2022-06-14

Analysis of Lockbit 2.0 Impact


Industries: Construction, Federal Government, Real Estate, High Tech, Manufacturing, Professional, Legal, Wholesale & Retail | Level: Tactical | Source: Unit42

Palo Alto Unit 42 shared its investigation of Lockbit 2.0, which the security team labeled the "most impactful and widely deployed ransomware" during 2022. The numbers back up the claim: Lockbit 2.0 was responsible for 46% of ransomware breaches tracked in 2022. Observed deployments of other ransomware strains are considerably lower, with second-place Conti at 17% and BlackCat/ALPHV at 10%. Lockbit has listed over 850 victims on its data leak site. In terms of victimology, the group heavily targets the United States, which accounts for 49.6% of its victim base, with Italy (9.6%) a distant second and Germany (7.9%) in third place. Industry impact is vast, with the top five targets including professional and legal (45.6%), construction (12.8%), wholesale and retail (11.3%), and manufacturing (10.2%). The ransomware operators appear to be conducting campaigns more ruthlessly: dwell times have decreased, leading to quicker ransomware deployments. Flexibility in ransom payment and negotiation also appears to have decreased, as ransom payments are closer to the initial asking price rather than dropping in value during negotiations. By all indications, Lockbit is not slowing down, as the group has been identified as developing Lockbit 3.0 with stronger encryption processes.

Anvilogic Use Cases:

  • Potential Web Shell
  • Encoded Powershell Command
  • Create/Modify Schtasks
  • Remote Admin Tools
  • Create/Add Local/Domain User
  • Clear Windows Event Logs
  • Service Stop Commands
  • Modify Windows Defender
  • Windows Defender Disabled Detection
  • Mimikatz
  • Adfind Execution
  • AVL_UC6146 - Adfind Commands
  • Cobalt Strike Beacon
  • Rclone Execution
