SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Kaspersky illuminates LockBit ransomware group's advanced tactics
Thu, 18th Apr 2024

The ransomware group LockBit, known for launching attacks on businesses worldwide, remains a significant threat. Kaspersky, a global cybersecurity company, has recently analysed the methods of adversaries who build custom ransomware from LockBit's leaked tooling, revealing previously unseen techniques.

The LockBit 3.0 builder, otherwise known as LockBit Black, was first detected in June 2022. Despite its age, attackers consistently use this tool to generate customised versions of the ransomware for their illegal activities. It is particularly concerning that using the builder does not require advanced programming skills, which enables more frequent and damaging attacks.

A recent incident in Guinea-Bissau showed that such custom ransomware employs previously unseen techniques. According to Kaspersky's findings, this ransomware can create a damaging ripple effect: infected hosts attempt to spread the malware further within the victim's network.

Using illicitly acquired credentials, the adversaries impersonate a system administrator with privileged rights. Because privileged accounts give an attacker wide scope to execute the attack and reach critical areas of the corporate infrastructure, this situation is highly critical. Furthermore, the customised ransomware can spread across the network autonomously, using highly privileged domain credentials to carry out malicious activities. The malware can disable Windows Defender, encrypt network shares, and erase Windows Event Logs, effectively concealing its actions.
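Two of the behaviours described above, disabling Windows Defender and clearing Windows Event Logs, leave documented events behind before the logs are gone, and a defender can watch for them. The following is an added example, not part of Kaspersky's report or the article: it runs over constructed JSON-lines event records (the record format is assumed, the event IDs are the documented Windows values) and flags hosts where more than one tampering indicator fires.

```python
import json
from collections import defaultdict

# Documented Windows event IDs that correspond to the behaviours in the text.
INDICATORS = {
    ("Security", 1102): "security audit log cleared",
    ("System", 104): "event log cleared",
    ("Microsoft-Windows-Windows Defender/Operational", 5001):
        "Defender real-time protection disabled",
}

# Constructed sample telemetry (one JSON record per line); not real data.
SAMPLE_LOG = """\
{"host": "fs01", "channel": "Security", "event_id": 4624, "time": "2024-04-10T02:11:05Z"}
{"host": "fs01", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "time": "2024-04-10T02:12:40Z"}
{"host": "fs01", "channel": "Security", "event_id": 1102, "time": "2024-04-10T02:13:02Z"}
{"host": "ws07", "channel": "System", "event_id": 104, "time": "2024-04-10T02:13:30Z"}
{"host": "ws07", "channel": "Security", "event_id": 4672, "time": "2024-04-10T02:13:31Z"}
"""


def find_indicators(log_text):
    """Return (host, time, description) for every record matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key = (rec["channel"], rec["event_id"])
        if key in INDICATORS:
            hits.append((rec["host"], rec["time"], INDICATORS[key]))
    return hits


def hosts_with_multiple_indicators(hits):
    """Hosts where two or more distinct indicators fired: a stronger tampering signal
    than a single log-clear event, which can also be routine administration."""
    by_host = defaultdict(set)
    for host, _, desc in hits:
        by_host[host].add(desc)
    return sorted(h for h, descs in by_host.items() if len(descs) >= 2)


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for host, when, desc in found:
        print(f"{when} {host}: {desc}")
    print("hosts with multiple indicators:", hosts_with_multiple_indicators(found))
```

Because the malware erases the logs on the host itself, these events are only useful if they are forwarded to a collector before they can be cleared.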

The malware is adapted to the specific configuration of the victimised company's network. For instance, the attacker can configure the ransomware to encrypt only specific file types or a set of specific systems. By executing this custom build in a virtual machine, Kaspersky observed it carrying out harmful activities and generating a custom ransom note.

The LockBit 3.0 builder was leaked in 2022, but adversaries still actively use it to tailor their attacks. Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team, said, "This flexibility gives adversaries many opportunities to enhance the effectiveness of their attacks, as the recent case shows. It makes these kinds of attacks even more dangerous, considering the escalating frequency of corporate credential leaks."

Kaspersky's findings also show that attackers used the SessionGopher script to locate and extract saved passwords for remote connections in the affected systems. Incidents based on the leaked LockBit 3.0 builder often occur within various industries and regions, including Russia, Chile, and Italy.

LockBit operates as a Ransomware-as-a-Service (RaaS) network. In February 2024, the group appeared to have been defeated when an international law-enforcement operation took control. However, following the operation, the group declared its return to illicit activity.

To mitigate ransomware attacks, Kaspersky suggests implementing regular backups, saving encrypted files for future decryption, deploying robust security solutions, reducing the attack surface by disabling unused services and ports, keeping systems updated, and conducting vulnerability scans. Additionally, regular cybersecurity training can further help to equip employees with knowledge of cyber threats and their potential mitigations.