LockBit 2.0 ransomware, also known as LockBit Red, is an advanced strain of malicious software that operates as Ransomware-as-a-Service (RaaS), encrypting files on targeted systems and demanding ransom payments from victims in exchange for decryption keys. Key details about LockBit 2.0 ransomware:
- First Appearance: LockBit 2.0 ransomware was first observed in June 2021. It is an evolution of the first version of LockBit ransomware, incorporating additional features and techniques to maximize its effectiveness. This release introduced StealBit, a built-in information-stealing tool.
- Infection Vector: Like its predecessor, LockBit 2.0 ransomware spreads through a range of infection vectors, including phishing emails, malicious attachments, exploit kits, and vulnerabilities in software or systems. Attackers may use social engineering to lure unsuspecting users into executing the malware payload.
- Encryption Mechanism: Upon infecting a system, LockBit 2.0 ransomware utilizes sophisticated encryption algorithms such as RSA or AES to encrypt files stored on local drives and network shares. This encryption process renders the files inaccessible to the victim without the decryption key, which is held by the attackers.
- Ransom Note and Payment: After encrypting the files, LockBit 2.0 ransomware typically presents victims with a ransom note containing instructions for payment. The ransom note specifies the ransom amount, often demanded in cryptocurrency like Bitcoin, and provides details on how to contact the attackers for further instructions on payment and decryption.
- Data Exfiltration Capability: LockBit 2.0 ransomware is known for its ability to exfiltrate sensitive data from compromised systems before encrypting files. This dual-threat approach allows attackers to extort ransom payments for decryption keys while also threatening to leak or sell stolen data if ransom demands are not met, increasing pressure on victims to comply.
- Persistence and Evasion Techniques: LockBit 2.0 ransomware employs various techniques to maintain persistence on infected systems and evade detection by security software. These techniques may include modifying system settings, disabling security tools, and employing anti-analysis methods to hinder detection and removal efforts.
- Mitigation and Recovery: To mitigate the risk of LockBit 2.0 ransomware attacks, organizations should implement robust cybersecurity measures such as regular data backups, endpoint protection solutions, user education on phishing awareness, and timely software patching. In the event of an infection, organizations should follow incident response protocols, isolate affected systems, and consider options for recovery, including data restoration from backups and collaboration with cybersecurity professionals.
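The Encryption Mechanism and Ransom Note items above describe two artifacts a responder can look for during triage: directories full of files whose contents have become high-entropy (encrypted) and a ransom note dropped alongside them. The script below is an added example of that defender-side check, not code from the original page or from any LockBit analysis; the ransom-note filename, the appended file extension, and the sample directory tree are constructed placeholders, and the entropy threshold is an assumption.

```python
import math
import os
from collections import Counter

# PLACEHOLDERS for this example only, not LockBit 2.0's real artifacts.
RANSOM_NOTE_NAME = "RESTORE-FILES-PLACEHOLDER.txt"
ENCRYPTED_SUFFIX = ".encrypted_placeholder"

# Constructed sample snapshot of a file share: {relative_path: bytes}.
# "finance" looks encrypted (random bytes + note); "hr" is untouched plaintext.
SAMPLE_TREE = {
    "finance/q1.xlsx" + ENCRYPTED_SUFFIX: os.urandom(4096),
    "finance/q2.xlsx" + ENCRYPTED_SUFFIX: os.urandom(4096),
    "finance/" + RANSOM_NOTE_NAME: b"Your files are encrypted. Contact us to recover them.",
    "hr/handbook.docx": b"Employee handbook, section 1.\n" * 100,
    "hr/notes.txt": b"meeting notes " * 200,
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext is typically < 6, encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_snapshot(files: dict, note_name=RANSOM_NOTE_NAME, entropy_threshold=7.5):
    """Per-directory indicators: ransom note present and count of high-entropy files."""
    report = {}
    for path, content in files.items():
        directory = os.path.dirname(path) or "."
        entry = report.setdefault(directory, {"note": False, "high_entropy": 0, "total": 0})
        if os.path.basename(path) == note_name:
            entry["note"] = True  # note itself is excluded from the entropy tally
            continue
        entry["total"] += 1
        if shannon_entropy(content) >= entropy_threshold:
            entry["high_entropy"] += 1
    return report


def suspicious_dirs(report: dict, min_ratio=0.5) -> list:
    """Directories with a ransom note AND at least min_ratio of files high-entropy."""
    return sorted(d for d, e in report.items()
                  if e["note"] and e["total"] and e["high_entropy"] / e["total"] >= min_ratio)


if __name__ == "__main__":
    print(suspicious_dirs(scan_snapshot(SAMPLE_TREE)))  # ['finance']
```

Entropy alone is a weak signal, since compressed formats (archives, images, media) also score near 8.0; requiring the ransom note in the same directory keeps the false-positive rate manageable, and matching real artifact names from the CISA or FBI advisories would tighten it further.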
See more details on the Cybersecurity and Infrastructure Security Agency (CISA) website and on the FBI Flash CU-000162-MW.