WithSecure Comment: NCSC and int’l partners issue Lockbit advisory
June 2023 by WithSecure™
The NCSC and international partners have issued an advisory with mitigations that network defenders can take against the most widely deployed ransomware strain globally, LockBit.
Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure, offers the following unique insight:
“Firstly, if you look at the statistics being given, they are either specifically for public bodies, which are almost certainly required by law to notify the cyber security agencies, or they reference leak site data, i.e., the information that LockBit itself has published about its campaigns and successes. This really highlights the big transparency issue in the reporting of cyber attacks. That lack of reliable information affects the ability of organisations to plan effectively. We know that ransomware groups try to build a brand and mythos around themselves to attract affiliates to work for them, and to make victims more likely to pay up. If it were not for their attempts to do this, to make their ‘work’ easy to identify, it would be extremely difficult to differentiate the activities of different RaaS groups.
Secondly, LockBit has branded and marketed the different versions of their encryptor software to make clear that new versions are better. Analysis of these versions has shown that several times LockBit has improved their own malware by incorporating code taken from other Ransomware-as-a-Service (RaaS) groups, namely BlackMatter and Conti. This may be a result of leaks from the other groups (such as the famed Conti Leaks), or it may be a result of personnel moving from one RaaS group to another, as both BlackMatter and Conti shut down abruptly. This really highlights that cyber threat actors are extremely pragmatic and will evolve, adopting methods and tactics that are proven to work. It also shows that just because a threat group is shut down or dissolved, it does not mean that the overall threat diminishes; instead, the operators of that group will most likely leave and join new groups, simply cross-pollinating ideas and expertise across the industry. LockBit has really been very successful in continuing to adapt and evolve, which has left them at the top of the market like this.
Finally, the report contains a list of CVEs exploited by LockBit, which are really a ‘who’s who’ of public-facing CVEs for the last 5 years. Mass exploitation has proven extremely effective, and so LockBit, along with other ransomware groups such as Cl0p, and the Initial Access Brokers that they buy from such as SILKLOADER, have been instrumental in industrialising exploitation and creating the waves of mass exploitation affecting the industry today, such as GoAnywhere, PaperCut and MOVEit.”