Ransomware attacks have grown into the top cybersecurity threat for organizations in both the public and private sectors. As attackers gain experience they are getting better at it: the largest ransomware incidents have at times forced companies to pay ransoms as high as $40 million.
This is due in large part to the improved capability of the ransomware itself. As the gangs have collected bigger and bigger ransoms, they have reinvested the proceeds in improving their software and in researching ways to evade security controls.
Lockbit 2.0 is one of the newest and most dreaded varieties of ransomware, and it has hit a number of major companies since its release in July of 2021, including Bangkok Airways and the consulting firm Accenture. The effectiveness of Lockbit 2.0 shows that an arms race is under way between the gangs and defenders, and for the time being the gangs appear to be ahead.
So what makes Lockbit 2.0 so dangerous? To answer that, it helps to understand that the ransomware market works much like the market for legitimate software. Lockbit is a Ransomware-as-a-Service (RaaS) operation: the developers of the malware do not break into victim networks themselves. Instead, they recruit affiliates to do it and take a percentage of each ransom.
The goal of a RaaS gang is to attract as many affiliates as possible, and the most capable ones. Producing the best software attracts the most skilled intruders, who are the ones likely to reach bigger and more lucrative targets. Affiliates "shop around" for the best feature set, much like any buyer choosing which software to purchase.
Lockbit 2.0 claims to have the best features on the market, and so far those claims appear to hold up. By some counts, since its release Lockbit 2.0 has been used in six times as many attacks as Conti, another major ransomware gang, which indicates that it has gained considerable popularity among affiliates.
This competition in the ransomware market is pushing the gangs to continually produce better software, raising the bar and helping them stay ahead of defenders.
So how did Lockbit 2.0 attract so many affiliates? According to the gang's leak site, one of the major selling points is the speed at which it encrypts files. The gang claims a rate of 373 MB per second, more than double the next fastest entry on its own comparison table, BlackMatter ransomware, at 185 MB per second. These are self-reported figures, not independent measurements, but affiliates evidently find them persuasive.
The ransom an attacker can demand depends on how much of the victim's data they manage to encrypt, so the faster the ransomware runs, the more damage it does before anyone reacts. Speed matters because once encryption starts on a network it is only a matter of time before someone notices and isolates hosts or shuts the network down to contain the attack.
Lockbit 2.0 achieves this by encrypting only a small portion of each file, the first few kilobytes, which is enough to make the file unusable by the application that opens it. Partial encryption of this kind is not unique to Lockbit, and it has a consequence for defenders: most of each file's bytes are left untouched, so a detector that scores whole-file entropy or the fraction of a file that changed can miss the attack, whereas a check on the file header catches it, and forensic recovery of the unencrypted remainder is sometimes possible.
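The header check described above, as an added example that is not part of the original article and not Lockbit's code: it scores the leading bytes of a file and the remainder separately, so that header-only encryption is flagged even though the file as a whole still looks like ordinary data. The sample files are constructed in memory, and the 4096-byte header size, the 7.5-bit threshold and the small magic-number table are assumptions chosen for illustration.

```python
"""Header-entropy check for partially encrypted files (added example).

Shows why a detector that scores whole-file entropy misses header-only
encryption while scoring only the leading bytes catches it. Sample files are
constructed below; HEAD_BYTES, HIGH_ENTROPY and MAGIC_PREFIXES are assumptions.
Requires Python 3.9+ for random.Random.randbytes().
"""
import math
import random
from collections import Counter
from typing import Optional

HEAD_BYTES = 4096      # assumed size of the leading region the ransomware encrypts
HIGH_ENTROPY = 7.5     # bits per byte; ciphertext and random data sit near 8.0

# Magic numbers for a few common formats; a real scanner needs a fuller table.
MAGIC_PREFIXES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x89PNG\r\n\x1a\n": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes open `data`, or None if none match."""
    for prefix, name in MAGIC_PREFIXES.items():
        if data.startswith(prefix):
            return name
    return None


def classify(data: bytes, head_bytes: int = HEAD_BYTES) -> dict:
    """Score header and remainder separately and return a verdict.

    "clean"              header intact (magic present) or nothing ciphertext-like
    "partial-encryption" header is ciphertext-like, the rest of the file is not
    "full-encryption"    the whole file is ciphertext-like
    A file whose magic bytes survive is treated as clean first, because
    compressed formats (zip, png) are high-entropy by nature.
    """
    head_e = shannon_entropy(data[:head_bytes])
    rest_e = shannon_entropy(data[head_bytes:])
    whole_e = shannon_entropy(data)
    fmt = known_format(data)
    if fmt is not None:
        verdict = "clean"
    elif whole_e >= HIGH_ENTROPY:
        verdict = "full-encryption"
    elif head_e >= HIGH_ENTROPY and rest_e < HIGH_ENTROPY:
        verdict = "partial-encryption"
    else:
        verdict = "clean"
    return {"head_entropy": round(head_e, 2), "rest_entropy": round(rest_e, 2),
            "whole_entropy": round(whole_e, 2), "format": fmt, "verdict": verdict}


# Constructed samples (not real victim files); fixed seed keeps the run reproducible.
_rng = random.Random(2021)
# A ~280 KB "PDF": real magic bytes followed by repetitive, low-entropy content.
CLEAN_PDF = b"%PDF-1.7\n" + b"BT /F1 12 Tf (Quarterly report, constructed sample) Tj ET\n" * 5000
# Header-only encryption: the first HEAD_BYTES replaced by ciphertext-like bytes.
PARTIAL_PDF = _rng.randbytes(HEAD_BYTES) + CLEAN_PDF[HEAD_BYTES:]
# Conventional whole-file encryption for comparison.
FULL_PDF = _rng.randbytes(len(CLEAN_PDF))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PDF), ("partial", PARTIAL_PDF), ("full", FULL_PDF)):
        print(f"{name:8s} {classify(blob)}")
```

Running it shows the point in numbers: the partially encrypted sample has a whole-file entropy close to the clean file's (well under the threshold) while its header scores near 8 bits per byte, so a whole-file rule stays silent and the header rule fires. Formats that are compressed by design (archives, images, media) must be excluded by magic or extension before an entropy rule is applied, or they will be reported as encrypted.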
The other main selling point the gang advertises is the rate at which it can steal data. Most ransomware operators have shifted to double extortion in recent months: in addition to encrypting files, they exfiltrate sensitive data such as medical or legal records or trade secrets and threaten to publish it unless the ransom is paid, so a victim with good backups still has a reason to pay.
They claim their rate of data theft exceeds the competition by an even wider margin: 83 MB per second, against 4 MB per second for the competition, which they attribute to compressing data in real time as it is uploaded. These figures, too, are the gang's own and have not been independently verified.
In addition to raw performance, Lockbit 2.0 incorporates a deployment technique that changes Windows settings to avoid detection: once it holds domain administrator access it pushes Group Policy updates that disable Microsoft Defender and then deploy the payload to every machine in the domain. Taken together, these features mean that once attackers are inside a network they can do considerably more damage than with other ransomware families.
This can all seem intimidating. State-of-the-art ransomware that evades the latest security measures and outpaces well-resourced security teams might look like an insurmountable problem.
In reality, the vast majority of ransomware intrusions begin with well-understood weaknesses that basic controls address.
The most common initial access vector is phishing, where the attackers trick an employee into clicking a malicious link or opening an attachment in an email. Some of these lures are very persuasive; for example, attackers may compromise a co-worker's mailbox and send a convincing message from it asking an employee to open a link.
Awareness training that teaches staff to recognize and report phishing helps, and many companies now run it, but it should not be the only line of defense, since even careful users are occasionally fooled. Pair it with controls that make a successful click less damaging: multi-factor authentication, filtering of attachments and links at the mail gateway, and blocking Office macros in documents that arrive from the internet.
Remote Desktop Protocol (RDP) exposed to the internet is another favorite initial access vector. Surprisingly many RDP endpoints are protected only by weak or reused passwords, and attackers routinely get in with simple brute-force or credential-stuffing attacks. Keep RDP off the internet (reach it through a VPN or a gateway), require multi-factor authentication, enable account lockout, and alert on bursts of failed logons (Windows Security event 4625) from a single source address, especially when that source then logs on successfully (event 4624).
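The failed-logon alerting described above, as an added example that is not code from the original article: a sliding-window count of failed logons per source address, with a success from an already flagged source escalated as a likely compromise. The log lines are constructed for the example and use a simplified one-event-per-line format rather than the real Windows event export format; the 60-second window and the 5-failure threshold are assumptions to tune per environment.

```python
"""Brute-force detection over RDP logon events (added example).

Counts failed logons (event 4625) per source inside a sliding window and flags a
source that later succeeds (event 4624). SAMPLE_LOG is constructed and uses a
simplified line format, not the real Windows export; threshold and window are
assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Logon type 10 is RemoteInteractive (an RDP session). When Network Level
# Authentication is enabled, a failed RDP attempt is recorded as type 3 (Network).
RDP_LOGON_TYPES = {10, 3}

# Constructed sample: 203.0.113.45 hammers several accounts within half a minute
# and then succeeds as "backup"; 198.51.100.7 is a user who mistyped twice.
SAMPLE_LOG = """\
2021-08-12T03:14:05Z 4625 type=10 user=administrator src=203.0.113.45
2021-08-12T03:14:07Z 4625 type=10 user=admin src=203.0.113.45
2021-08-12T03:14:09Z 4625 type=10 user=Administrator src=203.0.113.45
2021-08-12T03:14:11Z 4624 type=10 user=jsmith src=192.0.2.10
2021-08-12T03:14:12Z 4625 type=10 user=backup src=203.0.113.45
2021-08-12T03:14:14Z 4625 type=10 user=scan src=203.0.113.45
2021-08-12T03:14:16Z 4625 type=3 user=backup src=203.0.113.45
2021-08-12T03:14:18Z 4625 type=3 user=backup src=203.0.113.45
2021-08-12T03:14:20Z 4625 type=3 user=backup src=203.0.113.45
2021-08-12T03:14:33Z 4624 type=10 user=backup src=203.0.113.45
2021-08-12T03:20:00Z 4625 type=10 user=jdoe src=198.51.100.7
2021-08-12T03:31:00Z 4625 type=10 user=jdoe src=198.51.100.7
2021-08-12T03:31:05Z 4624 type=10 user=jdoe src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) type=(\d+) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, user, src = m.groups()
        yield {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src": src,
        }


def detect_rdp_bruteforce(text, threshold=5, window_seconds=60):
    """Return {source_ip: alert} for sources with >= threshold failures in one window."""
    recent = defaultdict(deque)    # src -> failure timestamps inside the current window
    failures = defaultdict(int)    # src -> total failures seen
    users = defaultdict(set)       # src -> accounts tried
    alerts = {}
    for ev in parse_events(text):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src = ev["src"]
        if ev["event"] == 4625:
            failures[src] += 1
            users[src].add(ev["user"])
            window = recent[src]
            window.append(ev["ts"])
            while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and src not in alerts:
                alerts[src] = {"first_seen": window[0], "tripped_at": ev["ts"],
                               "succeeded_after": False, "success_user": None}
        elif ev["event"] == 4624 and src in alerts:
            # A success from a source already flagged for guessing is the case to escalate.
            alerts[src]["succeeded_after"] = True
            alerts[src]["success_user"] = ev["user"]
    for src, alert in alerts.items():
        alert["failures"] = failures[src]
        alert["users"] = sorted(users[src])
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        outcome = ("then SUCCEEDED as " + alert["success_user"]) if alert["succeeded_after"] else "no success yet"
        print(f"{src}: {alert['failures']} failed RDP logons ({', '.join(alert['users'])}), {outcome}")
```

On the sample the scanner flags 203.0.113.45 after its fifth failure nine seconds into the burst, and the later 4624 from the same address turns the alert into a probable compromise, while the two spread-out failures from 198.51.100.7 never reach the threshold. In a real deployment the same logic runs over 4625/4624 events pulled from the Security log (or from a SIEM), and the account lockout policy mentioned above cuts off the burst before the scanner has to.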
A good backup setup is also a powerful way to limit the damage of a ransomware attack. Backups that are kept offline (physically air-gapped) or otherwise immutable, updated frequently, and tested with real restores keep attackers from taking a network down for an extended period; backups that the compromised domain account can reach will simply be encrypted or deleted along with everything else.
Good backups cannot prevent data theft and extortion, however; that takes well-planned network architecture and access control. Segmenting the network so that one compromised workstation cannot reach every file share, granting accounts only the access they need, encrypting sensitive data at rest, and requiring additional steps such as one-time passwords or other multi-factor authentication to reach it make it much harder for intruders to find and exfiltrate valuable data, and monitoring outbound traffic for unusually large transfers gives a chance to catch exfiltration while it is in progress.
Last but not least, keep up to date with all patches and updates. That may mean replacing equipment that its vendor no longer supports, since unpatched internet-facing systems are another common way in.
These basic measures make life much harder for ransomware operators and dramatically reduce the likelihood of a successful attack, Lockbit 2.0 included.