Experiencing Ransomware or Cyber Breach?

Response time is everything when you are under attack. If you have been breached or have an urgent matter, contact us immediately.

Lockbit is a Russian backed ransomware group that first emerged in 2019 and has since become one of the fastest growing ransomware groups in the world.

An infection with LockBit, (or any ransomware) is characterised by your systems displaying a notice like the above with the perpetrator, a specialist cybercrime group, holding your infected systems and stolen data hostage until you pay a ransom. The ransom is typically demanded in cryptocurrency such as bitcoin.

Key Take Aways

  • You will not be able to access your systems or data.
  • It is advised that you disconnect from the internet and shut your systems down to stop further infections including pc’s.
  • Your Office 365 system might also be compromised, enabling them to track and understand your responses. Avoid communicating with individuals through your primary email or team systems.
  • Threat actors will have infiltrated your system at least 2-4 weeks prior to you becoming aware. Your data will have already been exfiltrated. If your system is encrypted, this did not all happen last night.

 

Ransom Note Example

If your systems display a message like below, they have been compromised by a LockBit attack.

You must not attempt to touch, restore or overwrite the data (explanation below).

The likely chain of events is shown in the diagram above.

  • Ransom costs can range from £0.5m - £3m
  • Paying the ransom may contravene financial sanctions, which is a criminal offence and could lead to a custodial sentence or further financial penalty.
  • Data sold/published on the web puts your customers and staff at risk, implicating you in a Data Protection breach.
  • You will need to perform a data take down request from the initial location the data went too.
  • Do not overwrite the encrypted data. It is imperative to find out when the infection started and where the data was streamed to.
  • You must not rebuild from the latest back up as this will have been infected.

Why you must not interfere with your ransomware environment

If you discover a physical break-in at your offices, your first thought would be to call the police; touch nothing and let them search for clues to the perpetrator. Then, work out how to get your business operations back up and running.

A cyber-attack requires the same logic. Your environment is a CRIME SCENE. It's imperative for the environment to remain untouched so that a forensic investigation can be carried out.

This is not a job for your IT team or MSP. There are digital forensic specialists available 24/7 who can assist you, just like in a physical crime.


Ransom Groups Stats by Industry

A summary of post-breach actions:

  • Call a NCSC Cyber Incident Response approved supplier https://www.ncsc.gov.uk/schemes/cyber-incident-response/find-a-provider
  • Some NCSC providers will fund up to 48 hours of investigation into your incident. Report the incident to Action Fraud https://www.actionfraud.police.uk/ .
  • Locate your business continuity plan and work out what you can do without access to your systems and data.
  • Identify your business insurance contact details.
  • Your NCSC-approved supplier is a specialist Crime Scene Investigator who helps you get back to full operation faster. They will:
  • Isolate and preserve your environment for forensic investigation.
  • Identify where the data has been duplicated and issue a legal takedown order.
  • Identify your data, application and systems restore points. These might be at different points in time and will need to be carefully restored and reconstructed in a pristine environment.
  • Liase with your business insurance company and if needed, with the Police.
  • Advise you on notifying your customers of your situation.
  • Rebuild your systems, restore your data and get you back to full operation.
  • This process can take between 2 weeks - 2 months.

Solace Cyber can offer a “Black Box” solution to allow you to get your business back in operation in a clean environment early in this process in parallel to the investigation and systems rebuild/restore.

The four phases of ransomware extortion.
Lockbit Employ Double Extortion

Double extortion involves encrypting a victim's data making it inaccessible, and then exfiltrating sensitive information, such as personal or company data. The threat actors demand payment for both decrypting the files and preventing the release of the data on the dark web.

This dual threat significantly increases pressure on the victim to pay the ransom, even if they have backups, as the potential data exposure poses serious risks, including reputational damage and legal consequences. This tactic has become increasingly popular among cybercriminals because it maximises their chances of receiving payment.

Who is LockBit? What does it do?

LockBit first emerged in 2019 under the moniker ABCD Ransomware and is believed to have roots in Russia. It has since undergone several evolutions with Lockbit 3.0 being the latest variant. Lockbit 3.0 provides Ransomware as a service (RaaS) with the criminal group receiving payment from affiliates to launch cyber-attacks using their distinct brand of malware called “StealBit”. This malware automates the transfer of data to the intruder and is known for its rapid and efficient encryption capabilities. In 2022 they were the most deployed ransomware strain in the UK and continue to be the most prolific ransom group globally.

The LockBit group's modus operandi looks to leverage vulnerable Remote Desktop Protocol (RDP) servers and/or obtain compromised credentials from affiliates. They are known to employ common attack vectors such as phishing emails with harmful links, as a way of gaining initial access. In addition to this, they have been found to employ brute-force methods on weak RDP or VPN passwords and exploit vulnerabilities.

Once infiltrated, LockBit executes its ransomware through command-line arguments, scheduled tasks, and/or PowerShell scripts. The malware methodically collects credentials, disables security products, and skilfully evades defences. Before advancing to the final stage of file encryption, it meticulously clears logs, often operating discreetly for days or even weeks before the breach is detected.

UK Data 2024
What is Lockbit Ransomware?

LockBit is a type of Ransomware software that is currently threatening businesses in the UK, gathering money to fund terrorism around the world:

Useful Resources

“The first Cyber Security RANSOMWARE Incident was reported in 2019 and the growth since summer 2022 is significant, smaller organisations are being targeted”

“Cyber risks, such as IT outages, ransomware attacks or data breaches, rank as the most important risk globally (34% of responses) for the second year in succession – the first time this has occurred.”
Ref Allianz Risk Barometer 2023 - Rank 1: Cyber incidents

Most Recent Lockbit 3 Attacks
TitleAvailableLast visitfqdnScreenshots
LockBit LOGINYes2024-07-20 12:09:23.396127http://lockbitqfj7mmhrfa7lznj47ogknqanskj7hyk2vistn2ju5ufrhbpyd.onion
LockBit LOGINYes2024-07-20 12:08:44.376659http://lockbitkwkmhfb2zr3ngduaa6sd6munslzkbtqhn5ifmwqml4sl7znad.onion
LockBit LOGINYes2024-07-20 12:08:03.929191http://lockbiti7ss2wzyizvyr2x46krnezl4xjeianvupnvazhbqtz32auqqd.onion

Solace Cyber’s track record includes hundreds of successful response recoveries, providing Digital Forensic Incident Response services, 24x7x365.

Total No. of Lockbit Attacks

Total attacks

How old is LockBit? When did it start and how many attacks have there been? Who else have been victims of LockBit?

Similar to legitimate software companies, Lockbit continuously develops and releases new malware variants, with LockBit 3.0 being the latest ransomware iteration. LockBit's impact and tactics demonstrate their adaptability. To date, lockbit has amassed 1867 victims.

What is the lifecycle of a ransomware attack?

The chain of events that make up a typical ransomware attack is shown in the figure below. Depending on the incident, the response team may be involved at any stage in the attack, from reconnaissance through to post-encryption and random demand issuance.

When planning the response, it is important to determine what stage the attack is at, so that the attack can be better understood and short-term containment measures put in place to frustrate the attackers efforts to develop the attack any further.

chart sample
Will the issue go away if I pay the ransom?

Criminal organisations like Lockbit are paid by affiliates to launch cyber-attacks using their specific brand of malware that is known for its swift and efficient encryption capabilities. Even if the ransom is paid, the likelihood of having files decrypted and data restored is minimal, underscoring the necessity of employing a ransomware incident response team.

Check Links Monthly The NCSC have documented the deliberations for paying ransomware: https://www.ncsc.gov.uk/ransomware/home

Important Reminder: It is a criminal offense to pay money to people who are subject to financial sanctions. The list of who is subject to financial sanctions is constantly changing. The latest iteration can be found here: https://www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets

Global Data 2024

Victims by group

Solace Cyber has consistently rescued customers without having to pay the ransom. This is our specialism. We can help.

Unlocking Lockbit: 9 Key Points You Should Know

Finally, what is life like after LockBit?

How do I maintain security in future to prevent a further ransomware attack?

Solace Cybers’ support continues beyond the recovery process. Once your business is back up and running, we work with you to transform your cyber security through a threat-informed approach utilising our 9-step approach Solace Global - Cyber 9 Step Process

If your systems are showing signs of a LockBit attack, REMAIN CALM.

YOU MUST NOT TOUCH THEM, RESTORE OR OVERWRITE THE DATA (explanation above).

Contact Solace Cyber

Contact Solace Cyber on 01202 308818 or complete our form for a call back from one of our experts. We will act promptly to reduce your business downtime.

Contact Us

Under Attack?

If you think you are under a ransomware attack, don’t hesitate to get in touch with us to start the recovery process.

Complete the form to request a complimentary consultation with our specialists and get a plan of action in place immediately.

If you need assistance right away, we would recommend calling us on 01202 308818.

Request a callback

Solace Cyber, part of Solace Global, helps companies across the UK recover from ransomware attacks and data breaches.

Solace Cyber Limited is registered in England & Wales no. 14028838

Solace Cyber

Suite 6, Branksome Park House,
Branksome Business Park,
Bourne Valley Road,
Poole, BH12 1ED
United Kingdom

Telephone

Please note that calls may be recorded for security and training purposes.