TLDR:
- Cybercriminals in West Africa deploy a customized variant of LockBit ransomware with self-propagation capabilities
- Attackers use stolen administrator credentials to breach corporate infrastructure, highlighting ongoing risks
A recent incident in West Africa has once again drawn attention to the persistent threat posed by the LockBit ransomware. Cybercriminals, armed with stolen administrator credentials, deployed a customized variant of the encrypting malware equipped with self-propagation capabilities. The variant abuses that privileged access to spread through corporate infrastructure, showing that the LockBit 3.0 builder, leaked in 2022, remains a live risk despite its earlier exposure.
The flexibility of the leaked builder lets attackers produce customized versions of LockBit with greater effectiveness, as the recent case demonstrates. This sample exhibits features not previously seen in LockBit deployments: it spreads itself across the network, impersonates a system administrator account, and adapts its behavior to the host in order to turn off security measures, encrypt network shares, and erase event logs. Each infected host becomes a vector for further infection, amplifying the impact within the victim’s network.
Kaspersky’s research also uncovered the attackers’ use of the SessionGopher script to extract saved passwords from affected systems. The incident highlights a concerning trend in which attackers craft sophisticated ransomware capable of spreading autonomously within networks, presenting significant challenges for cybersecurity professionals. Similar incidents, albeit without these advanced capabilities, have been observed across various industries and regions, suggesting that the geographical scope of such attacks may be expanding.
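The behaviours described in the two paragraphs above (clearing event logs, disabling real-time protection, running SessionGopher, and one administrator account logging on to many hosts in quick succession) all leave traces in Windows event logs, which is where a defender would look for them. The following triage script is an added example written for this page; it is not code from Kaspersky or from the incident report. The event records are constructed for the example, and the field names (`host`, `event_id`, `logon_type`, `user`, `src_ip`, `script`) are an assumed normalised form of what a SIEM would hold. The event IDs themselves are the real Windows ones: 1102 (Security log cleared), 104 (System log cleared), 5001 (Defender real-time protection disabled), 4104 (PowerShell script block logging) and 4624 (successful logon, type 3 being a network logon).

```python
"""Triage Windows event records for the footprint of a self-propagating
ransomware deployment that uses stolen administrator credentials.

Added example, not part of the original article. Sample records are
constructed; event IDs are the standard Windows ones.
"""
from collections import defaultdict

# Constructed sample records in an assumed normalised SIEM format.
SAMPLE_EVENTS = [
    # One admin account performing network logons to three workstations from one source.
    {"host": "ws-01", "event_id": 4624, "logon_type": 3, "user": "CORP\\admin-it", "src_ip": "10.0.0.5"},
    {"host": "ws-02", "event_id": 4624, "logon_type": 3, "user": "CORP\\admin-it", "src_ip": "10.0.0.5"},
    {"host": "ws-03", "event_id": 4624, "logon_type": 3, "user": "CORP\\admin-it", "src_ip": "10.0.0.5"},
    # PowerShell script block logging captures the credential-harvesting script.
    {"host": "ws-02", "event_id": 4104,
     "script": "Import-Module .\\SessionGopher.ps1; Invoke-SessionGopher -Thorough"},
    # Real-time protection switched off, then the Security log wiped.
    {"host": "ws-02", "event_id": 5001},
    {"host": "ws-02", "event_id": 1102},
    # Benign noise: a backup service account logging on to a single file server.
    {"host": "fs-01", "event_id": 4624, "logon_type": 3, "user": "CORP\\backup-svc", "src_ip": "10.0.0.9"},
    # Benign noise: an interactive (type 2) logon, not lateral movement.
    {"host": "ws-05", "event_id": 4624, "logon_type": 2, "user": "CORP\\jdoe", "src_ip": "-"},
]

# Single-event indicators: any one of these on a host is worth an alert on its own.
INDICATORS = {
    1102: "security log cleared",
    104: "system log cleared",
    5001: "defender real-time protection disabled",
}


def triage(events, lateral_threshold=3):
    """Return a list of (where, reason) alerts.

    'where' is the affected host for single-event indicators and the source
    address for the lateral-movement burst, so an analyst can pivot either way.
    """
    alerts = []
    # (user, src_ip) -> set of hosts that account reached via network logon
    network_logons = defaultdict(set)

    for e in events:
        eid = e["event_id"]
        if eid in INDICATORS:
            alerts.append((e["host"], INDICATORS[eid]))
        elif eid == 4104 and "sessiongopher" in e.get("script", "").lower():
            alerts.append((e["host"], "SessionGopher script block observed"))
        elif eid == 4624 and e.get("logon_type") == 3:
            network_logons[(e["user"], e["src_ip"])].add(e["host"])

    # One account fanning out to many hosts from one source is the shape of
    # credential-driven self-propagation rather than normal administration.
    for (user, src_ip), hosts in network_logons.items():
        if len(hosts) >= lateral_threshold:
            alerts.append((src_ip, f"{user} network logon to {len(hosts)} hosts (possible self-propagation)"))
    return alerts


def affected_hosts(alerts):
    """Hosts (or source addresses) that appear in at least one alert, sorted."""
    return sorted({where for where, _ in alerts})


if __name__ == "__main__":
    for where, reason in triage(SAMPLE_EVENTS):
        print(f"{where:10} {reason}")
```

The `lateral_threshold` is deliberately a parameter: the right value depends on how many hosts a given administrator account legitimately touches in the window you query, so tune it per environment rather than hard-coding it. Because the sample clears the Security log on each host it takes over, the 1102 event will often be the last useful record on that machine; forwarding logs to a central collector before they can be wiped is what makes this kind of detection possible after the fact.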
To mitigate ransomware attacks, Kaspersky recommends implementing frequent backups, deploying robust security solutions, and providing regular cybersecurity training to employees. The recent takedown of the LockBit ransomware group by international law enforcement underscores the collaborative efforts required to combat such threats.