LockBit ransomware attacks targeting Australia

Australian government warns organizations about increased LockBit ransomware attacks

LockBit ransomware attacks rapidly increasing this year in Australia

The Australian Cyber Security Centre (ACSC) has alerted businesses and organizations to an increase in reported LockBit 2.0 ransomware incidents in Australia, and has rated the alert status as medium. More specifically, the ACSC has observed threat actors actively exploiting a known vulnerability in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, to gain initial access to victim networks[1].

According to the agency, LockBit victims report that data stolen during the attacks is being leaked online, a tactic popular among ransomware gangs to coerce their targets into paying. LockBit's affiliates use the “double extortion” technique: they take victims' private and sensitive information and upload it to their leak site, “LockBit 2.0,” which is hosted on the Tor network (The Onion Router), giving them a better chance of staying anonymous. If the victim does not pay the demanded amount, they threaten to release or sell the information.

What is concerning is that the typical ransom demand was $6,000 in 2018, rose to $84,000 in 2019, and peaked in 2020 at an average of $178,000.

Australia’s cybersecurity agency said:

The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors including professional services, construction, manufacturing, retail, and food.

The agency also noted that these cybercriminals are opportunists and could target any industry, so those not mentioned should not assume that LockBit will not target them.

Using LockBit 2.0, the group is seeking to recruit insiders whose job will be to provide them with credential-based remote access solutions to RDP (Remote Desktop Protocol) and VPN (Virtual Private Network), which will give them another route to obtaining victims' files.

The beginning of LockBit and its new methods

Ransomware began as the work of lone individuals, but it has grown into a multibillion-dollar industry as more and more of daily life moves online. These days it is engineered as well as, if not better than, much commercial software.

First discovered in September 2019 as ransomware-as-a-service (RaaS), LockBit can encrypt thousands of files in a couple of seconds, even when targeting organizations with strong security measures in place. The LockBit ransomware restricts access to corporate files and systems by encrypting them into a locked and unusable format. It has worm-like functionality, which is expected to become more common in 2021. After encryption, victims receive instructions on how to communicate with the attackers.

Originally known as “ABCD” because of the extension it appended to encrypted files, LockBit is also known to abuse tools and protocols such as SMB and PowerShell. The group later switched to the current .lockbit extension. Despite its recent beginnings, the cybercrime gang has become one of the most notorious malware operations to date, demanding an average of $40,000 in ransom per organization.

Unlike a typical attack, where an intruder has to spend a long time inside a system, manually searching for the best way to get at the victim’s business, LockBit only requires a human operator for a couple of hours. After that, the program spreads through the system and infects other hosts on its own, which is why the malware continues to spread during the encryption stage. This allows the maximum amount of damage to be done far faster than other approaches, making it especially dangerous. Ransomware as a Service (RaaS) lets criminals rent the ransomware and its infrastructure from its developers, typically in return for a cut of the ransom.
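The two traits described above, mass encryption of thousands of files within seconds and the telltale .abcd / .lockbit extension, are exactly what a defender can key on. The following is an added example, not code from the article, the ACSC or any vendor: a small detection heuristic that flags a host when many files are renamed to a ransomware extension inside a short sliding window. The pipe-separated event format and the sample events are constructed for the demonstration and do not correspond to any real EDR or FortiOS log schema.

```python
"""Flag LockBit-style mass-encryption bursts in file-activity events.

Added example (not from the article or ACSC). Event format is constructed:
    ISO-timestamp|host|user|action|path
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions the article associates with LockBit: "ABCD" early on, ".lockbit" now.
RANSOMWARE_EXTENSIONS = {".abcd", ".lockbit"}


def parse_event(line):
    """Parse one constructed event line into a dict."""
    ts, host, user, action, path = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "path": path}


def suspicious_extension(path):
    """True when the file name ends in an extension LockBit is known to use."""
    return any(path.lower().endswith(ext) for ext in RANSOMWARE_EXTENSIONS)


def detect_bursts(lines, window=timedelta(seconds=10), threshold=20):
    """Return {host: peak_count} for hosts that created or renamed at least
    `threshold` files with a ransomware extension inside any `window`.

    A sliding window per host keeps the check O(events); a single rename
    is ignored, a burst of them within seconds is the signal.
    """
    recent = defaultdict(deque)  # host -> timestamps of suspicious events still in window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["action"] not in {"rename", "create"} or not suspicious_extension(ev["path"]):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["host"]] = max(alerts.get(ev["host"], 0), len(q))
    return alerts


def build_sample_events():
    """Constructed sample log: one host mass-renaming files, one with sparse activity."""
    base = datetime(2021, 8, 5, 9, 0, 0)
    lines = []
    # ws-17: 25 renames to .lockbit within about five seconds (a burst).
    for i in range(25):
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()}|ws-17|jdoe|rename|C:\\Users\\jdoe\\Documents\\report{i}.docx.lockbit")
    # ws-03: three renames spread over an hour (stays below the threshold).
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()}|ws-03|asmith|rename|D:\\share\\invoice{i}.pdf.abcd")
    # ws-03: ordinary document creation, which the heuristic ignores.
    lines.append(f"{base.isoformat()}|ws-03|asmith|create|D:\\share\\notes.docx")
    return lines


if __name__ == "__main__":
    for host, count in detect_bursts(build_sample_events()).items():
        print(f"ALERT host={host} suspicious_renames_in_window={count}")
```

The threshold and window are tuning knobs: a real deployment would feed file-system audit or EDR events and also isolate the flagged host automatically, since the article notes that LockBit keeps spreading to other hosts while encryption is under way.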

Safety measures you can take according to ACSC

To protect yourself or your organization from these attacks, first check whether your organization operates Fortinet[2] devices, since the CVE-2018-13379 vulnerability described above is being used for initial access. Fortinet offers high-performance network security solutions, centralized management, and end-to-end security infrastructure that protect data from evolving cyber threats.

You should always identify and patch vulnerabilities as soon as possible. Also, requiring multifactor authentication (MFA) for all user accounts will add an extra layer of security.

Passwords should not be reused, and it is suggested that they be changed after an appropriate timeframe. Encrypting sensitive data and segmenting networks so that sensitive data is separated from the general corporate environment further reduces your exposure. It is also a good idea to restrict access to web-based storage.

Restrict administrative privileges to operating systems and applications based on user duties. Keep operating systems and applications up to date. Perform daily backups and test recovery and integrity procedures. Keep backups offline and encrypted[3].
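Backups only help if you know they are intact before you need them. The following is an added example, not code from the article or the ACSC, of one way to implement the “test recovery and integrity procedures” advice: record a SHA-256 hash of every file in a backup set into a manifest, and later compare the set against that manifest to find files that are missing, altered, or unexpectedly present. The directory layout and file contents in `demo()` are constructed for the demonstration.

```python
"""Build and verify a SHA-256 manifest for a backup set.

Added example (not from the article or ACSC). Keep the manifest with the
offline backup copy, not on the live systems the backup protects.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under `root` (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare the files under `root` with `manifest`.

    Returns (missing, modified, unexpected) as sorted lists of relative paths.
    A file that was encrypted in place shows up as modified; one that was
    encrypted and renamed shows up as missing plus an unexpected new name.
    """
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return missing, modified, unexpected


def demo():
    """Constructed scenario: take a manifest, then simulate tampering with the backup."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (root / "readme.txt").write_text("quarterly backup\n")
        manifest = build_manifest(root)

        # Simulated damage: one file overwritten and renamed with the .lockbit
        # extension the article mentions, another silently modified in place.
        ledger = root / "finance" / "ledger.csv"
        ledger.write_bytes(b"\x00\x00not the ledger")
        ledger.rename(root / "finance" / "ledger.csv.lockbit")
        (root / "readme.txt").write_text("quarterly backup (edited)\n")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    missing, modified, unexpected = demo()
    print("missing:   ", missing)
    print("modified:  ", modified)
    print("unexpected:", unexpected)
```

Run the build step when the backup is taken and the verify step as part of every restore drill; an empty result from `verify_manifest` is the evidence that the offline copy is still usable.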

To prevent LockBit's ransomware attacks, it is important to have tools that detect unusual activity across the entire digital infrastructure in real time. Darktrace[4], world-leading AI for cybersecurity, uses unsupervised machine learning, which can respond in seconds to these sudden attacks and interrupt them in their earliest stages.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
