LockBit ransomware hitting network servers | Cybersecurity Dive

2022-08-27 00:50:36 By : Mr. Henry Du

The latest tactic used to deploy the prolific malware lets threat actors end processes, stop services and spread across a network more quickly.

The implications of threat actors gaining access to network servers and spreading ransomware from them are worrisome: once the malware gains admin control of the domain, it can create a group policy that stops services, ends processes and replicates the payload more quickly and at greater scale.

Attackers can gain access to on-premises network servers via remote desktop applications or by exploiting a known vulnerability, according to Symantec’s threat hunting group.

Ransomware gangs often mimic other successful tactics, and if this technique is more widely deployed it could present yet another serious challenge for organizations in the fight against cyberthreats.

“Once the double extortion technique was shown to be effective for some ransomware actors it began being deployed by almost all of them,” Brigid O Gorman, senior intelligence analyst on Symantec’s threat hunter team, said via email.

LockBit, a ransomware-as-a-service operation that first appeared in September 2019 and is now on version 3.0, behaves differently when executed on servers acting as domain controllers, according to Symantec.

It enters an infinite loop if the malware process is being debugged, checks the system language and avoids target organizations in Russia and some nearby countries, then ends processes and disables services related to security tooling and malware analysis. The malware can also escalate privileges and bypass User Account Control.

“Privilege is the goal. With more awareness in privileged accounts, privileged systems may not be getting the same scrutiny,” John Bambenek, principal threat hunter at Netenrich, said via email. “The takeaway is that anything IT relies on to manage an environment can be relied on by attackers to take it down.”

Symantec pointed to multiple indicators of compromise in its report to help organizations detect and block LockBit ransomware on network servers. The threat hunting team observed the activity on on-premises servers, but added that the same technique works against cloud-hosted servers joined to the same domain.
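As an added illustration, not code from the article or from Symantec's report, the following Python correlation shows one way a defender could hunt for the pattern the article describes: a group policy object is created or modified on a domain controller, and within a short window many hosts stop security or backup services and kill processes. The Windows event IDs are real (Security log 5137 and 5136 for a directory object created or modified, System log 7036 for a service state change, Security log 4688 for process creation), but the flattened field names, the sample records, the host and service names, the watched-service list and the thresholds are all constructed assumptions for this example.

```python
"""Correlate Windows event records to flag GPO-driven mass service stopping.

Added example; the records below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings of service display names whose mass shutdown typically precedes
# encryption (security tooling, backups, databases). Assumed list; tune per site.
WATCHED_SERVICE_HINTS = ("defender", "antivirus", "backup", "veeam", "sql", "exchange", "vss")

# Command lines that stop services or kill processes (4688 needs command-line auditing).
KILL_CMD = re.compile(r"\b(taskkill|net\s+stop|sc\s+(?:stop|config|delete))\b", re.IGNORECASE)

# Constructed sample events: simplified field names, not raw EVTX/XML.
SAMPLE_EVENTS = [
    {"time": "2022-08-20T02:10:05", "host": "DC01", "id": 5137,
     "object_class": "groupPolicyContainer",
     "object": "CN={6E5D3F22-9C1A-4B0F-8A7D-2F3E1C9B0A11},CN=Policies,CN=System,DC=corp,DC=example",
     "user": "CORP\\svc_backup"},
    {"time": "2022-08-20T02:11:40", "host": "WS-17", "id": 4688,
     "process": "gpupdate.exe", "cmdline": "gpupdate /force"},
    {"time": "2022-08-20T02:11:42", "host": "WS-17", "id": 7036,
     "service": "Windows Defender Antivirus Service", "state": "stopped"},
    {"time": "2022-08-20T02:11:43", "host": "WS-17", "id": 7036,
     "service": "SQL Server (MSSQLSERVER)", "state": "stopped"},
    {"time": "2022-08-20T02:11:45", "host": "WS-17", "id": 4688,
     "process": "taskkill.exe", "cmdline": "taskkill /IM sqlservr.exe /F"},
    {"time": "2022-08-20T02:11:50", "host": "FS02", "id": 7036,
     "service": "Windows Defender Antivirus Service", "state": "stopped"},
    {"time": "2022-08-20T02:11:51", "host": "FS02", "id": 7036,
     "service": "Veeam Backup Service", "state": "stopped"},
    {"time": "2022-08-20T02:11:52", "host": "FS02", "id": 4688,
     "process": "taskkill.exe", "cmdline": "taskkill /IM veeam.backup.service.exe /F"},
    # Benign noise hours earlier: a single unrelated service stop on one host.
    {"time": "2022-08-19T18:00:00", "host": "WS-03", "id": 7036,
     "service": "Print Spooler", "state": "stopped"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def is_gpo_change(ev):
    """5136/5137 on a groupPolicyContainer object = GPO created or modified."""
    return ev["id"] in (5136, 5137) and ev.get("object_class") == "groupPolicyContainer"


def is_watched_stop(ev):
    """7036 'stopped' for a service whose name matches a watched hint."""
    if ev["id"] != 7036 or ev.get("state") != "stopped":
        return False
    name = ev.get("service", "").lower()
    return any(hint in name for hint in WATCHED_SERVICE_HINTS)


def is_kill_command(ev):
    """4688 whose command line stops a service or kills a process."""
    return ev["id"] == 4688 and bool(KILL_CMD.search(ev.get("cmdline", "")))


def correlate(events, window=timedelta(minutes=30), min_hosts=2):
    """Return one finding per GPO change that is followed, within `window`,
    by watched service stops or kill commands on at least `min_hosts` hosts."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    findings = []
    for gpo in filter(is_gpo_change, events):
        t0 = parse_time(gpo["time"])
        per_host = defaultdict(lambda: {"stops": [], "kills": []})
        for ev in events:
            t = parse_time(ev["time"])
            if not (t0 <= t <= t0 + window):
                continue
            if is_watched_stop(ev):
                per_host[ev["host"]]["stops"].append(ev["service"])
            elif is_kill_command(ev):
                per_host[ev["host"]]["kills"].append(ev["cmdline"])
        hosts = sorted(h for h, d in per_host.items() if d["stops"] or d["kills"])
        if len(hosts) >= min_hosts:
            findings.append({
                "gpo_object": gpo["object"],
                "changed_by": gpo["user"],
                "dc": gpo["host"],
                "hosts": hosts,
                "detail": {h: per_host[h] for h in hosts},
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(f"GPO {finding['gpo_object']} changed by {finding['changed_by']} on {finding['dc']}")
        print(f"  followed by service stops/kills on: {', '.join(finding['hosts'])}")
```

Two prerequisites apply if this is fed from a real SIEM rather than the constructed records: 5136/5137 only appear when "Audit Directory Service Changes" is enabled on the domain controllers, and 4688 carries a command line only when "Include command line in process creation events" is turned on. The host threshold is what separates a routine GPO edit from mass deployment; a single admin restarting one service should not trip it.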

Ransomware groups can scan and exploit broadly across the internet to gain a foothold on servers without any specific targeting, Blumira CTO Matthew Warner said via email. Once that foothold is obtained, attackers can reach highly sensitive portions of the victim's network and quickly move across the environment to steal data and spread ransomware.
