Not all ransomware strains are created equally. Some are designed as slow burns that will infect a target system, expanding its reach for days, or even weeks before striking and locking your business critical files. Others are designed to hit fast and hard.
Lockbit definitely falls into this latter category, based on a detailed analysis of the code conducted by researchers at Sophos.
Their conclusion is that from the time a target network is breached, Lockbit will start encrypting files in as little as five minutes, which is so fast that it doesn’t really give your IT staff an opportunity to respond to the attack. By the time they become aware of it and begin deploying resources to minimize the damage, it’s usually over.
The research team discovered that once Lockbit makes its way onto a target system, it will do a quick, keyword based scan of network drives to locate the information most valuable to the team that inserted it.
This particular malware strain is offered as “Ransomware as a Service” so the keywords Lockbit uses for this search will be different, depending on who paid for the service, who they’re attacking, and what they’re most interested in acquiring. This is because of course, the hackers will copy the information they want before they start encrypting files.
In any case, this process doesn’t take long, and once that’s done, the malware executes in memory via a Windows Management Instruction (WMI) command. The research team observed that in every case they studied, the attack began in earnest, with files being locked, within five minutes of issuing the WMI command. That’s as fast and brutal as it gets.
During the ransomware execution, a ransom note is created in each directory it encrypts with the following content:
This type of ransomware is not spread through social engineering attacks like phishing. It is deployed after hackers have already infiltrated the network. Because of this, fighting this threat is difficult! Monitoring can be a successful preventive measure, at least to detect potential intrusions on the network in an early stage.