Lockbit hits fast and hard, based on a detailed analysis of the code conducted by researchers at Sophos.
Not all ransomware strains are equal. Some ransomware is slow burns that will infect a target system, expanding its reach for days or even weeks before striking and locking your business’ critical files. Other ransomware hits fast and hard. Lockbit hits fast and hard.
The research at Sophos states that from the time Lockbit breaches its target, Lockbit hits and will start encrypting files in as little as five minutes, which is so fast that it doesn’t allow your IT staff to respond to the attack. By the time your IT Staff becomes aware of the breach and begins deploying resources to minimize the damage, it’s usually over.
The research team discovered that once Lockbit hits and makes its way onto a target system, it will do a quick, keyword-based scan of network drives to locate the information most valuable to the team that inserted it.
Ransomware as a Service
This particular malware strain offers “Ransomware as a Service,” so the keywords Lockbit uses for this search will be different, depending on who pays for the service, whom they’re hitting, and what they’re most interested in acquiring. The hackers will copy the information they want before they start encrypting files.
In any case, the Lockbit hit doesn’t take long, and once done, the malware executes in memory via a Windows Management Instruction (WMI) command. The research team observes the attack begins in earnest in every case they studied, will lock files, within five minutes of issuing the WMI command. That’s as fast and brutal as it gets.
There’s still a lot the team doesn’t know about Lockbit hits, but they’re continuing to study both the code and the aftermath of the attacks made on corporate networks worldwide. They will continue updating the rest of us with their findings. None of the news is good, but it’s always better to know than not.