Ransomware is a type of malware that encrypts a victim’s files, making them inaccessible until a ransom is paid. The LockBit ransomware family is one of the most active and dangerous groups of ransomware out there, with a new version called LockBit 3.0 causing concern among security researchers. In this article, we will discuss the evolution of LockBit, the tactics used by its operators, and the challenges posed by LockBit 3.0 to security experts.
The Rise of LockBit
The LockBit ransomware family was first discovered in September 2019, but it wasn’t until 2021 that it became a prevalent form of ransomware. This was due to the introduction of LockBit 2.0, which adopted the double extortion model. This involves both encrypting and exfiltrating (or transferring) a victim’s files to another device, making the situation even more dire for the victim.
In July 2022, LockBit made headlines by announcing that it would offer the data of its nonpaying victims online in a freely available, easy-to-use, searchable form. This move was designed to increase pressure on victims to pay the ransom. The group also introduced a bug bounty program to find defects in its ransomware, and even offered money to people willing to get the LockBit logo tattooed on their bodies.
The Tactics of LockBit’s Operators
LockBit’s operators use a Ransomware-as-a-Service (RaaS) model, in which users can pay to have access to a given kind of ransomware. This often involves some form of subscription. Sometimes, users can even check statistics to see if their use of LockBit ransomware was successful.
The group typically targets organizations around the world, including those in the UK, US, Ukraine, and France. They often purchase Remote Desktop Protocol (RDP) access on the dark web so that they can access victims’ devices remotely and more easily.
Challenges Posed by LockBit 3.0
LockBit 3.0 is a major challenge for security researchers. Each instance of the malware requires a unique password to run, without which analysis is extremely difficult or impossible. Additionally, the malware is heavily protected against analysis and makes use of a substantial number of undocumented kernel-level Windows functions.
Moreover, the malware is self-spreading, and only certain victims are targeted, mainly those with the ability to pay a large ransom. As a result, the malware is now active in the wild, causing a lot of concern among security experts.
LockBit 3.0 is a dangerous and challenging strain of ransomware that is affecting organizations around the world. Its operators have shown a willingness to use aggressive tactics and have made it difficult for security researchers to analyze the malware. With LockBit continuing its rise to the top of the ransomware ecosystem, it is important for organizations to be aware of the threat and take steps to protect themselves against it.