Intelligence Report On Lockbit Ransomware Gang

A survey released in mid-June says that up to 80 percent of businesses that paid ransomware demands have experienced a second attack, often by the same gang. Ransomware victims hemorrhage money while their systems are down, and routinely are subjected to secondary threats – i.e., corporate data leaks – until they pay. The Prodaft Threat Intelligence team has published a report about the ransomware gang LockBit, how it manages its victims, blog posts it publishes, and statistics concerning the success or failure of its attacks. Forensic investigations show that it often tries first to identify mission-critical systems including NAS devices, backup servers, and domain controllers. Data exfiltration then begins and packages are usually uploaded to services including MEGA’s cloud storage platform. A LockBit sample is deployed and files are encrypted with a generated AES key. Backups are deleted and a ransom note containing a link to a website address where decryption software can be purchased is delivered. The website also offers a decryption trial, in which one file can be decrypted free.