No user too small to target: A look at the new LockBit ransomware 


It is no secret that ransomware attacks are on the rise, and attackers are finding new ways to access our systems. While malicious emails remain a constant, we are seeing an increase in compromises of trusted software. This increase comes as extortion gangs become more organized and learn from each other. A great example of the evolution of malware is LockBit, which had already taken on some of the traits of Maze, and LockBit 2.0 now also shows similarities to Ryuk and Egregor.

With the improvements in ransomware, and improved malicious access to our computers, what is the worst that can happen if an attack gets through? The problem is too many people ask this question as a way to justify inaction, rather than as a justification for implementing the cybersecurity measures that they should.  

There is an answer to the question, of course. The worst that could happen is being unprepared for an attack, allowing it to run rampant on your computers – stealing data, encrypting files, and enabling future attacks that take advantage of the information uncovered in the initial attack.  

With that in mind, let’s take a look at just how bad a broken security posture can be. 

It won’t happen to me 

The default security on my computer should be enough to keep me safe, right? After all, I’m just an individual, not a large multinational corporation – I’m too insignificant to be targeted. 

Thinking like that allows attackers into our computers. The fact is that extortion schemes are constantly changing, and the criminal use of automation means attackers can target individuals and small businesses as easily as they can a global corporation. As a result, we have seen ransomware hit large corporations, individuals, and everything in between. When these attacks happen, we could lose everything on any computer connected to our home networks.  

With LockBit now rising to the top of the heap as a leading extortion gang, their ransomware is a great example of what happens when you are inevitably attacked. Let’s assume that the attack begins with a vulnerability in a trusted piece of software: a browser, a game, or maybe even Windows. 

Oh, it’s happening 

LockBit 2.0 is a very efficient piece of ransomware, and you may not even notice it running on your computer. It follows what has become a typical practice of being selective in the files that are encrypted. This approach helps to ensure that the computer continues operating as expected, while all of your important documents, pictures, and other files you may not want to lose are being encrypted. 

As you can see in these screenshots, common documents and other select files have .lockbit added to the end of the file name, while applications and less common file types have been left untouched. This tactic buys time for the ransomware to complete its job while you are browsing the internet, watching movies, or whatever else you may use your computer for. Once you try to open a picture or document, you’ll find that it no longer opens.  

If you are like most people, you might not even see these file extension changes, since this requires a change from the default settings. What you will notice is that the icons change to the blank page icon. By now, it’s too late. You can try changing the file extension back to the default for the file, but the file has been encrypted, and can no longer be opened by the computer. 

Once the files have been encrypted, a ransom note is dropped in any directory with encrypted files. In the case of LockBit, this file is named Restore-My-Files.txt. Once all relevant files are done being encrypted, LockBit 2.0 changes your desktop background to alert you to read this file, then shuts itself down. 
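The two indicators described above, the .lockbit suffix and a Restore-My-Files.txt note in each affected directory, are easy to check for during triage. The following Python script is an added example, not part of the original article; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".lockbit"          # extension named in the article
RANSOM_NOTE = "Restore-My-Files.txt"   # ransom note name given in the article


def scan_tree(root):
    """Return {directory: summary} for each directory under root that holds
    the ransom note or at least one file ending in .lockbit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        lower = [f.lower() for f in files]   # Windows names are case-insensitive
        hit = [f for f in lower if f.endswith(ENCRYPTED_SUFFIX)]
        note = RANSOM_NOTE.lower() in lower
        if not hit and not note:
            continue
        # "report.docx.lockbit" -> ".docx": shows which file types were selected
        kinds = Counter(Path(f[:-len(ENCRYPTED_SUFFIX)]).suffix or "(none)"
                        for f in hit)
        findings[dirpath] = {
            "encrypted": len(hit),
            "untouched": len(files) - len(hit) - (1 if note else 0),
            "note": note,
            "original_types": dict(kinds),
        }
    return findings


def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming
    pattern the article describes. Nothing here is real malware output."""
    layout = {
        "Documents": ["budget.xlsx.lockbit", "letter.docx.lockbit", RANSOM_NOTE],
        "Pictures": ["beach.jpg.lockbit", "viewer.exe", RANSOM_NOTE],
        "Apps": ["tool.exe", "tool.dll"],   # untouched, so not reported
    }
    for folder, names in layout.items():
        d = Path(root) / folder
        d.mkdir(parents=True)
        for name in names:
            (d / name).touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, info in sorted(scan_tree(tmp).items()):
            print(directory, info)
```

The "untouched" count reflects the selective encryption the article describes: directories where documents are renamed while applications sit unchanged beside them.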

I can stop this! 

Maybe you happen to notice your files being encrypted early in the process. No problem, just restart the computer to stop the ransomware from running, right? It’s a nice thought, but by the time files are being encrypted, LockBit has already changed the settings so that it starts automatically when the computer restarts. The encryption process will begin immediately on startup, and will continue until everything relevant has been encrypted.

This type of persistence is common in ransomware, because the attackers want to ensure that they steal and encrypt as much of your data as they can. 

What’s the point then? 

If ransomware is used on any target that the attackers can find, and it’s nearly impossible to stop once it’s found its way in, what is the point of worrying about it? Again, the answer is simple: you can take steps to stop it before it starts.

Now is the time to look into options for securing your computers, rather than waiting until after all of your data is lost. Make sure that you have a multi-layered solution like Acronis that protects against ransomware and other types of malware, and that also provides a protected backup so you can restore files if something does happen to get past the other measures you have in place.

With attackers constantly looking for new ways to get in and infect your computer, it is more important than ever to plan for any potential attacks, and implement a solution that will minimize any damage or inconvenience this may cause. 

[In the next part of this three-part series, we’ll look at how to counter the LockBit infection.] 

Topher Tebow is a cybersecurity researcher, focusing on community collaboration and threat analysis. Topher has been working with malware and other cyberthreats for more than a decade, beginning with web-based malware before moving into endpoint protection. Topher has written technical content for several companies, covering topics from security trends and best practices, to the analysis of malware and vulnerabilities. In addition to being published in industry publications like Cyber Defense Magazine and Security Boulevard, Topher has contributed to articles by several leading publications, and spoken at international cybersecurity events.
