- Affiliates of the LockBit ransomware group are infiltrating on-premises servers to spread malware on targeted networks, according to new research from Broadcom’s threat hunting team at Symantec.
- Threat analysts observed a threat actor operating on a victim’s enterprise network with remote desktop protocol access for several weeks before it dropped and executed the LockBit ransomware. This type of sustained and undetected access allows attackers to conduct reconnaissance and identify weaknesses on networks before deploying payloads.
- Attackers operating LockBit ransomware can leverage group policy management to spread the malware through a network, run commands and encrypt many machines almost simultaneously, Symantec’s researchers said.
The implications of threat actors gaining access to network servers and spreading ransomware is worrisome because once the malware gains admin controls it can create a group policy to stop services, end processes and reproduce quicker at greater scale.
Attackers can gain access to on-premises network servers via remote desktop applications or by exploiting a known vulnerability, according to Symantec’s threat hunting group.
Ransomware gangs often mimic other successful tactics, and if this technique is more widely deployed it could present yet another serious challenge for organizations in the fight against cyberthreats.
“Once the double extortion technique was shown to be effective for some ransomware actors it began being deployed by almost all of them,” Brigid O Gorman, senior intelligence analyst on Symantec’s threat hunter team, said via email.
LockBit, a ransomware as a service that first appeared in September 2019 and is now on version 3.0, behaves differently when executed on server machines with domain controllers, according to Symantec.
It goes into an infinite loop if the malware process is being debugged, checks system languages to avoid target organizations in Russia and some nearby countries, then it ends processes and disables services related to malware analysis. The malware can also achieve privilege escalation and bypass user account control.
“Privilege is the goal. With more awareness in privileged accounts, privileged systems may not be getting the same scrutiny,” John Bambenek, principal threat hunter at Netenrich, said via email. “The takeaway is that anything IT relies on to manage an environment can be relied on by attackers to take it down.”
Symantec pointed to multiple indicators of compromise in its report to help organizations detect and block LockBit ransomware on network servers. The threat hunting team observed the activity in on-premises servers, but added that similar activity can be achieved on cloud servers.
Ransomware groups can scan and exploit broadly across the internet to gain a foothold into servers without any specific targeting, Blumira CTO Matthew Warner said via email. Once that level of access is obtained, attackers can drop into highly-sensitive portions of the victim’s network and quickly move across the environment to steal data and spread ransomware.