2022-07-26

Server Attack Leads to LockBit

Industry: N/A | Level: Tactical | Source: Symantec

The spree of attacks by the LockBit ransomware-as-a-service (RaaS) operation shows no sign of slowing down. The latest Symantec report describes a LockBit ransomware attack that spread through server machines. One difference in LockBit's behavior when it spreads through server machines with domain controllers is that distribution can be facilitated with group policies. When LockBit runs on a server, its execution flow involves a debugger check for anti-forensics, a language check to avoid countries such as Russia, terminating processes and services, creating tokens for privilege escalation, bypassing User Account Control (UAC), creating a group policy, modifying Windows Defender settings, clearing event logs, and encrypting files, with mshta coming in as the finisher to display the ransom note. The threat from LockBit continues to surge, as the group has a larger stage given the absence of Conti. During May 2022, NCC Group attributed 40% of ransomware attacks to LockBit.

Anvilogic Use Cases:

  • Modify Group Policy
  • RDP Logon/Logoff Event
  • Service Stop Commands
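
The use cases above map onto the execution flow described in the summary. As an added illustration (not Anvilogic's detection content and not Symantec's analysis), the following Python script shows how a defender could tag process-creation events against those behaviors and then correlate tags per host and user, since a single `net stop` or `wevtutil cl` is routine admin noise but several of these within a short window on a domain controller is not. The regex patterns, the event fields, and the sample events are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection rules keyed by the use-case names from the summary. Patterns are
# constructed for this example and run case-insensitively over "image + cmdline".
RULES = {
    "Service Stop Commands": [
        r"\\net1?\.exe\b.*\bstop\b",          # net stop <service>
        r"\\sc\.exe\b.*\bstop\b",             # sc stop <service>
        r"\\taskkill\.exe\b.*\s/im\b",        # taskkill /IM <process>
    ],
    "Modify Group Policy": [
        r"\b(New-GPO|Set-GPRegistryValue|Invoke-GPUpdate)\b",  # GroupPolicy cmdlets
    ],
    "Defender Settings Modified": [
        r"Set-MpPreference\b.*-Disable\w+",   # e.g. -DisableRealtimeMonitoring
        r"\\reg\.exe\b.*Windows Defender.*Disable\w+",
    ],
    "Event Log Cleared": [
        r"\\wevtutil\.exe\b.*\bcl\b",         # wevtutil cl <log>
        r"\bClear-EventLog\b",
    ],
    "mshta Ransom Note": [
        r"\\mshta\.exe\b.*\.hta\b",           # mshta launching an .hta payload
    ],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in RULES.items()}


def ev(ts, host, user, image, cmdline):
    """Build a minimal process-creation event (constructed field names)."""
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


# Constructed sample telemetry: one server showing the whole chain, plus two
# unrelated hosts whose activity should not be flagged.
SAMPLE_EVENTS = [
    ev("2022-07-20T02:14:05", "srv-dc01", "CORP\\svc_backup", r"C:\Windows\System32\net.exe", 'net stop "SQLWriter" /y'),
    ev("2022-07-20T02:15:11", "srv-dc01", "CORP\\svc_backup", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ev("2022-07-20T02:17:40", "srv-dc01", "CORP\\svc_backup", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -c New-GPO -Name 'Update' | New-GPLink -Target 'DC=corp,DC=local'"),
    ev("2022-07-20T02:22:03", "srv-dc01", "CORP\\svc_backup", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ev("2022-07-20T02:26:30", "srv-dc01", "CORP\\svc_backup", r"C:\Windows\System32\mshta.exe", r"mshta C:\Users\Public\note.hta"),
    ev("2022-07-20T09:01:00", "ws-042", "CORP\\jdoe", r"C:\Windows\System32\net.exe", "net use Z: \\\\fs01\\share"),
    ev("2022-07-20T09:30:00", "ws-017", "CORP\\helpdesk", r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Application"),
]


def classify(event):
    """Return the set of rule names whose patterns match this event."""
    text = f'{event["image"]} {event["cmdline"]}'
    return {name for name, pats in COMPILED.items() if any(p.search(text) for p in pats)}


def correlate(events, window=timedelta(minutes=30), min_techniques=3):
    """Group tagged events per (host, user) and report pairs that hit at least
    `min_techniques` distinct rules within `window`. Returns {key: sorted tags}."""
    tagged = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        tags = classify(e)
        if tags:
            tagged[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), tags))
    hits = {}
    for key, items in tagged.items():
        # Sliding window anchored on each tagged event in turn.
        for i, (t0, _) in enumerate(items):
            seen = set()
            for t, tags in items[i:]:
                if t - t0 > window:
                    break
                seen |= tags
            if len(seen) >= min_techniques:
                hits[key] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for (host, user), tags in correlate(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {', '.join(tags)}")
```

The threshold of three distinct behaviors in thirty minutes is a starting point, not a tuned value; in practice the "Modify Group Policy" rule would also draw on directory-service audit events rather than command lines alone, and the per-host grouping would be joined with RDP logon events so the chain can be tied back to the session that started it.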
