How LockBit attackers are infiltrating and extorting banks

[Photo: Chaos Computer Club Annual Congress. Credit: Bloomberg News]

The criminal group behind the ransomware LockBit has continued a campaign in recent weeks to publish personal data stolen from companies, including some U.S. financial institutions, and the FBI last month released guidance on identifying the malware.

A review of the gang’s dark web blog shows that in the past two months it has published data stolen from at least 60 companies and government agencies, including personal data stolen from U.S. financial institutions. According to the cybersecurity company Trend Micro, attacks slowed in December.

As of March 4 the gang was threatening two loan servicers, a credit union, a bank, and an asset management firm with publishing data it said it stole from the U.S. institutions. In two cases, the gang had already published personal information taken from the companies, including customers’ Social Security numbers, scans of passports, personal addresses and more.

Spokespeople for two of the companies, who asked not to be identified discussing active criminal investigations, told American Banker they would notify affected customers at the conclusion of those investigations, which were not expected to wrap up until weeks after the data had been stolen.

The people also said that hackers did not successfully encrypt any of the target systems — only exfiltrated (stole) data. It was unclear whether the companies headed off the encryption or whether attackers opted not to encrypt the systems.

The group behind LockBit markets the tool to potential accomplices — sometimes insiders at victim companies — wishing to deploy it on particular targets. The group then takes a cut of the money paid out in ransom, and because cyber insurance contracts tend to cover the cost of payouts, victims do not always refuse payment or even haggle.

LockBit responds to Russian invasion of Ukraine

Reports have tied LockBit to Russia, and in a note published after Russia’s invasion of Ukraine, the gang said it had members “in China, the United States, Canada, Russia and Switzerland.” The group claims that it does not operate in post-Soviet countries — including Russia and Ukraine — presumably to avoid prosecution in those areas, according to the cybersecurity firm Kaspersky. However, the cybersecurity firm Cybereason said in December that newer elements of the LockBit ransomware drop locale restrictions, meaning the malware can now operate in the region.

The gang behind LockBit recently said it takes no stance on Russia’s invasion of Ukraine. The announcement came after a separate group, Conti, publicly sided with Russia and ended up having its internal communications leaked by a Ukrainian hacker.

The extortion of U.S. financial institutions began before Russia invaded Ukraine last week.

According to Trend Micro, the top targets of LockBit ransomware are in health care and education despite a claim last year by a member of the group that they would not attack such institutions. Technology and financial institutions were the next most common victims.

How the attacks work

According to the cybersecurity firm Emsisoft, LockBit attackers typically gain initial access to their targets’ systems through exposed remote desktop protocol (RDP) services with weak or stolen credentials, phishing campaigns, credential stuffing, or exploitation of known, unpatched security vulnerabilities.

Credential stuffing involves taking lists of usernames and passwords stolen in previous data breaches and replaying them against other systems, betting that people reused the same password. Phishing involves using deceptive emails to trick people into handing their credentials or personal information to an attacker.
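The two RDP-and-password techniques above leave a recognizable trail in Windows logon-failure events: credential stuffing shows up as one source address trying many different accounts a few times each, while password guessing against RDP shows up as one address hammering a single account over a RemoteInteractive logon. The detection below is an added example written for this article, not code from American Banker, Emsisoft or the FBI. The events are constructed to resemble Windows Security event 4625 records reduced to the fields the logic needs; the thresholds (five accounts or eight RDP failures in ten minutes) are illustrative assumptions to tune against your own baseline.

```python
"""Flag credential stuffing and RDP password guessing in Windows 4625 (failed logon) events.

Added example for illustration only. Event records below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(t, user, ip, logon_type):
    # Minimal 4625-style record. Logon type 10 is RemoteInteractive (RDP),
    # type 3 a network logon (e.g. SMB), type 2 an interactive console logon.
    return {"time": datetime.fromisoformat(t), "user": user,
            "src_ip": ip, "logon_type": logon_type}


# Constructed sample input (assumed, not captured from any real system).
SAMPLE_EVENTS = (
    # One address trying six different accounts once each: replaying a breach list.
    [_ev(f"2022-03-01T02:00:{i:02d}", u, "203.0.113.7", 3)
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # One address making ten RDP attempts against one account in under a minute.
    + [_ev(f"2022-03-01T02:05:{i * 5:02d}", "administrator", "198.51.100.23", 10)
       for i in range(10)]
    # A user mistyping a password twice from the office network: benign.
    + [_ev("2022-03-01T02:07:00", "alice", "192.0.2.5", 2),
       _ev("2022-03-01T02:07:30", "alice", "192.0.2.5", 2)]
)


def detect_logon_abuse(events, window=timedelta(minutes=10),
                       stuffing_accounts=5, bruteforce_attempts=8):
    """Return {"credential_stuffing": {ip: distinct_accounts},
               "rdp_brute_force": {(ip, user): failures}}.

    For every event, look back `window` at the same source IP:
      * >= stuffing_accounts distinct usernames  -> credential stuffing
      * >= bruteforce_attempts RDP (type 10) failures on one user -> RDP guessing
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        by_ip[e["src_ip"]].append(e)

    stuffing, brute = {}, {}
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            # Events from this IP inside the window that ends at event i.
            recent = [x for x in evs[:i + 1] if x["time"] >= e["time"] - window]

            accounts = {x["user"] for x in recent}
            if len(accounts) >= stuffing_accounts:
                stuffing[ip] = max(stuffing.get(ip, 0), len(accounts))

            rdp_same_user = [x for x in recent
                             if x["logon_type"] == 10 and x["user"] == e["user"]]
            if len(rdp_same_user) >= bruteforce_attempts:
                key = (ip, e["user"])
                brute[key] = max(brute.get(key, 0), len(rdp_same_user))

    return {"credential_stuffing": stuffing, "rdp_brute_force": brute}


if __name__ == "__main__":
    for kind, hits in detect_logon_abuse(SAMPLE_EVENTS).items():
        for key, n in hits.items():
            print(f"{kind}: {key} ({n})")
```

Run against the constructed sample it reports 203.0.113.7 for stuffing (six accounts) and 198.51.100.23 against "administrator" for RDP guessing (ten failures), and stays silent on the office user’s two typos. The same logic applies to VPN or web-portal authentication logs once the fields are mapped; the point is to key on the source address and the spread of accounts rather than on any single account’s lockout counter, which stuffing deliberately stays under.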

[Image: LockBit ransom wallpaper]
According to the FBI, LockBit displays this wallpaper on computers encrypted by the ransomware.

While Emsisoft offers tools for decrypting files after attacks by some strains of ransomware, the company said the strains LockBit affiliates are using “currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool.”

According to IBM, once the LockBit group holds sufficient privileges it can also abuse Microsoft Active Directory, the service that authenticates and authorizes users in Windows-based networks, to push the malware to machines across the network automatically rather than touching each one by hand. In the process the attackers reconfigure Windows Defender, Microsoft’s built-in antivirus, so that it will not detect the payload.
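Turning Defender off, or carving out exclusions, is noisy when you know where to look: Defender writes a configuration-change event (ID 5007) to its Operational log naming the registry value that changed, and dedicated events when real-time protection (5001) or scanning (5010, 5012) is disabled. A change that lands on many hosts within seconds is the signature of a centrally pushed change rather than one admin at a console. The detector below is an added example for this article, not code from IBM, the FBI or Microsoft. The event records are constructed to resemble Defender Operational log entries, and the list of registry values treated as suspicious, the sixty-second fleet window and the three-host threshold are assumptions to adapt to your environment.

```python
"""Flag Windows Defender tampering in Defender/Operational events and spot fleet-wide pushes.

Added example for illustration only. Events below are constructed, not real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Registry values under HKLM\SOFTWARE\Microsoft\Windows Defender whose change
# weakens detection. Assumed starter set: pattern on the 5007 message -> meaning.
SUSPICIOUS_CHANGES = {
    r"Real-Time Protection\\DisableRealtimeMonitoring = 0x1": "real-time protection disabled",
    r"Real-Time Protection\\DisableBehaviorMonitoring = 0x1": "behavior monitoring disabled",
    r"Exclusions\\(Paths|Extensions|Processes)\\": "exclusion added",
    r"SpyNet\\SpynetReporting = 0x0": "cloud-delivered protection disabled",
}
# Event IDs that on their own mean a protection component was switched off.
DISABLE_EVENT_IDS = {
    5001: "real-time protection disabled",
    5010: "antimalware scanning disabled",
    5012: "antivirus scanning disabled",
}


def _ev(t, host, event_id, message):
    return {"time": datetime.fromisoformat(t), "host": host,
            "event_id": event_id, "message": message}


# Constructed sample input (assumed hostnames and timestamps).
SAMPLE_EVENTS = [
    # The same change landing on three hosts within two seconds: pushed centrally.
    *[_ev(f"2022-02-20T03:14:0{i}", h, 5007,
          "Windows Defender Antivirus Configuration has changed. New value: "
          "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
          "Real-Time Protection\\DisableRealtimeMonitoring = 0x1")
      for i, h in enumerate(["FS01", "FS02", "WKS-117"])],
    _ev("2022-02-20T03:14:05", "FS01", 5001,
        "Windows Defender Antivirus Real-time Protection is disabled."),
    # An exclusion added on one build server the day before: worth a look, not a fleet event.
    _ev("2022-02-19T11:02:00", "BUILD01", 5007,
        "Windows Defender Antivirus Configuration has changed. New value: "
        "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\D:\\ci = 0x0"),
    # Routine signature update: benign noise that must not fire.
    _ev("2022-02-20T03:00:00", "FS02", 2000,
        "Windows Defender Antivirus security intelligence version has been updated."),
]


def classify(event):
    """Return a short description if the event weakens Defender, else None."""
    if event["event_id"] in DISABLE_EVENT_IDS:
        return DISABLE_EVENT_IDS[event["event_id"]]
    if event["event_id"] == 5007:
        for pattern, what in SUSPICIOUS_CHANGES.items():
            if re.search(pattern, event["message"]):
                return what
    return None


def detect_defender_tampering(events, fleet_window=timedelta(seconds=60), fleet_hosts=3):
    """Return (findings, fleet).

    findings: [(time, host, description)] for every tampering event, in time order.
    fleet:    [(description, frozenset(hosts))] where the same change reached
              >= fleet_hosts distinct hosts inside fleet_window, which points at a
              GPO or admin-tooling push rather than a single console session.
    """
    findings = []
    for e in sorted(events, key=lambda x: x["time"]):
        what = classify(e)
        if what:
            findings.append((e["time"], e["host"], what))

    by_desc = defaultdict(list)
    for t, host, what in findings:
        by_desc[what].append((t, host))

    fleet = []
    for what, hits in by_desc.items():
        for t, _ in hits:
            hosts = {h for t2, h in hits if t <= t2 <= t + fleet_window}
            if len(hosts) >= fleet_hosts:
                fleet.append((what, frozenset(hosts)))
                break  # one fleet finding per description is enough
    return findings, fleet


if __name__ == "__main__":
    findings, fleet = detect_defender_tampering(SAMPLE_EVENTS)
    for t, host, what in findings:
        print(f"{t:%Y-%m-%d %H:%M:%S} {host}: {what}")
    for what, hosts in fleet:
        print(f"FLEET-WIDE: {what} on {len(hosts)} hosts within a minute: {sorted(hosts)}")
```

On the constructed sample this yields five per-host findings (the build-server exclusion plus the four real-time-protection events) and one fleet-wide finding covering FS01, FS02 and WKS-117. In a real environment the fleet finding is the one to page on: a single admin disabling real-time protection on a test box is routine, but the same value flipping on every file server at 3 a.m. is what precedes an encryption run.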

While many of the exploits target Windows-specific software vulnerabilities, the FBI said in its announcement last month that the newest version of LockBit also includes a Linux-based variant that takes advantage of vulnerabilities in VMware ESXi virtual machine hosts.

Mitigating attacks

In its bulletin about LockBit, the FBI recommended a number of mitigation techniques.

First is requiring all accounts with password logins to have strong, unique passwords. Reusing passwords or storing them improperly can allow adversaries to expand their reach within a network.

Another FBI recommendation is that organizations require multifactor authentication for all services, particularly email, virtual private networks, and accounts that access critical systems. While multifactor authentication will not prevent all attacks, it can slow criminals down and tip would-be victims off to their activities.

The FBI said timely software patching is “one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.”

The bureau counseled companies to limit administrative access to Windows systems and take steps to prevent unauthorized changes to critical files.

Emsisoft recommends that organizations teach users the fundamentals of cybersecurity, such as password management, to facilitate the use of strong passwords and not reusing those passwords.

The security company also advises companies to keep ransomware-proof backups, so that any data encrypted in an attack already exists in duplicate in multiple protected locations, ideally offline or otherwise out of reach of an account the attackers could compromise. It suggests blocking macros in Microsoft Office and PDF documents from unknown sources, as many ransomware families deliver their payloads through macros.

Emsisoft also emphasizes penetration testing, which reveals vulnerabilities in IT infrastructure and measures how susceptible employees are to the lures that deliver ransomware, and incident response planning so that an organization knows what to do when an attack lands.
