LockBit 2.0 Ransomware is Active and Looking for Affiliates

Nowadays, ransomware gangs' operations are often short-lived, especially once they 'strike gold', as when the REvil Ransomware gang shut down after the Colonial Pipeline hack. However, some ransomware families have been around for over a year and are still actively looking for affiliates. This is the case with the LockBit Ransomware, whose 2.0 version was released just recently. The LockBit 2.0 Ransomware features an enhanced file-encryption algorithm, and its creators are recruiting affiliates through LockBit's data leak site. The malware developers hire other threat actors to compromise networks and systems, taking a fee of 20-30% of each ransom payment.

These campaigns are extremely profitable for the malware authors, since they simply provide an implant and a control panel; it is up to their affiliates to do the rest. This is exactly what makes threats like the LockBit 2.0 Ransomware so dangerous: their reach is enormous, and they may be spread online via all sorts of methods and tricks.

A large fraction of file-lockers focus on encrypting the files on the infected machine and dropping the ransom message. However, high-profile threat actors like the ones using the LockBit 2.0 Ransomware will not be satisfied by this. This is why this file-encryption Trojan comes pre-loaded with special scripts that manipulate the configuration of Windows Group Policies. By tampering with these settings, the ransomware tries to soften the security measures imposed by Microsoft and to make it possible to infect other devices on the same network. Of course, the full process is much more complicated, but the end result is always the same: access to files across multiple devices on the infected network.
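Because the article notes that Group Policy tampering is part of how this ransomware weakens defences and spreads, a defender can routinely audit domain GPOs for recent changes. The following PowerShell script is an added example, not code from the article or from LockBit's operators; it assumes the GroupPolicy RSAT module is installed and that the account running it can read all GPOs, and the keyword list is a constructed assumption about settings worth flagging, not an indicator taken from the article.

```powershell
# Added example (not from the article): list domain GPOs modified recently and
# flag those whose settings report mentions endpoint-protection, firewall,
# scheduled-task or startup-script policies. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

$LookbackHours = 24
$Since = (Get-Date).AddHours(-$LookbackHours)

# Constructed keyword list: policy areas an intruder might edit to "soften"
# defences or push a payload to other machines. Extend to suit the environment.
$SuspiciousKeywords = @(
    'Windows Defender',
    'DisableAntiSpyware',
    'DisableRealtimeMonitoring',
    'Turn off real-time protection',
    'Windows Firewall',
    'Scheduled Tasks',
    'Startup Scripts'
)

$Findings = foreach ($gpo in Get-GPO -All) {
    # Skip GPOs not touched inside the lookback window.
    if ($gpo.ModificationTime -lt $Since) { continue }

    # Full XML settings report, searched as plain text so no schema knowledge is needed.
    $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $hits = $SuspiciousKeywords | Where-Object { $report -match [regex]::Escape($_) }

    [pscustomobject]@{
        Name         = $gpo.DisplayName
        Id           = $gpo.Id
        Modified     = $gpo.ModificationTime
        Owner        = $gpo.Owner
        MatchedTerms = ($hits -join ', ')
    }
}

if (-not $Findings) {
    Write-Host "No GPOs modified in the last $LookbackHours hours."
} else {
    # Most recent change first; an empty MatchedTerms column still deserves a look.
    $Findings | Sort-Object Modified -Descending | Format-Table -AutoSize
}
```

Run it on a schedule from a management host and compare the output against the change-control record; any recently modified GPO with no approved ticket, especially one that matches the keyword list, warrants immediate investigation.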

Just like other modern ransomware, the LockBit 2.0 Ransomware also steals files before encrypting their contents. This gives the criminals two ways to extort the victim: they threaten to delete the victim's decryption key, and they also threaten to publish the stolen files online.

One peculiar feature of the LockBit 2.0 Ransomware is that it tries to deliver the ransom note in an interesting manner. Apart from dropping the usual document, it also tries to access all printers available on the network, and then print the ransom message on paper. Previously, the same tactic was used by the Egregor Ransomware.

The LockBit 2.0 Ransomware is, without a doubt, alive and well. Although its operators had gone silent for many months, their project is certainly far from dead. Individuals and businesses can protect their networks by enforcing strong security policies, using reputable antivirus software, and ensuring that computer operators know how to stay away from suspicious sites.

July 28, 2021