LockBit Gang Using Remote Monitoring Tools to Infect Employees with Ransomware

In a recent wave of cyberattacks, eSentire, a global Managed Detection and Response (MDR) security services provider, has thwarted three separate ransomware attacks orchestrated by affiliates of the notorious LockBit Ransomware Gang. 

This Russia-linked criminal group has adopted an increasingly sophisticated modus operandi, deploying Remote Monitoring and Management (RMM) tools to infiltrate target networks and discreetly execute ransomware attacks. 

eSentire’s timely intervention has prevented significant disruption and financial losses for the affected organizations.

LockBit, operating under a Ransomware-as-a-Service (RaaS) model, has become one of the most alarming and profitable ransomware groups globally, amassing an estimated $91 million in ransom payments, primarily from U.S. victims, since its emergence in late 2019. 

This destructive gang uses various entry methods, including browser-based attacks like SocGholish, exploiting vulnerable Internet-exposed servers, and pilfering valid credentials.

Figure: Example of trampolines implemented by LockBit

LockBit’s distinguishing feature is its adept utilization of Living-off-the-Land tactics, avoiding conventional malware and employing legitimate RMM tools already present in target environments.

This approach enables them to blend in, evade detection, and complicate attribution, especially when RMM tools are accessible via the cloud.

eSentire’s Threat Response Unit (TRU) detailed three distinct incidents in which LockBit aimed to deploy ransomware:

  • Attacks Against an MSP: LockBit affiliates targeted a Managed Service Provider (MSP), gaining access to the MSP’s downstream customers and attempting to distribute ransomware. The attackers utilized RMM tools, such as AnyDesk, Atera, and ConnectWise RMM, to facilitate their malicious activities.
  • Home Décor Manufacturer: In this incident, LockBit affiliates disrupted a manufacturing company by disabling Windows services, employing tools like PsExec, and attempting to establish persistence via AnyDesk.
  • Storage Materials Manufacturer: LockBit deployed ConnectWise RMM to spread ransomware across a storage materials manufacturer’s network. Despite the target already having this RMM tool, the attackers introduced their own copy to minimize suspicion.
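The common thread in the three incidents is RMM activity that does not match what the organization actually deployed: a second copy of an agent already in use, an agent nobody approved, or an agent spawning PsExec or service-control utilities. The following is an added example, not code from the article or from eSentire, of a triage routine over process-creation events that flags those three patterns; the tool names are the ones the article mentions, while the install directories, host names and events are constructed.

```python
# Added example (not from the article or eSentire): flag RMM activity that does
# not match an approved deployment. Install paths, hosts and events are constructed.
from dataclasses import dataclass
import ntpath

# RMM agent binaries to watch for (assumed file names of the tools named above).
RMM_BINARIES = {"anydesk.exe", "ateraagent.exe", "screenconnect.clientservice.exe"}
# Agents the organization actually deployed and the directory each must run from.
APPROVED_RMM = {
    "anydesk.exe": r"C:\Program Files (x86)\AnyDesk",
    "screenconnect.clientservice.exe": r"C:\Program Files (x86)\ScreenConnect Client",
}
# Admin tools an RMM agent has no routine reason to spawn (PsExec, service control).
WATCHED_CHILDREN = {"psexec.exe", "psexesvc.exe", "sc.exe", "net.exe"}

@dataclass
class ProcEvent:
    host: str
    user: str
    image: str    # full path of the process that started
    parent: str   # full path of its parent process

def triage(events):
    """Return (host, finding, detail) tuples for RMM activity worth a look."""
    out = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = ntpath.basename(e.parent).lower()
        if name in APPROVED_RMM:
            # Approved tool running outside its install directory: the "own copy" pattern.
            if ntpath.dirname(e.image).lower() != APPROVED_RMM[name].lower():
                out.append((e.host, "rmm_second_copy", e.image))
        elif name in RMM_BINARIES:
            out.append((e.host, "rmm_unapproved", name))
        if parent in RMM_BINARIES and name in WATCHED_CHILDREN:
            out.append((e.host, "rmm_spawned_admin_tool", f"{parent} -> {name}"))
    return out

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("ws01", "svc_rmm", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent("ws02", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", r"C:\Windows\explorer.exe"),
    ProcEvent("srv01", "admin", r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent("srv02", "SYSTEM", r"C:\Windows\Temp\psexec.exe", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
    ProcEvent("ws03", "asmith", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, finding, detail in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding} ({detail})")
```

The approved-path check is only as good as the inventory behind APPROVED_RMM, so keep that list in sync with the RMM console rather than hand-maintaining it.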

Figure: Decoded ransomware binary

Preventing RMM Tool Hijacking

To safeguard against cybercriminals hijacking RMM tools and launching ransomware attacks on employees and customers, organizations are advised to:

  • Implement two-factor authentication and strong, unique passwords for RMM access.
  • Enforce Access Control Lists (ACLs) for trusted IPs and promote VPN usage for roaming clients.
  • Consider client SSL certificates for RMM system access.
  • Exercise caution in revealing software stacks in job postings to deter personalized phishing attempts.
  • Conduct phishing awareness training for employees with RMM access.
  • Employ a 24/7 Managed Detection and Response solution to protect IT environments.
  • Ensure timely patching and updates for software applications and third-party tools.
  • Educate clients on cybersecurity and collaboratively establish security policies.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.