eSentire, a global provider of Managed Detection and Response (MDR) security services, has recently stopped three distinct ransomware attacks planned by members of the infamous LockBit ransomware gang.
The group has changed its method of operation, using Remote Monitoring and Management (RMM) tools to get into target networks and covertly carry out ransomware operations.
The affected organizations avoided substantial disruption and monetary losses thanks to eSentire’s quick intervention.
What is LockBit Ransomware?
Since its launch in late 2019, LockBit, a ransomware group that uses the ransomware-as-a-service (RaaS) business model, has amassed an estimated $91 million in ransom payments, mostly from victims in the United States.
This destructive group employs a variety of initial access techniques, such as browser-based attacks like SocGholish, exploiting Internet-facing services, and stealing legitimate credentials.
What sets LockBit apart is its skillful use of Living-off-the-Land methods: rather than relying on traditional malware, it uses legitimate RMM tools that are already present in target environments.
This strategy lets the attackers blend in, avoid detection, and obscure attribution, especially when the RMM tools are cloud-based.
According to eSentire’s Threat Response Unit (TRU), LockBit attempted to spread ransomware in three separate incidents:
Attacks on a Managed Service Provider (MSP)
LockBit affiliates targeted an MSP, gaining access to its downstream clients and attempting to spread ransomware.
To carry out these actions, the attackers used RMM tools like AnyDesk, Atera, and ConnectWise RMM.
Manufacturer of Home Décor
In this instance, LockBit affiliates disrupted a manufacturing business by deactivating Windows services, using tools like PsExec, and attempting to establish persistence using AnyDesk.
Storage Materials Manufacturer
To infect a storage materials manufacturer’s network with ransomware, LockBit used ConnectWise RMM. Even though the victim already had this RMM tool in place, the attackers introduced their own copy of it to reduce suspicion.
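The cases above suggest two checks a defender can run over process-creation telemetry: an RMM tool the organization never approved, and an approved RMM tool running from somewhere IT did not deploy it. The following is an added example, not code from eSentire or from the original article; the executable names, baseline directory, hosts and events are assumptions constructed for illustration.

```python
import ntpath  # parses Windows-style paths on any platform

# Assumed executable names for tools named in the article; confirm against your inventory.
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ConnectWise",
}

# Hypothetical baseline: approved tool -> directories where IT deploys it (lowercase).
APPROVED_DIRS = {
    "ConnectWise": {r"c:\program files\rmm\connectwise"},
}

def classify(event):
    """Return a finding string for suspicious RMM activity, or None."""
    image = event["image"].lower()
    tool = RMM_BINARIES.get(ntpath.basename(image))
    if tool is None:
        return None  # not an RMM binary we track
    dirs = APPROVED_DIRS.get(tool)
    if dirs is None:
        return f"unapproved RMM tool: {tool}"
    if ntpath.dirname(image) not in dirs:
        # Same product the organization uses, but a copy it did not deploy.
        return f"approved tool {tool} running from non-baseline path"
    return None

def triage(events):
    """Return (host, finding, image) for every event that needs review."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding:
            findings.append((event["host"], finding, event["image"]))
    return findings

# Constructed process-creation events (hosts and paths are made up).
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Program Files\RMM\ConnectWise\ScreenConnect.ClientService.exe"},
    {"host": "WS17", "image": r"C:\Users\Public\ScreenConnect.ClientService.exe"},
    {"host": "WS17", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"host": "WS22", "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for host, finding, image in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding} ({image})")
```

File names are easy to change, so a production rule should match on the signer or original file name recorded in the event rather than on the image name alone.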