SMBs in focus: Sophos presents its latest study on LockBit ransomware. Two techniques stand out: first, the use of automated tools to find specific tax and accounting software on compromised networks and deploy ransomware on those systems; second, renaming PowerShell files to disguise them.
“LockBit attackers use automated attack tools to identify promising targets,” summarizes Sean Gallagher, senior threat researcher at Sophos. The analysis shows how the criminals use PowerShell tools to search compromised networks for specific business applications, including tax and accounting software. If the fingerprint produced by this search matches the keyword criteria, the tools automatically carry out a series of tasks, including launching the LockBit attack.
Identified new attack methods
The researchers also identified several new evasion techniques that LockBit uses to avoid detection, including renaming PowerShell files and using a remote Google Document for command-and-control communication. Because the attacks are highly automated, once launched the ransomware can spread across the network within five minutes while clearing its activity logs at the same time.
LockBit attackers are specifically looking for smaller companies as victims
“LockBit's interest in specific business applications and keywords indicates that the attackers clearly wanted to identify systems that are valuable to smaller businesses - systems that store financial data and handle day-to-day operations - in order to massively pressure victims to pay,” said Gallagher. “We've seen ransomware freeze business applications as they run, but this is the first time attackers have looked for specific types of applications with an automated approach to identify potential targets.”
LockBit ransomware group follows ransomware factions like Ryuk
“The LockBit gang appears to be following other cyber gangster groups, including Ryuk. Sophos recently found out that this group uses Cobalt Strike. These are adapted tools developed for penetration testing, used to automate and accelerate attacks. In this case, the PowerShell scripts help the attackers to identify systems that host applications with particularly valuable data. This way they don't waste their time on victims who are less likely to pay.”
Abuse of legitimate tools and modification of anti-malware protection
The LockBit attackers try to hide their activity by making it look like routine automated administration and by using legitimate tools: for example, they create disguised copies of Windows scripting components and launch them with the Windows Task Scheduler. They also modify the built-in anti-malware protection so that it no longer works.
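The behaviours described in this section and in the evasion section above (renamed copies of PowerShell and other scripting hosts, launches through the Task Scheduler, disabled anti-malware protection, cleared activity logs) each leave a recognisable trace in endpoint telemetry. The following triage script is an added example and not Sophos's code or anything from the study; it runs over a handful of constructed events in a simplified Sysmon-style shape (the field names Image, OriginalFileName, ParentImage, ParentCommandLine, TargetObject and Details are Sysmon's, the Channel/EventID pair stands in for classic Windows logs) and flags the four patterns. The registry value names and the svchost "-s Schedule" parent are real Windows conventions; the file paths, process names and severity scheme are assumptions made for the example.

```python
"""Triage Windows/Sysmon-style events for the LockBit tradecraft described in
the article: disguised script hosts, Task Scheduler launches, Defender policy
tampering and event-log clearing. Added example, not Sophos's code; all
events below are constructed for illustration."""

from ntpath import basename

# A renamed binary keeps the OriginalFileName compiled into its version
# resource, and Sysmon records that field on process creation. A mismatch
# between the on-disk name and OriginalFileName is a cheap, reliable signal.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Defender policy values that switch protection off when set to 1.
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
TAMPER_VALUES = {
    "disableantispyware",
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
}

# (Channel, EventID) pairs Windows writes when a log is cleared.
LOG_CLEAR = {("Security", 1102), ("System", 104)}


def renamed_script_host(ev):
    """Process created from a script host whose file name no longer matches
    the name compiled into its version resource."""
    if ev.get("Channel") != "Sysmon" or ev.get("EventID") != 1:
        return False
    original = ev.get("OriginalFileName", "").lower()
    on_disk = basename(ev.get("Image", "")).lower()
    return original in SCRIPT_HOSTS and on_disk != original


def launched_by_task_scheduler(ev):
    """Parent is the Schedule service host (svchost.exe -s Schedule) or, on
    older Windows versions, taskeng.exe."""
    parent = basename(ev.get("ParentImage", "")).lower()
    parent_cmd = ev.get("ParentCommandLine", "").lower()
    return parent == "taskeng.exe" or (parent == "svchost.exe" and "-s schedule" in parent_cmd)


def defender_tampering(ev):
    """Registry write (Sysmon event 13) that sets a Defender kill-switch
    policy value to 1; Sysmon puts the written value in Details."""
    if ev.get("Channel") != "Sysmon" or ev.get("EventID") != 13:
        return False
    target = ev.get("TargetObject", "").lower()
    if not target.startswith(DEFENDER_POLICY):
        return False
    value_name = target.rsplit("\\", 1)[-1]
    return value_name in TAMPER_VALUES and ev.get("Details", "").endswith("0x00000001)")


def log_cleared(ev):
    return (ev.get("Channel"), ev.get("EventID")) in LOG_CLEAR


def triage(events):
    """One (severity, rule, event index) alert per match, highest severity first."""
    alerts = []
    for i, ev in enumerate(events):
        if renamed_script_host(ev):
            if launched_by_task_scheduler(ev):
                alerts.append(("high", "renamed script host started by Task Scheduler", i))
            else:
                alerts.append(("medium", "renamed script host", i))
        if defender_tampering(ev):
            alerts.append(("high", "Defender protection disabled via policy key", i))
        if log_cleared(ev):
            alerts.append(("medium", "event log cleared", i))
    rank = {"high": 0, "medium": 1}
    return sorted(alerts, key=lambda a: (rank[a[0]], a[2]))


# Constructed sample telemetry (paths and names are invented for the example).
SAMPLE_EVENTS = [
    # 0: ordinary interactive PowerShell, must not alert
    {"Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    # 1: disguised copy of powershell.exe started by the Schedule service
    {"Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\ProgramData\sysupd\svcmon.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    # 2: renamed wscript.exe run by hand from cmd.exe
    {"Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\Users\Public\wsc.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    # 3: real-time monitoring switched off through the Defender policy key
    {"Channel": "Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    # 4: unrelated registry write, must not alert
    {"Channel": "Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    # 5: Security log cleared
    {"Channel": "Security", "EventID": 1102},
]

if __name__ == "__main__":
    for severity, rule, idx in triage(SAMPLE_EVENTS):
        print(f"[{severity}] event {idx}: {rule}")
```

On a real estate the same checks map onto Sysmon events 1 and 13 plus Security 1102 / System 104; the OriginalFileName comparison is the part worth keeping, because it catches the disguised copy regardless of the name the attacker chose, while a path or hash allow-list would have to be maintained per environment.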
“The only way to defend against these types of ransomware attacks is through a multi-layered defense with a consistent implementation of anti-malware protection across all systems. If services are left unprotected or misconfigured, attackers can easily exploit them,” Gallagher concludes.
More on this at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.