Not all ransomware strains are created equally. Some are designed as slow burns that will infect a target system, expanding its reach for days, or even weeks before striking and locking your business critical files. Others are designed to hit fast and hard.
Lockbit definitely falls into this latter category, based on a detailed analysis of the code conducted by researchers at Sophos.
Their conclusion is that from the time a target network is breached, Lockbit will start encrypting files in as little as five minutes, which is so fast that it doesn’t really give your IT staff an opportunity to respond to the attack. By the time they become aware of it and begin deploying resources to minimize the damage, it’s usually over.
The research team discovered that once Lockbit makes its way onto a target system, it will do a quick, keyword based scan of network drives to locate the information most valuable to the team that inserted it.
This particular malware strain is offered as “Ransomware as a Service” so the keywords Lockbit uses for this search will be different, depending on who paid for the service, who they’re attacking, and what they’re most interested in acquiring. This is because of course, the hackers will copy the information they want before they start encrypting files.
In any case, this process doesn’t take long, and once that’s done, the malware executes in memory via a Windows Management Instruction (WMI) command. The research team observed that in every case they studied, the attack began in earnest, with files being locked, within five minutes of issuing the WMI command. That’s as fast and brutal as it gets.
There’s still a lot the team doesn’t know about Lockbit, but they’re continuing to study both the code and the aftermath of the attacks made on corporate networks around the world. They will continue updating the rest of us with their findings. None of the news is good, but it’s always better to know than not.
