LockBit was first observed in September 2019. Because early versions of the ransomware appended the .abcd extension to encrypted files, it was originally known as ABCD ransomware. The file extension was changed to in subsequent versions. LockBit ransomware blocks users' access to their systems until a ransom is paid. It automatically scans a network for lucrative targets, spreads the infection, and encrypts every reachable machine.
LockBit's operators have made a name for themselves by threatening businesses with operational disruption, extortion for the attackers' financial gain, and data theft followed by unlawful disclosure as blackmail if the victim does not cooperate. Although LockBit is not as well known as some other ransomware families, its operators have profited from ransom payments made in Bitcoin. LockBit mostly targets businesses and government agencies rather than individuals.
LockBit has announced that it attacked the Ministry of Justice of France and stole its data. The group has given the French government a 14-day deadline to pay the ransom. The countdown on the Tor leak site has been set to 10 Feb 2022, 11:20:00.
“I think we are in phase 3 leaks for failed negotiations. States will not pay by following the guidelines provided by Europol (nomoreransom.org),” states the expert. “The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return,” recommends Europol.
The cyberattack on the Ministry of Justice has been confirmed to me by a source inside the ministry. No further information yet on its scale and consequences. https://t.co/gzsvCQuqYk
— Emile Marzolf (@emile_marzolf)
The victims include companies from France, Italy, the U.K., and Germany. LockBit has recently added support for Linux systems to its ransomware suite, including a new version that targets VMware’s ESXi virtual machines. This new version uses a combination of elliptic-curve cryptography (ECC) and the Advanced Encryption Standard (AES) to encrypt data. It is able to gather the following information from the infected systems:
“The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide,” reads the analysis published by security researchers.