An enterprising ransomware gang is recruiting workers by promising millions in rewards for people willing to infect their company network with LockBit 2.0 ransomware, whose resurgence in Australia has drawn concern and a warning from government cybersecurity experts.
“A number of Australian organisations” in professional services, construction, manufacturing, retail and food have received ransom demands after being hit by LockBit 2.0, the Australian Cyber Security Centre (ACSC) said in a recent advisory that saw the organisation warning of a “sharp and significant increase” in infections by the newly updated malware.
Like its predecessor, LockBit 2.0 is a ransomware-as-a-service web application that handles both the encryption of company files and the theft of data from the target network.
The package provides everything needed for ‘double extortion’ ransomware attacks, in which the malware downloads company data while encrypting it and threatens to sell it on darkweb sites or release it publicly if the ransom isn’t paid.
LockBit 2.0 is being actively promoted as an “affiliate program” to individuals who are promised 70 to 80 per cent of any ransom payments earned from their distribution.
One marketing page, discovered by cybersecurity researchers, promises that affiliates will gain access to StealBit – described as “the fastest stealer all over the world”, complete with benchmarking results comparing it to rival gangs’ download speeds.
Because it is hosted in the cloud, the code is continually being updated, with a recent version adding the ability to encrypt entire Windows networks using group policies in Active Directory, which manages user and device access across most businesses.
“The only thing you have to do is to get access to the core server, while LockBit 2.0 will do all the rest,” one information page about the affiliate program says.
Layers upon layers
The ACSC offers a number of mitigation strategies for companies to avoid compromise by LockBit and LockBit 2.0, yet despite some victories companies across all sectors are continuing to fall in droves as ransomware authors continuously develop and refine their methods.
Exploding use of double-extortion attacks pushed average ransomware payments up 82 per cent year-on-year, to $775,000 ($US570,000) in the first half of this year alone, according to a recent analysis by Palo Alto Networks’ Unit 42 security consulting arm.
Much of this growth comes thanks to the automated bundling of malware that have become the new frontier for cybercriminal developers, who have made great strides not only in developing malware-as-a-service and ransomware-as-a-service offerings – but packaging them with a range of other code for stealing or damaging data.
Security firm Sophos, for example, recently reported on the resurgence of Raccoon Stealer, a two-year-old stealer that rummages through web browsers for code like passwords, cookies, ‘autofill’ text for websites, credit card data, cryptocurrency wallets, and whatever else it can find.
Raccoon Stealer can also steal files from, and install malware on, infected systems – and the whole package, Sophos notes, is available to anybody for seven days for just $102 ($US75).
Cybercriminal gangs are adding even more tactics to pressure companies into paying ransoms, Unit 42 warned, noting a growing number of spate of ‘quadruple extortion’ attacks that include encrypting files; stealing data for threat of release; launching denial of service (DoS) attacks that block victims’ websites; and even harassment, in which cybercriminals actively contact customers, business partners, employees, and media organisations to publicise the breach of the company.
Ransomware payments have become such a significant issue for Australian businesses that the government recently launched a multi-agency task force, called Operation Orcus, that will add 22 staff to Australian Federal Police-led cybercriminal investigations.
The task force is part of a broader offensive against the cybercriminal industry that has seen the government pushing companies to not pay ransoms, threatening to force companies to reveal ransom payments, and ban ransomware payments by insurance companies.