Threat actors spent at least five months inside a US regional government agency’s network before detonating a LockBit ransomware payload, according to a report by Sophos on Tuesday.
The report did not name the agency, or which state or local government said agency is linked to. Instead, Sophos researchers Andrew Brandt and Angela Gunn provided an image of the attack and used event logs that the hackers had not deleted to piece together a timeline of events.
LockBit is a major ransomware-as-a-service gang that has been active since at least mid-2019. As is now common practice, LockBit uses a double extortion method in which it encrypts data and threatens to leak a victim’s data if the victim does not pay. The ransomware, offered primarily to Russian-speaking users, has been used in a number of notable attacks, including last year’s breach against consulting giant Accenture.
The researchers wrote that the attackers spent five months remotely researching and downloading hacking tools from the agency’s own machines before successfully deploying the LockBit ransomware.
Tools included ScreenConnect, now called ConnectWise Control, and later AnyDesk for remote access; the attackers also used Remote Desktop Protocol (RDP) scanning, exploits and brute-force password tools, as well as cryptocurrency miners and hacked VPN software. Additionally, the actors “used free tools like PsExec, FileZilla, Process Explorer, or GMER to run commands, move data from one machine to another, and kill or knock down processes that hindered their efforts.”
Brandt and Gunn argued, based on behavioral data, that two or more groups were “digging” during this five-month period. They point to data suggesting the attackers became more “focused” four months after the breach began, as well as to new IP addresses geolocated to a wide variety of countries, although Sophos admits those addresses may simply have been Tor exit nodes.
Sophos got involved days before the attackers deployed the ransomware. Over the final month of the intrusion, the actors used their access to dump account credentials, verify RDP capabilities, create new user accounts and run network enumeration tools, which Sophos described as “table definition activities”.
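As an added illustration (not code from the article or from Sophos's report) of how the precursor activity listed above can be turned into alerts from the event logs that survived, the script below triages constructed Windows Security event records. The event IDs are real Windows ones; the VPN address range, hostnames, accounts and tool list are assumptions.

```python
# Added example: flag the pre-ransomware activity the article describes
# (new local accounts, RDP logons from outside the VPN, launches of the
# named utilities) in Windows Security events. 4624 (logon; type 10 =
# RemoteInteractive/RDP), 4720 (user account created) and 4688 (process
# created) are real event IDs; all records below are constructed sample data.
from collections import defaultdict

VPN_PREFIX = "10.8."  # assumption: VPN client pool; RDP from elsewhere is suspect
# Executables of the free tools named in the report (assumed file names).
SUSPECT_TOOLS = {"psexec.exe", "filezilla.exe", "procexp.exe", "procexp64.exe", "gmer.exe"}

# Constructed records: (timestamp, host, event_id, event fields). 203.0.113.45
# is a documentation address standing in for an unexpected external source.
SAMPLE_EVENTS = [
    ("2021-11-02T03:14:00", "FS01", 4624, {"LogonType": "10", "IpAddress": "10.8.0.22", "TargetUserName": "jdoe"}),
    ("2021-11-02T03:20:00", "FS01", 4624, {"LogonType": "10", "IpAddress": "203.0.113.45", "TargetUserName": "svc_backup"}),
    ("2021-11-02T03:25:00", "FS01", 4720, {"TargetUserName": "support2", "SubjectUserName": "svc_backup"}),
    ("2021-11-02T03:31:00", "FS01", 4688, {"NewProcessName": "C:\\Temp\\PsExec.exe", "SubjectUserName": "support2"}),
    ("2021-11-02T09:00:00", "WS12", 4688, {"NewProcessName": "C:\\Windows\\System32\\notepad.exe", "SubjectUserName": "jdoe"}),
]


def triage(events, vpn_prefix=VPN_PREFIX):
    """Return a list of (timestamp, host, reason) findings for the three precursor behaviours."""
    findings = []
    for ts, host, eid, f in events:
        if eid == 4624 and f.get("LogonType") == "10" and not f.get("IpAddress", "").startswith(vpn_prefix):
            findings.append((ts, host, f"RDP logon for {f['TargetUserName']} from non-VPN address {f['IpAddress']}"))
        elif eid == 4720:
            findings.append((ts, host, f"new account {f['TargetUserName']} created by {f['SubjectUserName']}"))
        elif eid == 4688:
            exe = f.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if exe in SUSPECT_TOOLS:
                findings.append((ts, host, f"{exe} launched by {f['SubjectUserName']}"))
    return findings


def hosts_needing_attention(findings, threshold=3):
    """Hosts where several precursor steps chain together, i.e. the staging pattern the report describes."""
    counts = defaultdict(int)
    for _, host, _ in findings:
        counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for ts, host, reason in found:
        print(f"{ts} {host}: {reason}")
    print("escalate:", hosts_needing_attention(found))
```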
On the day the threat actors launched the ransomware attack, the Sophos team used defensive measures to stop some malware installation attempts. However, as Brandt and Gunn wrote, “compromised credentials allowed the attacker to bypass these protections.”
The ransomware attack was successful, but a number of machines were left unencrypted, and Sophos took action to shut down the servers that provided the attackers with remote access. In addition to the standard ransom note, the attackers included an advertisement apparently aimed at agency insiders looking to sell access. It is unclear whether the agency paid the LockBit ransom.
Sophos declined SearchSecurity’s request for additional comment.
Brandt and Gunn noted multiple weaknesses in the anonymous agency’s defensive posture. According to the report, the victimized organization lacked both an organization-wide implementation of multi-factor authentication and a firewall rule to prevent “remote access to RDP ports in the absence of a VPN connection.”
“Responding quickly to alerts, or even warnings about reduced performance, would have prevented a number of attack stages from bearing fruit,” the report said. “Disabling features such as tamper protection on endpoint security software seemed like the critical lever attackers needed to completely remove protection and complete their work unhindered.”
Alexander Culafi is a Boston-based writer, journalist, and podcaster.