April 16, 2024 at 09:47AM
The LockBit ransomware group launched a sophisticated attack in West Africa using a leaked variant of LockBit 3.0. Kaspersky discovered this new variant and flagged its ability to generate custom, self-propagating ransomware. The attack involved using leaked privileged credentials and affected multiple systems. Organizations are advised to take preventive measures such as proper configuration of security tools and implementing multifactor authentication.
Key Takeaways from the meeting notes:
1. LockBit Ransomware Attack:
– The latest attack in West Africa used stolen credentials and a new variant of the LockBit 3.0 builder, posing a significant threat.
– The attackers impersonated an administrator to infect multiple hosts with malware and performed various malicious actions, including disabling Windows Defender, encrypting network shares, and deleting Windows Event Logs.
– The attackers can direct attacks on select systems and infect specific .docx or .xlsx files, demonstrating the ransomware’s customization capabilities.
2. LockBit 3.0 Appeal and Impact:
– Since its leak in 2022, LockBit 3.0 has been actively used by attackers, making their attacks more effective and dangerous, especially with valid privileged credentials.
– The LockBit group was responsible for at least 25% of ransomware attacks in 2023 and has hit thousands of victims since 2020, indicating its widespread impact.
3. Protection Measures Against LockBit Attacks:
– Organizations are advised to implement various security measures, including properly configured antimalware and endpoint detection software, managed detection and response solutions, vulnerability assessments, penetration tests, backups of critical data, network segmentation, multifactor authentication, application whitelisting, and a well-defined incident response plan.
The meeting notes emphasize the urgent need for organizations to enhance their security measures to defend against LockBit attacks, given the sophistication and customization capabilities of the ransomware.
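The attacker actions listed in item 1 (disabling Windows Defender, encrypting network shares, clearing Windows Event Logs) each leave a trace in Windows event channels before the logs themselves are wiped, which is what a forwarded-log detection should key on. The following Python is an added example, not part of the original summary or of any Kaspersky or LockBit material: it scans constructed SIEM-style event records for the documented Windows event IDs 1102 (Security: audit log cleared), 104 (System: event log file cleared), 5001/5010 (Defender real-time protection or scanning disabled) and 5145 (network share object access), and scores each host/account pair by how many distinct hostile actions it performed. Host names, user names, share paths, timestamps and the `threshold` value are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample records, shaped like a SIEM export of forwarded Windows events.
# The event IDs are the documented Windows ones; everything else is made up here.
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
SAMPLE_EVENTS = [
    {"host": "FS01", "channel": "Security", "event_id": 4624, "user": "admin", "ts": "2024-04-15T23:01:10"},
    {"host": "FS01", "channel": DEFENDER, "event_id": 5001, "user": "admin", "ts": "2024-04-15T23:02:45"},
    {"host": "FS01", "channel": "Security", "event_id": 5145, "user": "admin", "ts": "2024-04-15T23:03:00",
     "share": r"\\FS01\Finance", "target": "q1.xlsx", "access": "WriteData"},
    {"host": "FS01", "channel": "Security", "event_id": 5145, "user": "admin", "ts": "2024-04-15T23:03:01",
     "share": r"\\FS01\Finance", "target": "budget.docx", "access": "WriteData"},
    {"host": "FS01", "channel": "Security", "event_id": 5145, "user": "admin", "ts": "2024-04-15T23:03:02",
     "share": r"\\FS01\Finance", "target": "payroll.xlsx", "access": "WriteData"},
    {"host": "FS01", "channel": "Security", "event_id": 5145, "user": "admin", "ts": "2024-04-15T23:03:03",
     "share": r"\\FS01\Finance", "target": "audit.pdf", "access": "WriteData"},
    {"host": "FS01", "channel": "Security", "event_id": 1102, "user": "admin", "ts": "2024-04-15T23:20:00"},
    {"host": "WS07", "channel": "System", "event_id": 104, "user": "admin", "ts": "2024-04-15T23:21:00"},
    # Benign activity that must not be flagged: one read on a share, a finished Defender scan.
    {"host": "WS07", "channel": "Security", "event_id": 5145, "user": "jdoe", "ts": "2024-04-16T09:10:00",
     "share": r"\\WS07\Public", "target": "readme.txt", "access": "ReadData"},
    {"host": "WS07", "channel": DEFENDER, "event_id": 1001, "user": "SYSTEM", "ts": "2024-04-16T09:15:00"},
]

# (channel, event_id) pairs that indicate log clearing or Defender being switched off.
TAMPER_RULES = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log cleared",
    (DEFENDER, 5001): "Defender real-time protection disabled",
    (DEFENDER, 5010): "Defender malware scanning disabled",
}


def flag_tamper_events(events):
    """Return (host, user, ts, description) for every log-clearing or Defender-disabling event."""
    alerts = []
    for e in events:
        desc = TAMPER_RULES.get((e["channel"], e["event_id"]))
        if desc:
            alerts.append((e["host"], e["user"], e["ts"], desc))
    return alerts


def flag_share_write_bursts(events, threshold=3):
    """Return (host, user, share, distinct_files) where one account wrote to at least
    `threshold` distinct files on one share. This is a crude proxy for bulk encryption
    of a network share; tune the threshold to the environment's normal write volume."""
    written = defaultdict(set)
    for e in events:
        if e["channel"] == "Security" and e["event_id"] == 5145 and "WriteData" in e.get("access", ""):
            written[(e["host"], e["user"], e["share"])].add(e["target"])
    return [(h, u, s, len(f)) for (h, u, s), f in written.items() if len(f) >= threshold]


def score_accounts(events, threshold=3):
    """Collect the distinct hostile actions per (host, user). Several distinct actions
    by one privileged account on one host is the pattern the attack above describes,
    and it is far more specific than any single event on its own."""
    actions = defaultdict(set)
    for host, user, _ts, desc in flag_tamper_events(events):
        actions[(host, user)].add(desc)
    for host, user, share, _n in flag_share_write_bursts(events, threshold):
        actions[(host, user)].add(f"bulk writes to {share}")
    return {k: sorted(v) for k, v in actions.items()}


if __name__ == "__main__":
    for (host, user), acts in sorted(score_accounts(SAMPLE_EVENTS).items()):
        print(f"{host} / {user}: {len(acts)} distinct hostile actions -> {', '.join(acts)}")
```

Run against the constructed records, the `admin` account on FS01 accumulates three distinct actions (Defender disabled, bulk writes to the Finance share, audit log cleared) while the ordinary user `jdoe` is never flagged. The point of scoring per account rather than alerting on each event is that 1102 and 5001 do occur legitimately during maintenance; the combination within a short window on one host, by an account that then clears the logs, is what should page someone. This only works if the events are forwarded off-host before the clearing, which is the operational reason to ship Security, System and Defender channels to a central collector.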