The Australian Cyber Security Center (ACSC) has observed an increase in LockBit 2.0 ransomware attacks against Australian organizations and has warned of a further increase in attacks since July 2021.
According to ACSC, victims of LockBit attacks have reported that data stolen during the attacks was leaked online, a tactic ransomware gangs use to coerce victims into paying the ransom.
Attack Profile since July
LockBit 2.0 attacks are not restricted to corporate systems: according to ACSC, they have shown a significant increase in domestic cyber-crime in comparison to the other ransomware variants that were tracked. They have also hit corporate systems in sectors such as construction, manufacturing, professional services, food, and retail.
ACSC has also published a ransomware profile with information on the LockBit group. This information includes targeted sectors, mitigation measures, and access indicators.
LockBit is very opportunistic, and the threat actors target industries from a variety of sectors. An organization whose sector is not on the list of those LockBit has already targeted won’t necessarily be spared in the near future.
Mitigation measures include:
- Enabling multi-factor authentication (MFA) on all accounts to restrict the use of stolen credentials.
- Encrypting sensitive data to restrict the exfiltration of that data.
- Segmenting corporate networks and restricting admin privileges to limit lateral movement and prevent escalation attempts.
- Maintaining daily backups to reduce the chances of a successful attack.
- Patching the security bug CVE-2018-13379, which is widely exploited by LockBit to breach networks.
The LockBit ransomware gang started its operation in September 2019. Starting as ransomware-as-a-service (RaaS), they recruited threat actors to breach networks and encrypt devices. They have since been very active in promoting the RaaS, and they also provided support on Russian-language hacking forums.
LockBit 2.0 RaaS was announced in June 2021 on their data leak site since the topic of ransomware was banned on cyber-crime forums.
The alert shows that LockBit has started to operate at full throttle after slowing down during January 2021. The relaunch came with redesigned Tor sites and other advanced features. LockBit 2.0 also aims to recruit insiders who can provide them with Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) access.