recommends the following actions to prevent this threat:

• Inform and educate users at risk of this new threat tactic
• Protect all common attack surfaces, especially email, to avoid potential exploit
• Review identity posture, monitor external access to networks, and update all vulnerable services

If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite for critical infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.

References

For more in-depth information about the recommendations, please visit the following links:

• Lockbit ransomware gang creates first malicious bug bounty program | VentureBeat
• LockBit Ransomware Disturbed via Copyright Infringement Emails - Security Investigation (socinvestigation.com)
• LockBit explained: How it has become the most popular ransomware