LockBit Using Remote Monitoring Tools to Infect Employees with Ransomware
In a recent wave of cyberattacks, eSentire, a global Managed Detection and Response (MDR) security services provider, has thwarted three separate ransomware attacks orchestrated by affiliates of the notorious LockBit ransomware gang.
This Russia-linked criminal group has adopted a new and more sophisticated modus operandi, deploying Remote Monitoring and Management (RMM) tools to infiltrate target networks and discreetly launch ransomware attacks.
eSentire's timely intervention prevented significant disruption and financial losses for the affected organizations.
LockBit, operating under a Ransomware-as-a-Service (RaaS) model, has become one of the most alarming and successful ransomware groups globally, collecting an estimated $91 million in ransom payments, mainly from U.S. victims, since its emergence in late 2019.
This destructive gang uses a variety of entry methods, including browser-based attacks such as SocGholish, exploitation of vulnerable Internet-exposed servers, and theft of valid credentials.
LockBit's distinguishing characteristic is its adept use of Living-off-the-Land techniques: it avoids traditional malware and instead employs legitimate RMM tools already present in target environments.
This approach lets the attackers blend in, evade detection, and complicate attribution, particularly when the RMM tools are accessible via the cloud.
eSentire's Threat Response Unit (TRU) detailed three distinct incidents in which LockBit aimed to deploy ransomware:
- Attacks against an MSP: LockBit affiliates targeted a Managed Service Provider (MSP), gaining access to the MSP's downstream customers and attempting to distribute ransomware. The attackers used RMM tools such as AnyDesk, Atera, and ConnectWise RMM to facilitate their malicious activities.
- Home Décor Manufacturer: In this incident, LockBit affiliates disrupted a manufacturing firm by disabling Windows services, employing tools like PsExec, and attempting to establish persistence via AnyDesk.
- Storage Materials Manufacturer: LockBit deployed ConnectWise RMM to spread ransomware across a storage materials manufacturer's network. Although the target already had this RMM tool, the attackers launched their own copy of it to reduce suspicion.
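The rogue-copy tactic in the third incident, and the PsExec use in the second, can be caught with ordinary endpoint process-creation telemetry. The following detection logic is an added example, not code from eSentire or the article: it runs over constructed sample events and flags agents of the RMM products named above that start outside their expected install directory, RMM products missing from the organisation's inventory entirely, and the PsExec service binary; the inventory, install paths and log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not from the article): timestamp|host|image_path
SAMPLE_LOGS = """\
2023-06-01T09:12:03|WS-017|C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe
2023-06-01T09:15:44|WS-017|C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe
2023-06-01T09:16:10|WS-022|C:\\Users\\svc_build\\Downloads\\AnyDesk.exe
2023-06-01T09:20:00|WS-022|C:\\Windows\\PSEXESVC.exe
2023-06-01T09:21:30|WS-030|C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe
"""
# Agent binaries of the RMM products named in the article, keyed by lowercase file name.
RMM_BINARIES = {"screenconnect.clientservice.exe": "ConnectWise",
                "anydesk.exe": "AnyDesk", "ateraagent.exe": "Atera"}
# Hypothetical inventory of sanctioned products and their install directories
# (assumed paths); AnyDesk is deliberately absent, so any AnyDesk launch alerts.
SANCTIONED_PATHS = {"ConnectWise": r"c:\program files (x86)\screenconnect client",
                    "Atera": r"c:\program files\atera networks\ateraagent"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.I)

def classify(image_path):
    # Return (product, verdict) for one image path, or None if not of interest.
    name = image_path.rsplit("\\", 1)[-1].lower()
    if name == "psexesvc.exe":          # PsExec service binary, as in the second incident
        return ("PsExec", "lateral-movement tool service")
    product = RMM_BINARIES.get(name)
    if product is None:
        return None
    allowed = SANCTIONED_PATHS.get(product)
    if allowed is None:
        return (product, "unsanctioned RMM product")
    if not image_path.lower().startswith(allowed):
        where = "user-writable" if USER_WRITABLE.search(image_path) else "unexpected"
        return (product, f"sanctioned product launched from {where} path")
    return (product, "ok")

def detect(log_text):
    # A second copy of a sanctioned product on a host that already runs the real
    # agent is escalated: that is the rogue-copy tactic from the third incident.
    seen, findings = defaultdict(set), []
    for line in log_text.splitlines():
        ts, host, path = line.split("|", 2)
        result = classify(path)
        if result:
            seen[(host, result[0])].add(path.lower())
            findings.append((ts, host, *result))
    alerts = []
    for ts, host, product, verdict in findings:
        if verdict != "ok":
            if len(seen[(host, product)]) > 1:
                verdict = "rogue second copy: " + verdict
            alerts.append((ts, host, product, verdict))
    return alerts
```

Running `detect(SAMPLE_LOGS)` yields three alerts: the ConnectWise client started from a Temp folder on a host that already runs the sanctioned agent, the unsanctioned AnyDesk launch, and the PsExec service; the two agents running from their install directories are not reported.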
Preventing RMM Tool Hijacking
To safeguard against cybercriminals hijacking RMM tools and launching ransomware attacks on employees and customers, organizations are advised to:
- Enforce two-factor authentication and strong, unique passwords for RMM access.
- Implement Access Control Lists (ACLs) for trusted IPs and promote VPN usage for roaming customers.
- Consider client SSL certificates for RMM system access.
- Exercise caution when revealing software stacks in job postings, to deter tailored phishing attempts.
- Conduct phishing awareness training for employees with RMM access.
- Employ a 24/7 Managed Detection and Response solution to protect IT environments.
- Ensure timely patching and updates for software applications and third-party tools.
- Educate customers on cybersecurity and collaboratively develop security policies.
Source credit : cybersecuritynews.com