The LockBit ransomware operation, which has become the dominant ransomware this year, leverages numerous techniques, according to The Hacker News.
As a ransomware-as-a-service group, LockBit has been working with affiliates for attack execution in exchange for a portion of ransom payments received. Double-extortion tactics are also being implemented by LockBit prior to asset encryption, a report from Cybereason revealed.
LockBit achieves initial infection through the exploitation of exposed remote desktop protocol ports and server vulnerabilities, as well as the deployment of phishing attacks resulting in malicious payload downloads. Credential theft and reconnaissance efforts then follow, allowing lateral network movement, persistence, privilege escalation, and ransomware deployment, before backups are deleted to avert detection.
"The affiliates that use LockBit's services conduct their attacks according to their preference and use different tools and techniques to achieve their goal. As the attack progresses further along the kill chain, the activities from different cases tend to converge to similar activities," said researchers Gal Romano and Loïc Castel.