LockBit Black (LockBit version 3.0), a new variant of the notorious ransomware family, began attacking organizations in Vietnam in early 2024. According to experts, the malicious code has been substantially improved: its encryption routines and propagation methods are more sophisticated, and it is capable of bypassing conventional security solutions.
Over the past two months, Bkav experts have continuously received requests for help from businesses in Vietnam with the same symptoms: computers across the internal network are encrypted at the same time, and the data cannot be recovered.
Investigation and analysis of these cases show that the culprit is LockBit 3.0, also known as LockBit Black, ransomware operated by a notorious hacker group whose infrastructure was recently disrupted by an international law-enforcement coalition (including the UK's National Crime Agency - NCA, the US Federal Bureau of Investigation - FBI and the European Union's law-enforcement agency, Europol).
LockBit Black is more sophisticated than earlier variants. It is specifically designed to target the Windows domain controllers (the servers that manage the domain) in the internal network. Once it has a foothold on them, it uses these servers to spread to the rest of the system: disabling security solutions (antivirus, firewall), then copying and executing the malicious code on every machine. In this way the malware can encrypt all machines in the internal network at the same time, rather than attacking them one by one as earlier variants did.
Beyond changing its method and its targets, LockBit Black also has a more dangerous encryption scenario. Instead of encrypting data immediately on launch, the malware first escalates privileges, then bypasses User Account Control (UAC), and finally reboots the victim's computer into Safe Mode (a diagnostic mode in which only core system components and a limited set of applications are loaded) and performs the encryption there. Because third-party security software is typically not loaded in Safe Mode, the malware can bypass conventional security solutions.
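As an added example that is not part of the original article or of Bkav's analysis, the following Python script shows how a defender could hunt for the staging sequence described above (defences disabled, Safe Mode boot configured, forced reboot) in process-creation telemetry. The log lines, field layout, host names and the specific command-line patterns (netsh, sc stop, bcdedit safeboot, shutdown /r) are constructed assumptions about how such behaviour typically appears in Sysmon-style event data, not indicators taken from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Sysmon Event ID 1 (process creation) records, flattened
# to one "field=value" line each. Invented for illustration, not real logs.
SAMPLE_LOG = r"""
UtcTime=2024-03-12 01:02:03 Host=DC01 User=CORP\svc_backup ParentImage=C:\Windows\explorer.exe CommandLine="C:\Windows\System32\notepad.exe" C:\temp\notes.txt
UtcTime=2024-03-12 01:05:10 Host=DC01 User=NT AUTHORITY\SYSTEM ParentImage=C:\Windows\System32\cmd.exe CommandLine=netsh advfirewall set allprofiles state off
UtcTime=2024-03-12 01:05:11 Host=DC01 User=NT AUTHORITY\SYSTEM ParentImage=C:\Windows\System32\cmd.exe CommandLine=sc stop WinDefend
UtcTime=2024-03-12 01:05:12 Host=DC01 User=NT AUTHORITY\SYSTEM ParentImage=C:\Windows\System32\cmd.exe CommandLine=bcdedit /set {default} safeboot network
UtcTime=2024-03-12 01:05:13 Host=DC01 User=NT AUTHORITY\SYSTEM ParentImage=C:\Windows\System32\cmd.exe CommandLine=shutdown /r /f /t 0
UtcTime=2024-03-12 02:00:00 Host=WS17 User=CORP\alice ParentImage=C:\Windows\explorer.exe CommandLine=bcdedit /enum
UtcTime=2024-03-12 02:00:30 Host=WS17 User=CORP\alice ParentImage=C:\Windows\explorer.exe CommandLine=shutdown /r /t 60 /c "patch reboot"
"""

# Field order is fixed in the constructed log; CommandLine is last because it
# may contain spaces. User may also contain a space (NT AUTHORITY\SYSTEM).
LINE_RE = re.compile(
    r"UtcTime=(?P<time>\S+ \S+) Host=(?P<host>\S+) User=(?P<user>.+?) "
    r"ParentImage=(?P<parent>\S+) CommandLine=(?P<cmd>.*)"
)

# Detection rules over the command line. The command shapes are assumptions
# about how each step of the described behaviour typically surfaces in
# telemetry; they are not indicators quoted from the article.
RULES = [
    ("firewall_disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\S+\s+state\s+off", re.I)),
    ("security_service_stopped",
     re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+(?:WinDefend|MpsSvc|Sense)\b", re.I)),
    ("safeboot_configured",  # next boot goes into Safe Mode (minimal/network)
     re.compile(r"bcdedit(?:\.exe)?\s+/set\b.*\bsafeboot\s+(?:minimal|network)\b", re.I)),
    ("forced_reboot",
     re.compile(r"shutdown(?:\.exe)?\b.*\s[/-]r\b", re.I)),
]


def parse_line(line):
    """Parse one flattened record; return None for blank or malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def match_rules(cmd):
    """Names of all rules whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def analyse(log_text, window=timedelta(minutes=30)):
    """Return {host: {"hits": [(time, rule, cmd), ...], "verdict": str}}.

    A host is escalated when a Safe Mode boot entry is configured and a forced
    reboot follows within `window`; it is critical if defences were also
    disabled on that host, which is the staging pattern described above.
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name in match_rules(rec["cmd"]):
            per_host[rec["host"]].append((rec["time"], name, rec["cmd"]))

    report = {}
    for host, hits in per_host.items():
        hits.sort()
        names = {n for _, n, _ in hits}
        safeboot_times = [t for t, n, _ in hits if n == "safeboot_configured"]
        reboot_times = [t for t, n, _ in hits if n == "forced_reboot"]
        chained = any(timedelta(0) <= r - s <= window
                      for s in safeboot_times for r in reboot_times)
        if chained and names & {"firewall_disabled", "security_service_stopped"}:
            verdict = "critical: defences disabled then Safe Mode reboot (ransomware staging)"
        elif chained:
            verdict = "high: Safe Mode reboot staged"
        else:
            verdict = "low: isolated match, review in context"
        report[host] = {"hits": hits, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, info in analyse(SAMPLE_LOG).items():
        print(host, "->", info["verdict"])
        for t, name, cmd in info["hits"]:
            print("   ", t, name, "|", cmd)
```

In the constructed data, DC01 shows the full chain (firewall off, Defender service stopped, safeboot entry set, forced reboot within seconds) and is rated critical, while WS17's routine patch reboot with no safeboot change stays low. In a real deployment the same rules belong in the SIEM, and a `bcdedit /set ... safeboot` event on a domain controller deserves an immediate response on its own.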
To avoid being attacked by LockBit and other ransomware, Bkav experts recommend that users and system administrators:
- Back up important data regularly
- Do not expose internal service ports to the Internet unless necessary
- Assess the security of a service before exposing it to the Internet