Published on: April 27, 2023

LockBit ransomware

Why in news? In a first, reports emerged that LockBit ransomware was found to be targeting Mac devices. The cybercriminals behind it have developed new ransomware encryptors designed for macOS, making LockBit the first major ransomware operation to specifically target Apple computers. The new encryptors target both older Intel-based Macs and newer ones running on Apple Silicon.

What is LockBit ransomware?

  • First reported in September 2019 and dubbed the “abcd” virus, after the file extension it appended to encrypted files, the LockBit ransomware is designed to infiltrate victims’ systems and encrypt important files.
  • The malware is categorised as “crypto” ransomware because it encrypts the files on the victim’s device, rather than merely locking the screen, and demands payment in cryptocurrency for the decryption key.
  • The ransomware is therefore typically deployed against victims who are hindered enough by the disruption to pay heavy sums in exchange for access to their files, and who can afford to do so.
  • In the past, LockBit ransomware has been used to target enterprises and organisations in the U.S., China, India, Ukraine, and Indonesia. Attacks have also been recorded throughout Europe, including in France, Germany, and the U.K.

Why is LockBit targeting macOS?

  • Historically, ransomware has targeted Windows, Linux, and VMware ESXi servers. However, LockBit is now working to create encryptors targeting Macs for the first time, a report from BleepingComputer said.
  • Analysis of the encryptors revealed that they were put together as a test rather than as ready-to-use ransomware. Experts believe that, after launching multiple attacks across Europe and Asia, the gang is developing tools to target macOS in order to widen the scope of its attacks and bring in more financial gain for the operation.

How does LockBit ransomware work?

  • It works as self-spreading malware: once it has infiltrated a single device with access to an organisation’s internal network, it can move to other machines without further instructions from the operators. It is also known to hide its encryptor by disguising the executable as a .png image file, in order to evade detection by system defences.
  • Attackers use phishing and other social engineering methods, impersonating trusted personnel or authorities, to lure victims into handing over credentials. In some cases the operators have also brute-forced passwords to gain access to an organisation’s servers and network.
  • Once inside, the ransomware prepares the environment to release its encryption payload across as many devices as possible. It disables security software and destroys anything that could allow the data to be recovered, such as backups and shadow copies. The goal is to ensure that recovery without assistance from the LockBit gang is impossible.
  • Having ensured this, the ransomware encrypts the files on the system, which can only be unlocked with a key held by the LockBit gang. The process leaves behind a ransom note with instructions for restoring the system, and has reportedly also included threatening blackmail messages.
  • Victims without offline backups are then left with little choice but to contact the LockBit gang and pay for the decryption key. Because the gang typically steals data before encrypting it, that data may still be leaked or sold on the dark web, whether or not the ransom is paid.
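The article notes that the encryptor has been disguised as a .png file. The check below is an added example, not code from the original article or from any vendor: it scans a directory for files whose extension claims they are PNG images but whose leading bytes are the signature of a Windows, Linux or macOS executable. The sample directory it builds is constructed test data, not files from a real incident; file names such as `update.png` are assumptions for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# Every real PNG file starts with this eight-byte signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Leading bytes of native executables on the platforms the article mentions.
# The Mach-O "fat" magic (CAFEBABE) is also the Java class-file magic, so a hit
# on it should be confirmed by other means before being treated as an executable.
EXEC_SIGNATURES = {
    b"MZ": "Windows PE",
    b"\x7fELF": "Linux ELF",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
}


def classify_header(header: bytes) -> str:
    """Name the file type implied by the first bytes of a file."""
    if header.startswith(PNG_MAGIC):
        return "PNG"
    for magic, name in EXEC_SIGNATURES.items():
        if header.startswith(magic):
            return name
    return "unknown"


def find_masquerading_executables(root: Path) -> list[tuple[Path, str]]:
    """Return (path, executable type) for every *.png under root whose
    content is actually a native executable. Only the extension is trusted
    for selection; the verdict comes from the bytes on disk."""
    hits = []
    for path in root.rglob("*.png"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            header = fh.read(8)
        kind = classify_header(header)
        if kind not in ("PNG", "unknown"):
            hits.append((path, kind))
    return hits


def build_sample_tree() -> Path:
    """Constructed sample data: one genuine PNG header, two executables
    renamed to .png, and one file that is neither."""
    root = Path(tempfile.mkdtemp(prefix="png_check_"))
    (root / "logo.png").write_bytes(PNG_MAGIC + b"\x00\x00\x00\x0dIHDR")
    (root / "sub").mkdir()
    # Assumed names for illustration only.
    (root / "sub" / "update.png").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "sub" / "icon.png").write_bytes(b"\xcf\xfa\xed\xfe\x07\x00\x00\x01")
    (root / "notes.png").write_bytes(b"hello")
    return root


def demo() -> list[tuple[str, str]]:
    """Scan the constructed tree and return sorted (file name, type) hits."""
    root = build_sample_tree()
    try:
        return sorted((p.name, kind) for p, kind in find_masquerading_executables(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name}: claims PNG, header says {kind}")
```

Running the script flags `update.png` as a Windows PE and `icon.png` as a 64-bit Mach-O while leaving the real image and the unknown file alone. On a case-sensitive filesystem the `*.png` glob will miss `.PNG`; widen the pattern or lower-case the suffix in a real deployment.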

Who is behind the ransomware?

  • The group behind it is known as the LockBit gang. It is considered one of the most prolific ransomware groups ever. It operates on the ransomware-as-a-service (RaaS) model, in which extortion is the business: the core group develops and maintains the malware and the infrastructure, while affiliates carry out the attacks.
  • In this model, affiliates are given access to the ransomware and its payment and leak infrastructure, conduct intrusions themselves, and split the ransom with the core group.

How do we protect systems against the LockBit ransomware?

  • While there is no fool-proof way of protecting against ransomware attacks, organisations and individuals can take certain steps to increase their resilience against such threats.
  • Strong, hard-to-guess passwords should be used together with multi-factor authentication, so that brute-forcing a password alone is not enough to compromise a system.
  • Organisations can also run training exercises to educate employees on how phishing attacks work and how to identify them.
  • Old and unused user accounts should be deactivated and closed, as they can become weak links in the security apparatus.
  • Additionally, organisations and individuals should understand the cybersecurity threats they face and the vulnerable points that cybercriminals may exploit.