LockBit ransomware has claimed a new victim, the PayBito crypto exchange. The group says it has stolen data from the cryptocurrency exchange and is extorting it through the group's Tor leak site. PayBito is a cryptocurrency and bitcoin exchange supporting major assets such as Bitcoin, Ethereum, Litecoin, Bitcoin Cash, Ethereum Classic, and HCX. It is operated by HashCash, a global blockchain and IT services company.
LockBit was first observed in September 2019. Early versions appended the .abcd extension to encrypted files, so it was initially known as ABCD ransomware; the extension was changed in subsequent versions. LockBit encrypts the data on the hosts it reaches and withholds it until a ransom is paid. Once inside a network it automatically scans for lucrative targets, propagates to other hosts, and encrypts every machine it can reach.
LockBit's operators have made a name for themselves by threatening businesses with operational disruption, extorting payment for their own financial gain, and stealing data to use as leverage: if the victim does not cooperate, the data is leaked. Although LockBit is not as well-known as some other ransomware families, those who use it have profited from ransom payments made in Bitcoin. LockBit mostly targets businesses and government agencies rather than individuals.
LockBit has emerged as a severe and critical threat in 2022, so much so that the FBI has issued a flash alert warning about the group. The alert details the group's TTPs (tactics, techniques, and procedures). The group has been very active globally and is growing its victim list rapidly; the most recent victim is the Ministry of Justice of France.
Command Line Activity:
The list below summarizes, by category, the command line activity observed during execution:
Created – UAC Bypass
Created – LockBit 2.0 Wallpaper Change
Created – Persistence
Created – Encryption
Created – LockBit 2.0 Icon Location
Created / Modified – LockBit 2.0 Desktop
Group Policy Update – Windows Defender Disable
PowerShell Command – Force GPO Policy
LockBit 2.0 Extension
LockBit 2.0 Ransom Note
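As an added example (not part of the original article, and not LockBit's or the FBI's own material), the following Python sketch turns the categories above into a host-level detection over command-line telemetry: each category gets an indicator pattern, and a host is flagged when several categories appear in its timeline. The indicator patterns are assumptions drawn from public reporting on LockBit 2.0 and general Windows ransomware tradecraft; the host names, users, paths, the .abcd sample extension, the ransom note file name and all sample events are constructed for the demonstration.

```python
"""Added example: map command-line telemetry onto the LockBit 2.0 activity
categories listed above and flag hosts that show several of them.

ASSUMPTIONS: the regex indicators below are derived from public reporting on
LockBit 2.0 and common Windows ransomware tradecraft, not from this article,
which lists only the category names.  Host names, users, paths, the ".abcd"
sample extension, the note file name and all events are constructed.
"""
import re
from collections import defaultdict

RANSOM_NOTE_NAME = "Restore-My-Files.txt"  # assumed note name (public reporting)

# category (as listed above) -> regex over the raw command line
RULES = {
    # registry hijack of the ms-settings handler used by fodhelper-style UAC bypasses
    "UAC Bypass": re.compile(r"Classes\\ms-settings\\shell\\open\\command", re.I),
    "Wallpaper Change": re.compile(r"Control Panel\\Desktop\b.*\bWallPaper\b", re.I),
    "Persistence": re.compile(r"reg(\.exe)?\s+add\b.*CurrentVersion\\(Run|RunOnce)\b", re.I),
    "Windows Defender Disable": re.compile(
        r"(DisableAntiSpyware|DisableRealtimeMonitoring|Set-MpPreference\s+-Disable)", re.I),
    "Force GPO Policy": re.compile(r"(Invoke-GPUpdate\b.*-force|gpupdate(\.exe)?\s+/force)", re.I),
    "Icon Location": re.compile(r"HK(CR|LM\\SOFTWARE\\Classes)\\\.\w+\\DefaultIcon", re.I),
    "Ransom Note": re.compile(re.escape(RANSOM_NOTE_NAME), re.I),
}

# Constructed telemetry: "timestamp|host|user|command line".  WS01 is benign
# admin noise, DC01 shows the GPO push, WS02 shows local staging on a workstation.
SAMPLE_EVENTS = [
    r"2022-02-01T09:00:01|WS01|alice|cmd.exe /c gpupdate",
    r"2022-02-01T09:01:10|WS01|alice|reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"2022-02-01T09:03:00|WS01|alice|powershell.exe Get-MpPreference",
    r'2022-02-01T10:02:00|DC01|svc_admin|reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r"2022-02-01T10:02:30|DC01|svc_admin|powershell.exe -Command Get-ADComputer -Filter * | ForEach-Object { Invoke-GPUpdate -Computer $_.Name -Force -RandomDelayInMinutes 0 }",
    r"2022-02-01T10:05:00|WS02|bob|reg add HKCU\Software\Classes\ms-settings\shell\open\command /ve /d C:\Users\Public\stage.exe /f",
    r"2022-02-01T10:05:05|WS02|bob|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\stage.exe /f",
    r'2022-02-01T10:20:00|WS02|bob|reg add "HKCU\Control Panel\Desktop" /v WallPaper /t REG_SZ /d C:\ProgramData\note.bmp /f',
    r"2022-02-01T10:20:10|WS02|bob|reg add HKCR\.abcd\DefaultIcon /ve /t REG_SZ /d C:\ProgramData\abcd.ico /f",
    r"2022-02-01T10:20:15|WS02|bob|cmd.exe /c copy C:\ProgramData\Restore-My-Files.txt C:\Users\bob\Documents",
]


def parse_event(line):
    # maxsplit=3 keeps any '|' that appears inside the command line itself
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def classify(cmd):
    """Return every category whose indicator matches this command line."""
    return [cat for cat, rx in RULES.items() if rx.search(cmd)]


def scan(lines):
    """Group matches by host: host -> [(ts, category, cmd), ...]."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for cat in classify(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], cat, ev["cmd"]))
    return dict(hits)


def flag_hosts(hits, threshold=2):
    """Flag hosts showing at least `threshold` distinct categories.

    Any single category can be routine admin noise on its own (a Run key,
    a gpupdate /force); two or more in one host's timeline is the staging
    sequence the list above describes.
    """
    return sorted(h for h, rows in hits.items()
                  if len({cat for _, cat, _ in rows}) >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host in flag_hosts(found):
        print(f"[!] {host}:")
        for ts, cat, cmd in found[host]:
            print(f"    {ts}  {cat:<26} {cmd[:70]}")
```

Running the block flags DC01 (Defender disabled by policy followed by a forced GPO refresh across the domain) and WS02 (UAC bypass staging, Run-key persistence, wallpaper and icon registration, ransom note), while WS01's plain gpupdate and registry query produce no hits. Tune the threshold and patterns to your environment; the GPO-push pair on a domain controller deserves an alert even at a threshold of two.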