Who is LockBit?
LockBit is a multimillion-dollar ransomware group that operates a ransomware-as-a-service (RaaS) program. It treats ransomware as a business: it runs an affiliate program, a bug bounty program, and even HR-style recruitment, and it uses its revenue to hire developers to write and maintain its ransomware. LockBit is one of the most active ransomware groups.
LockBit's core operators do not carry out the initial intrusion themselves. Instead, they advertise on dark web forums for affiliates who already have, or can obtain, initial access to a victim network. The ads promise everything needed to deploy the ransomware (the payload and the infrastructure to run the extortion), and LockBit then splits the ransom with the affiliate who brought the access.
LockBit 3.0 is a product-design upgrade of LockBit 2.0 made to stay ahead of the competition. It is primarily a technical upgrade that borrows techniques from other ransomware groups to make the payload more effective. LockBit also counts security companies like Blue Team Alpha as competitors, and its goal is to continually outsmart defenders.
LockBit 3.0 is notable for treating victims like clients or customers. In its ransom note, LockBit tries to get the victim to view the attack as a penetration test of its systems, with the ransom acting as a simple "service fee": just pay them as you would any company providing cybersecurity services. The note also discourages contacting law enforcement, on the grounds that authorities will always advise against paying, and goes into detail about how involving authorities and insurers interferes with negotiations.
Regarding insurance, LockBit tells victims to secretly reveal their insurance limits before negotiations, claiming it will keep its demand under the policy maximum. In reality, LockBit wants that number so that during negotiations it can push the demand as close to the limit as possible.
Note also that LockBit asks for payment in Zcash rather than Bitcoin. Zcash supports shielded transactions that hide the sender, recipient and amount, whereas every Bitcoin transaction is visible on its public ledger, which makes payments easier for investigators to trace.
How is LockBit 3.0 Targeting Financial Institutions?
Financial institutions are an incredibly enticing target for LockBit because they hold a lot of sensitive customer information.
Many of these institutions are not worried about file encryption because they have excellent backups; what some do worry about is extortion over stolen data. How much they worry usually depends on the privacy law of their jurisdiction. In the United States, if private customer data is stolen, breach-notification laws require the company to disclose the breach to affected customers (and often to regulators) regardless of whether a ransom was paid; failing to do so can result in fines. Note also that the EU's General Data Protection Regulation (GDPR) applies to US companies that process the personal data of people in the EU, not only to EU companies. LockBit knows this and uses it as leverage: the reminder often appears in its ransom note to push companies into paying.
LockBit 3.0’s New Tactic
In previous versions of LockBit, the pressure to pay was about getting data back. Financial institutions can usually restore their own files and might not care much if data is leaked, but they do care about attackers stealing money or altering account balances.
LockBit realized this and changed strategy in 3.0. Instead of selling the return of data, it now leans on the legal angle: the ransom note reminds institutions of their local laws imposing fines for privacy breaches. Because a regulatory fine could exceed the ransom, LockBit argues that it is cheaper to just pay, and reassures the victim that it will stay within the insurance limit. For example, the note might say "either pay us $1M or pay your government $5M; by paying us right now, you save $4M." This puts the victim in an incredibly difficult position.
How to Mitigate Risks Associated with LockBit 3.0
Implementing basic cyber hygiene is the easiest step a company can take to protect against ransomware attacks. Ransomware attackers choose the most vulnerable targets, which are almost always organizations without standard protections in place. Phishing is still the most common way into a network.
Employees should be trained regularly on recognizing phishing. At least twice a year (more often is always better), security teams should run simulated phishing campaigns, and employees who fail should receive additional training.
Companies need to have their networks scanned for vulnerabilities regularly. Security teams should look at what a threat actor sees when criminals scan for victims (external network scanning): which IPs, ports and services are exposed, and which are most vulnerable? Any Internet-facing web applications also need to be scanned.
CISA's Known Exploited Vulnerabilities (KEV) catalog, which lists vulnerabilities confirmed to be exploited in the wild, currently contains around 800 entries; it is a practical starting point for deciding which scan findings to fix first.
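To make the two steps above concrete, here is an added example (written for this article, not a Blue Team Alpha tool) that takes external-scan findings and ranks them against CISA's KEV catalog: findings carrying a known-exploited CVE come first, Internet-exposed services that ransomware affiliates routinely abuse (RDP, SMB, Telnet and so on) come second, and everything else is queued for review. The scan findings, the IP addresses (RFC 5737 documentation space) and the KEV excerpt are all constructed inline so the script runs offline; the KEV field names match the real feed, but the due dates are placeholders, and CVE-2020-11022 appears only as a finding that this excerpt does not list. In practice you would load the full catalog from the JSON feed on cisa.gov and feed in your own scanner's output.

```python
"""Rank external-scan findings using CISA's KEV catalog (added example)."""
import json
from typing import Dict, List, Tuple

# Services that should almost never face the Internet; ransomware affiliates
# routinely buy or brute-force access to these (port -> label).
HIGH_RISK_PORTS = {
    21: "ftp", 23: "telnet", 445: "smb", 1433: "mssql", 3389: "rdp",
    5900: "vnc", 5985: "winrm", 5986: "winrm-https",
}

# Constructed excerpt in the layout of CISA's KEV JSON feed. Field names match
# the real feed; the dates are placeholders, not the catalog's actual values.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft",
     "product": "Remote Desktop Services", "dueDate": "2022-06-01",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
     "product": "Log4j2", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""

# Constructed external-scan findings (hosts are RFC 5737 documentation addresses).
SCAN_FINDINGS = [
    {"host": "203.0.113.10", "port": 3389, "service": "ms-wbt-server",
     "cves": ["CVE-2019-0708"]},
    {"host": "203.0.113.10", "port": 443, "service": "https",
     "cves": ["CVE-2021-44228"]},
    {"host": "203.0.113.22", "port": 445, "service": "microsoft-ds", "cves": []},
    {"host": "203.0.113.22", "port": 22, "service": "ssh", "cves": []},
    {"host": "203.0.113.30", "port": 443, "service": "https",
     "cves": ["CVE-2020-11022"]},
]


def load_kev(raw: str) -> Dict[str, dict]:
    """Index a KEV catalog (JSON text in the feed's layout) by CVE ID."""
    catalog = json.loads(raw)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritise(findings: List[dict],
               kev: Dict[str, dict]) -> List[Tuple[int, str, int, str, str]]:
    """Rank findings: 1 = carries a known-exploited CVE, 2 = high-risk service
    exposed to the Internet, 3 = everything else.
    Returns (priority, host, port, service, reason) tuples, highest priority first."""
    ranked = []
    for f in findings:
        exploited = sorted(c for c in f["cves"] if c in kev)
        if exploited:
            reason = ", ".join(f"{c} (KEV due {kev[c]['dueDate']})" for c in exploited)
            ranked.append((1, f["host"], f["port"], f["service"], reason))
        elif f["port"] in HIGH_RISK_PORTS:
            ranked.append((2, f["host"], f["port"], f["service"],
                           f"{HIGH_RISK_PORTS[f['port']]} exposed to the Internet"))
        else:
            ranked.append((3, f["host"], f["port"], f["service"],
                           "review; no known-exploited CVE in this catalog"))
    return sorted(ranked, key=lambda r: (r[0], r[1], r[2]))


def main() -> None:
    kev = load_kev(KEV_JSON)
    for prio, host, port, svc, reason in prioritise(SCAN_FINDINGS, kev):
        print(f"P{prio}  {host}:{port:<5} {svc:<14} {reason}")


if __name__ == "__main__":
    main()
```

Run as-is and the two findings on 203.0.113.10 surface first with their KEV due dates, the exposed SMB service on 203.0.113.22 follows, and SSH and the unlisted CVE fall to the review queue. The point of the ordering is that a KEV match is evidence of active exploitation, which is exactly the kind of foothold an affiliate sells to LockBit, so it outranks a scanner's generic severity score.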
Penetration testing is an attack simulation, best performed by a third party, that gives companies realistic experience against attackers. In these controlled engagements, testers attack the network the way threat actors would, identifying weaknesses before a criminal does. A thorough engagement tests every layer of defense: the perimeter, the external and internal networks, and the employees.
By taking these steps, your organization will be better protected, and your risk of attack lowered significantly. At Blue Team Alpha, we offer several offensive and defensive services to help keep your business secure.