LockBit 2.0 Ransomware Attacks Increase Worldwide

Security researchers have spotted an uptick of attacks using the latest version of the LockBit ransomware, with new victims in South America, Asia and Europe.

We have previously covered the LockBit 2.0 attack that successfully targeted huge consulting company Accenture, with threat actors allegedly asking for $50 million in ransom, according to some analysts, and allegedly stealing about 6 TB of sensitive Accenture data. The consulting company stated that there was no significant impact from the attack: systems were quickly locked down and the impact was minimal, with data restored successfully from backups.

The new attacks come in the wake of the ransomware hit on Accenture. Researchers are reporting attacks on entities located in Taiwan, the United Kingdom and Chile. The new version of the ransomware reportedly uses improved, multi-threaded encryption and boasts one of the fastest encryption methods in the field. It also appears that LockBit 2.0 encrypts only a very small part of each file it scrambles, with just a 4 kilobyte chunk of each file getting encrypted, which speeds up the process significantly.
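An added example (not from the article or the researchers it cites) of what the 4 kilobyte detail means for detection: a file with one encrypted chunk keeps a low whole-file entropy, so an entropy check has to look at each chunk. The threshold, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096         # chunk size the article reports being encrypted per file
HIGH_ENTROPY = 7.0   # assumed threshold in bits/byte; tune on your own data

def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(data: bytes, size: int = CHUNK) -> dict:
    """Compare whole-file entropy with the entropy of each aligned chunk."""
    per_chunk = [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]
    hot = [i for i, h in enumerate(per_chunk) if h >= HIGH_ENTROPY]
    return {
        "whole_file": shannon_entropy(data),
        "hot_chunks": hot,
        # Some but not all chunks look random: consistent with partial encryption.
        # All chunks hot is normal for archives, media and fully encrypted files.
        "partial": 0 < len(hot) < len(per_chunk),
    }

def constructed_samples():
    """Constructed data: a 64 KiB text file, and a copy with one chunk replaced."""
    line = b"2021-08-19 12:00:00 INFO invoice batch processed, record updated\n"
    clean = (line * 1100)[:16 * CHUNK]
    # Deterministic stand-in for ciphertext: SHA-256 output is statistically random.
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    tampered = clean[:3 * CHUNK] + noise + clean[4 * CHUNK:]
    return clean, tampered, noise * 16

if __name__ == "__main__":
    names = ("clean", "one 4 KB chunk replaced", "all random")
    for name, blob in zip(names, constructed_samples()):
        r = assess(blob)
        print(f"{name:24} whole={r['whole_file']:.2f} "
              f"hot={r['hot_chunks']} partial={r['partial']}")
```

The sample places the replaced region on a chunk boundary; on real files the region may straddle two chunks, which lowers each chunk's entropy, so overlapping windows are a reasonable refinement.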

The threat actor behind LockBit is also experimenting with new social engineering tactics. The hackers are trying to get through to company employees and bribe them into cooperation. There are reports of malware changing employee wallpapers, advertising payouts in the millions of dollars for working credentials that will allow the hackers to infiltrate the target organization.

Once LockBit 2.0 finds its way onto a network, it has a varied arsenal of tools at its disposal. There is a network scanner that singles out domain controllers, as well as an array of .bat files that automate a large number of tasks, including enabling RDP, shutting down any anti-malware or security software and flushing event logs to minimize the malware's footprint.

After establishing its basic routines, LockBit starts moving laterally across the victim network, starting with sending out new group policies to connected devices. Those policies take care of shutting off Windows Defender, then spreading and executing the payload on every Windows device found.

Once encryption takes place, the desktop image is replaced with the recruitment message described above, the usual ransom instructions and the threat that already encrypted files may be released to the public if the ransom is not paid.

Researchers have also spotted some similarities in the behaviors of LockBit 2.0 and other infamous ransomware strains such as Ryuk and Egregor, indicating at least partial code overlap.

August 19, 2021