LockBit Used Automated Tools to Sleuth Out Specific Tax and Point-of-Sale Software on Breached Networks to Determine Ransomware Targets, Sophos Research Reveals

Other New LockBit Techniques Include Renaming PowerShell Files to Evade Detection and Using Google Docs for Command and Control

Sophos, a global leader in next-generation cybersecurity, released its latest research into LockBit ransomware, “LockBit attackers used automated attack tools to identify tasty targets,” which shows how they used PowerShell tools to search for specific business applications on breached networks, including tax and point-of-sale software. If a fingerprint generated by this search met the keyword criteria, the tools would automatically execute a number of tasks, including launching the LockBit ransomware.

Researchers also uncovered a number of new attack methods that LockBit used to evade detection. These include renaming PowerShell files and using a remote Google document for command and control communications. Due to the highly automated nature of the attacks, the ransomware, once launched, spread across the network within five minutes, wiping its activity logs along the way.

Recommended AI News: Overbond Achieves Real-Time AI Bond Pricing Utilizing Latest AWS Serverless Cloud Infrastructure

“LockBit’s interest in specific business applications and keywords indicates the attackers were clearly looking to identify systems that are valuable to smaller companies—the systems that store financial information and handle daily business—in order to pressure victims to pay, and pay faster,” said Sean Gallagher, senior threat researcher, Sophos. “We’ve seen ransomware shut down business applications upon execution, but this is the first time we’ve seen attackers looking for certain types of applications in an automated approach to score potential targets.”

The operators also made extensive use of PowerShell throughout the attack, repurposing the code to suit their needs.

“The LockBit gang appears to be following other ransomware groups, including Ryuk—which Sophos recently found using Cobalt Strike—that are adapting tools developed for penetration testing to automate and accelerate their attacks,” said Gallagher. “In this case, the PowerShell scripts help the attackers identify systems that have applications with particularly valuable data, so that they don’t waste their time encrypting or ‘supporting’ victims who are less likely to pay. They’re using these tools in an automated fashion to cast as wide a net as possible, while limiting their actual hands-on-keyboard activity, to track down the most promising victims.”

Recommended AI News: First Databank Announces Partnership With RxCap for Medication Adherence Mobile App

The LockBit attackers tried to conceal their activities by making them look like normal automated administrative tasks. They did this by abusing native tools: creating disguised copies of Windows scripting components and then using Windows’ task scheduler to launch them. They also modified the built-in anti-malware protection, so it couldn’t function.

“The only way to defend against these types of ransomware attacks is to have defense-in-depth, with a consistent implementation of malware protection across all assets. If services are left exposed or misconfigured, attackers can easily leverage them,” said Gallagher.

Recommended AI News: MHS Health Wisconsin and Samsung Donate Smartphone Devices to Healthcare Providers