The LockBit ransomware group has become the top ransomware group based on its volume of attacks in recent months. They are utilizing a new phishing email tactic by disguising the malware as copyright claim and creating a bug bounty program. Once the attack is successful, a threat actor can leverage their position to control an organizations network. Barracuda MSP recommends being proactive about mitigating risk in your environment as soon as possible to avoid potential impact.
What is the threat?
Threat actors are disguising the malware as a copyright violation email. Recipients are asked to download and open an attachment to see the infringement content. The attachment is a password-protected ZIP archive containing a compressed file that contains an executable file disguised as a PDF document. Once a victim opens the “PDF,” the malware will load and encrypt the device with the LockBit 2.0 Ransomware. This ransomware prevents recovery by deleting volume shadow copy and ensures the ransomware runs continuously. It will register a Run Key to the registry and drops LockBit_Ransomware.hta on the desktop to keep it running even after a desktop change or a reboot.
Why is it noteworthy?
This threat is perfect for today’s online marketing landscape. As marketing teams are creating new advertisements or video business email compromise (BECs) to grow their companies’ online presence, there are risks that they could have potentially infringed content. With more than 3.5 billion active social media users today and businesses relying on online marketing, there is now a one thousand-to-one-million-dollar incentive to ethical and unethical hackers to contribute any information to strengthen this threat, further elevating the risk. As news of this bounty becomes public, attackers will accelerate attacks on targets while the window remains open.
What is the exposure or risk?
Once the attack is successful, a threat actor will have complete and unrestricted access to the target network without being detected. If a threat actor has network access, they can easily terminate multiple services and conduct a ransomware event that can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses, and potential harm to an organization’s reputation.
What are the recommendations?
Barracuda MSP recommends the following actions to prevent this threat:
- Inform and educate users-at-risk of this new threat tactic
- Protect all common attack surfaces, especially email, to prevent potential exploit
- Review identity posture, monitor external access to networks, and update all vulnerable services
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.