A devastating ransomware attack by Lockbit recently targeted the charming city of Calvià in Majorca, Spain, which is well-known for its tourism appeal.
This incident underscores the escalating audacity of ransomware groups targeting both governmental and corporate entities.
ANY.RUN reported that the attack led to IT outages, suspending all administrative deadlines until January 31, 2024.
ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis for Windows and Linux tasks.
If you’re a security analyst or researcher, you can request a demo today and get 14 days of free access to the Enterprise plan.
Despite no specific ransomware group claiming responsibility, reports indicate a demand for €10 million (approximately $11 million).
The city’s mayor, Juan Antonio Amengual, affirmed the city’s stance of not capitulating to the cybercriminals’ demands.
LockBit Ransomware Unveiled
While primarily known for crippling Windows systems, the infamous LockBit ransomware poses a growing threat to Linux and MacOS users as well.
This RaaS (Ransomware-as-a-Service) offering empowers even novice attackers with potent encryption capabilities, making it a versatile tool for cybercriminals.
LockBit’s self-proclaimed “fastest encryption software” title might be more a marketing ploy than reality.
While its encryption speed may be noteworthy, its true impact lies in the disruption and financial losses it inflicts on victims.
Businesses forced to recover from LockBit attacks face downtime, data loss, and hefty ransom demands, making its impact far more significant than mere encryption speed.
Are you a Security Analyst? Try ANY.RUN Interactive Malware Sandbox for Free
More than 300,000 analysts use ANY.RUN is a malware analysis sandbox worldwide. Join the community to conduct in-depth investigations into the top threats and collect detailed reports on their behavior..
RaaS: Democratizing Cybercrime?
Operating as a RaaS model, LockBit makes ransomware attacks more accessible by providing pre-built tools and infrastructure to its affiliates.
This lowers the technical barrier to entry, potentially enabling less skilled attackers to launch sophisticated ransomware attacks.
This democratization of cybercrime poses a significant challenge for defenders as the attack landscape becomes increasingly diverse and unpredictable.
This implies that access to the ransomware is sold on underground forums, contributing to its widespread usage. This marketing effort, unusual for ransomware, underscores their calculated approach.
LockBit stands out not just for its destructive capabilities but also for its surprisingly professional website and even a bug bounty program.
Once it breaches a system, LockBit unleashes a multi-pronged attack:
- Siphoning Credentials: It gathers credentials to expand its foothold within the network.
- Disarming Defenses: Security software is disabled, further weakening the victim’s defenses.
- Lateral Movement: The ransomware propagates across the network, maximizing its impact.
- Data Exfiltration: Sensitive data is stolen and uploaded to cloud storage, potentially for additional leverage.
- File Encryption: AES encryption with RSA keys scrambles critical files, rendering them inaccessible.
Analysis of ANY.RUN’s Malware Trends Tracker reveals LockBit’s current ranking as the 19th most popular malware overall. Notably, for ransomware, this level of popularity is relatively high.
The surge in LockBit activity corresponds with the Calvià attack, highlighting increased interest and detection by researchers.
LockBit, previously known for targeting small to medium-sized businesses with an average ransom demand of $85,000, has seemingly abandoned its usual playbook in this larger-scale attack, raising concerns about its evolving tactics.
To better understand LockBit’s work, check out this sample in ANY.RUN.
Possible Causes of the Attack
The Calvià incident’s exact cause remains unknown until the IT committee concludes its investigation.
However, considering LockBit’s typical tactics, some possibilities emerge:
- Phishing: An employee might have inadvertently opened a malicious email (spearphishing), granting attackers access through a downloaded link or attachment.
- Unpatched software: A vulnerability in outdated software could have been exploited for initial access.
- Brute-forcing: Attackers might have used brute-force techniques to crack VPN or RDP credentials.
It’s crucial to understand that these are merely educated guesses based on known LockBit methods and should not be considered definitive until the official investigation unveils the true cause.
The LockBit ransomware attack on Calvià is a stark reminder of the ongoing threat that cybercriminals pose.
Regardless of size or industry, organizations must prioritize cybersecurity basics to fortify their defenses against evolving ransomware tactics.
By investing in employee training, maintaining up-to-date software, enforcing strong authentication, implementing access controls, and conducting regular backups, businesses can significantly enhance their resilience against ransomware attacks.
As cyber threats evolve, a proactive and multi-layered cybersecurity approach is essential for safeguarding digital assets and maintaining operational continuity.
You can also try the ANY.RUN interactive malware sandbox for a 14 days Free Trial.