The LockBit 3.0 ransomware builder, leaked in 2022, became the basis for many modifications that have already appeared on the market. As Kaspersky Lab researchers found out (https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/), some of the attacks using modifications were used in attacks on targets in Russia and other countries CIS, and by different groups.
“So, during one of the incidents, a LockBit sample was used with previously unseen impersonation and network distribution functions. Since the attackers took possession of the system administrator’s credentials, they were able to gain access to the most critical areas of the corporate infrastructure,” Kaspersky Lab analysts gave an example.
They added that the effectiveness of attacks is increased by additional configuration of the network propagation and protection bypass functions in the builder. Thanks to this, the malware begins to independently spread itself across the network using stolen credentials. Some variations could also disable the firewall, encrypt network shares, and clear Windows event logs.
“Most often, attackers use predominantly the standard or slightly modified configuration of the leaked builder, but we do not rule out that there may be other incidents in the future when the malware will be able to perform operations as an administrator and spread throughout the network. In Russia, the LockBit ransomware is often used in attacks whose goal is to completely destroy data rather than obtain a ransom. This threat can have devastating consequences for companies,” stated Konstantin Sapronov, head of the global computer incident response team at Kaspersky Lab.
“So, during one of the incidents, a LockBit sample was used with previously unseen impersonation and network distribution functions. Since the attackers took possession of the system administrator’s credentials, they were able to gain access to the most critical areas of the corporate infrastructure,” Kaspersky Lab analysts gave an example.
They added that the effectiveness of attacks is increased by additional configuration of the network propagation and protection bypass functions in the builder. Thanks to this, the malware begins to independently spread itself across the network using stolen credentials. Some variations could also disable the firewall, encrypt network shares, and clear Windows event logs.
“Most often, attackers use predominantly the standard or slightly modified configuration of the leaked builder, but we do not rule out that there may be other incidents in the future when the malware will be able to perform operations as an administrator and spread throughout the network. In Russia, the LockBit ransomware is often used in attacks whose goal is to completely destroy data rather than obtain a ransom. This threat can have devastating consequences for companies,” stated Konstantin Sapronov, head of the global computer incident response team at Kaspersky Lab.
