Ransomware Roundup: Protecting Against New Variants

Posted by HSSL Technologies on Jul 22nd 2022

Over the past few weeks, FortiGuard Labs has observed several new ransomware variants of interest that have been gaining traction within the OSINT community along with activity from our datasets. This isn’t new. This same thing has been going on, week in and week out, for years, with very little changing.

Unfortunately, ransomware is here to stay. Ransomware infections continue to cause significant impact to organizations, including—but not limited to—disruptions to operations, theft of confidential information, monetary loss due to ransom payout, and more. It’s why we feel it's imperative that we increase our efforts to raise awareness about existing and emerging ransomware variants.

This new Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape, along with the Fortinet solutions that protect against these variants.

This latest edition of the Ransomware Roundup covers the LockBit, BlueSky, Deno, RedAlert, Dark Web Hacker, Hive, and Again ransomware.

LockBit Ransomware

LockBit is a ransomware strain that targets both Windows and Linux. It has been in the wild since December 2019. This ransomware employs a Ransomware-as-a-Service (RaaS) model. Ransomware operators develop LockBit ransomware and all the necessary tools and infrastructure to support it, such as leak sites and ransom payment portals. They offer these solutions, along with user support, to their affiliates (criminals who pay a fee to use their technology). Support is provided via TOX (a RaaS framework). They also offer additional services, such as ransom negotiation, for affiliates.

LockBit affiliates carry out the actual attacks that infect and deploy ransomware to targets and, in return, receive 20% of the ransom paid by victims. While rules prohibit affiliates from encrypting files in critical infrastructure environments, such as nuclear power plants or the gas and oil industries, affiliates are allowed to steal data from these organizations without encrypting critical files and/or infrastructure. In addition, former Soviet countries (Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, Ukraine, and Estonia) are off-limits.
Figure 1. Affiliate rules for LockBit 3.0 on its Tor site

Prior to file encryption, data on victim machines is exfiltrated using “StealBit,” an information stealer tool developed by the LockBit gang. Files encrypted by the ransomware typically have a “.lockbit” file extension. The ransomware also leaves a ransom note in Restore-My-Files.txt.
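The two on-disk artifacts named above (the ".lockbit" extension and the Restore-My-Files.txt note) are the kind of indicators a responder sweeps a file share for. The following triage script is an added example, not code from the Fortinet write-up or from HSSL: it walks a directory tree, collects both artifacts, and rates a directory "high" only when a note sits next to renamed files, since an extension match on its own is weak (any file can be renamed) and the text says the extension is only "typical". The sample directory it builds is constructed for the demo, and the note body in it is a placeholder, not real ransom-note text.

```python
import os
import shutil
import tempfile

# Artifact names taken from the write-up above; the text says "typically",
# so treat these as the common case, not as a guarantee for every build.
LOCKBIT_EXTENSION = ".lockbit"
LOCKBIT_NOTE_NAME = "restore-my-files.txt"   # compared case-insensitively


def scan_for_lockbit_artifacts(root):
    """Walk `root` and collect files that match the two LockBit artifacts.

    Returns a dict with:
      encrypted_files: paths ending in the .lockbit extension
      ransom_notes:    paths whose file name is Restore-My-Files.txt
      note_dirs:       directories holding both a note and >= 1 renamed file
    """
    encrypted, notes = [], []
    per_dir = {}  # dirpath -> [encrypted_count, note_count]
    for dirpath, _dirs, files in os.walk(root):
        counts = per_dir.setdefault(dirpath, [0, 0])
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower.endswith(LOCKBIT_EXTENSION):
                encrypted.append(path)
                counts[0] += 1
            elif lower == LOCKBIT_NOTE_NAME:
                notes.append(path)
                counts[1] += 1
    note_dirs = sorted(d for d, (enc, note) in per_dir.items() if enc and note)
    return {"encrypted_files": sorted(encrypted),
            "ransom_notes": sorted(notes),
            "note_dirs": note_dirs}


def classify(findings):
    """Turn raw findings into a triage verdict.

    A ransom note next to renamed files is a much stronger signal than the
    extension alone, so only that combination is rated 'high'; either
    artifact by itself is 'medium' and worth a manual look.
    """
    if findings["note_dirs"]:
        return "high"
    if findings["ransom_notes"] or findings["encrypted_files"]:
        return "medium"
    return "none"


def build_sample_tree():
    """Constructed sample data (not from the original post): a temp directory
    holding benign files, two .lockbit files and one placeholder ransom note."""
    root = tempfile.mkdtemp(prefix="lockbit_demo_")
    docs = os.path.join(root, "Documents")
    clean = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(clean)
    for name, body in [
        ("budget.xlsx.lockbit", b"\x00garbled"),
        ("report.docx.lockbit", b"\x00garbled"),
        ("Restore-My-Files.txt", b"placeholder note text (constructed)"),
        ("notes.txt", b"plain text, untouched"),
    ]:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(body)
    with open(os.path.join(clean, "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG magic bytes, benign file
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        result = scan_for_lockbit_artifacts(sample)
        print(f"verdict: {classify(result)}")
        for path in result["encrypted_files"] + result["ransom_notes"]:
            print("  ", os.path.relpath(path, sample))
    finally:
        shutil.rmtree(sample)
```

Run against a mounted share or a forensic image rather than a live, encrypting host; on the constructed sample the scan returns two renamed files and one note in the same directory, so the verdict is "high".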

Some variants of LockBit also replace the desktop wallpaper with a message informing victims that they have been hit by the ransomware and directing them to the ransom note for how to contact the LockBit threat actor. LockBit employs a double-extortion tactic: victims must pay the ransom in Bitcoin both to recover affected files and to keep stolen information from being leaked to the public.

LockBit 3.0 debuted in March 2022 as a successor to LockBit 2.0. The ransomware made the news again at the end of June because the ransomware gang introduced a “bug bounty” program with rewards of between $1,000 and $1,000,000 (USD) for detecting flaws and weaknesses in its portfolio.