After a short break brought on by increased law-enforcement scrutiny, the LockBit ransomware group is back with a new affiliate scheme, stronger payloads, and a shift in infrastructure.
IBM X-Force reports that LockBit's recruitment drive has been successful, having observed a sharp increase in victim postings on the gang's new data leak site.
LockBit is one of the many ransomware-as-a-service (RaaS) groups that hire affiliates to spread their malware. In recent years RaaS has become a profitable economic model for ransomware operators: it lets a gang extend its reach without growing its core workforce or taking on more cost.
LockBit's first affiliate recruitment advertisement surfaced in January 2020 on the well-known Russian-language forum XSS, which numerous RaaS gangs (Netwalker, DarkSide, REvil/Sodinokibi and others) had used to market their malware and recruit affiliates. In May 2021, however, XSS removed all ransomware discussion from the forum because of increased law-enforcement monitoring.
With that channel closed, LockBit's operators moved their advertising onto their own infrastructure, and by the end of June 2021 the LockBit leak site carried an announcement recruiting affiliates for the LockBit 2.0 program.
The post says the affiliate only needs to gain access to "the core server", most likely a domain controller; the LockBit payload handles the rest.
The affiliate also controls the ransom payment: the victim pays the affiliate directly, and the LockBit operators take a share once the ransom is paid.
Organizations should make securing their networks and data a top priority or risk becoming the next victim of a RaaS affiliate. Steps businesses can take include:
- Form an incident response team and rehearse incident response with it.
- Maintain offline (or otherwise immutable) backups, keep them current, and test that they actually restore.
- Plan for data theft as well as encryption: affiliates exfiltrate data before encrypting, often by uploading large volumes to legitimate cloud storage services, so monitor and restrict bulk uploads to such services.
- Use user and entity behavior analytics (UEBA) tooling to surface anomalous activity that may indicate a security incident.
- Use penetration testing to uncover weak spots in the network and to decide which vulnerabilities to patch first.
- Segment networks according to the sensitivity of the data they host, so that a compromised workstation cannot reach core servers directly.
- Consider a zero-trust architecture that restricts each user and device to the resources it actually needs.
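As an added illustration of the exfiltration-monitoring point above (this is not code from the original article or from IBM X-Force), the following Python script runs a simple bulk-upload detection over constructed proxy log lines. The log format, the host names, the list of watched file-sharing domains and the 1 GB / 30 minute threshold are all assumptions; a real deployment would read its proxy or firewall logs and tune the domain list and threshold to its own baseline.

```python
"""Flag hosts that push an unusual volume of data to consumer file-sharing
services within a short window. Added example, not from the original article;
log lines, domains and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch list of cloud storage / file-sharing domains; adjust per environment.
WATCHED_DOMAINS = {"mega.nz", "dropbox.com", "drive.google.com", "anonfiles.com"}

# Constructed proxy log: timestamp, source host, HTTP method, destination host, bytes sent.
SAMPLE_LOG = """\
2021-07-01T02:10:05Z ws-finance-07 PUT mega.nz 734003200
2021-07-01T02:12:40Z ws-finance-07 PUT mega.nz 812000000
2021-07-01T02:15:11Z ws-finance-07 PUT mega.nz 655360000
2021-07-01T09:03:22Z ws-hr-02 PUT dropbox.com 2400000
2021-07-01T09:40:19Z ws-hr-02 GET drive.google.com 14000
2021-07-01T11:22:00Z srv-backup-01 PUT backup.internal.example 9000000000
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, method, dst, bytes)."""
    ts, host, method, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, method, dst, int(nbytes)


def is_watched(dst):
    """True if dst is one of the watched domains or a subdomain of one."""
    return any(dst == d or dst.endswith("." + d) for d in WATCHED_DOMAINS)


def find_bulk_uploads(log_text, threshold_bytes=1_000_000_000, window=timedelta(minutes=30)):
    """Return {host: peak_bytes} for hosts whose uploads (PUT/POST) to watched
    domains total at least threshold_bytes inside any sliding window of `window`."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, method, dst, nbytes = parse_line(line)
        if method not in ("PUT", "POST") or not is_watched(dst):
            continue  # downloads and internal/unwatched destinations are ignored
        uploads[host].append((ts, nbytes))

    alerts = {}
    for host, events in uploads.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Drop events that have fallen out of the sliding window.
            while ts - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total >= threshold_bytes:
                alerts[host] = max(alerts.get(host, 0), total)
    return alerts


if __name__ == "__main__":
    for host, peak in find_bulk_uploads(SAMPLE_LOG).items():
        print(f"ALERT {host}: {peak / 1e9:.2f} GB uploaded to watched services within 30 min")
```

In the constructed sample only ws-finance-07 trips the rule (about 2.2 GB to mega.nz in five minutes); the small Dropbox upload and the large transfer to an internal backup host do not. Volume alone is a coarse signal, so such a rule is best combined with time-of-day and per-host baselines from the UEBA tooling mentioned above.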