Ransomware isn’t just an evolving threat—it’s a constant one. LockBit and other ransomware groups don’t take days off, and neither can our defenses. We saw a recent reminder of this as experts warned organizations that they may have a small window to prepare before the next wave of ransomware attacks begins to surge.

With steady infiltration tactics, rapid encryption, and relentless extortion, ransomware actors like LockBit continue to refine their attacks, making traditional security measures increasingly insufficient. Organizations must adopt a proactive, layered defense strategy to detect, prevent, and mitigate these threats before they cause lasting damage.

This blog will explore how these attacks unfold, their impact, and—most importantly—the key strategies to strengthen your defenses before it’s too late.

Ransomware on the Move

Ransomware operates through a series of sophisticated tactics designed to infiltrate, encrypt, and hold valuable data hostage. Understanding its attack mechanism is crucial for organizations to recognize early signs of infection and strengthen their defenses. From its initial entry into the system to the encryption of files and demand for ransom. Ransomware uses stealthy techniques to evade detection, spread rapidly across networks, and maximize impact.

This section will break down each phase of the attack, providing insight into how Ransomware exploits vulnerabilities and the steps organizations can take to mitigate this threat.

Step 1: Initial Infection

Initial attacks for ransomware typically spread through phishing campaigns. Attackers use convincing emails to trick victims into downloading malicious attachments. This is typically achieved by:

• Creating crafted emails targeting, fear, urgency, or hero tactics (making the reader feel they are the only ones who can accomplish a priority task).
• Other Tactics:
  • Exploiting VPN vulnerabilities or using stolen credentials to infiltrate network environments.
  • Credential stuffing: Attempting multiple usernames and passwords (often from previous data breaches) to gain access to systems.

Step 2: Interference Evading Techniques

Ransomware threat actors normally take interference measures prior to launching their malicious ransomware application. 

• Shadow copy deletion: Removes backup copies to prevent easy file recovery. Such as using PowerShell command:

vssadmin delete shadows /all /quiet

• Disabling security tools: Shutting down defense applications such as Windows Defender and stopping certain processes and services to avoid detection.
  • Such as PowerShell command:

Set-MpPreference -DisableRealtimeMonitoring $true

• Tampering with EDR/XDR tools
• Flood the network with noise traffic.
• Using tools like Process Hacker or GMER, to directly make registry edits to turn off security protections.
• Modify or delete security logs. For example, using PowerShell command:

wevtutil cl Security

These techniques allow ransomware threats to efficiently breach networks, elevate privileges, and encrypt data while remaining under the radar of security systems.

Step 3: Exfiltration Process

We’ve seen the hacker playbook change to where threat actors are now exfiltrating data prior to encryption.

• Hacker groups utilize third-party tools (like 7-Zip and WinRAR) to exfiltrate data, leveraging double extortion tactics by threatening to leak stolen data if the ransom is not paid.

Step 4: Encryption Process

Once downloaded, the malware normally is crafted to immediately begin its campaign to encrypt files and systems.

• Encrypting files: ransomware encrypts a wide variety of files, including Virtual Machine Disks (VMDKs), network shares, and connected cloud systems.

Step 5: Ransom and Extortion Demand

Victims are presented with a ransom note demanding cryptocurrency payments through a designated TOR site. Where they are also held for extortion if the demands are not met.

The Impact of Ransomware

A ransomware attack can result in prolonged downtime, with business operations halted until systems are restored. Permanent data loss can occur, especially if the organization lacks secure backups. The cost of recovery includes not only the ransom demand but also system recovery expenses, potential legal penalties, and reputational damage.

Detecting Ransomware is critical to minimizing its impact. Key signs of infection include a noticeable spike in CPU usage and files being renamed with extensions. With LockBit in recent news articles ransomware extensions tied to that malware can be seen below:

• .lockbit (Early versions)
• .abcd (Observed in early variants)
• .lockbit2 (LockBit 2.0)
• .lockbit3 (LockBit 3.0, also known as “LockBit Black”)
• .lockbit_black (Variant of LockBit 3.0)
• .HLJkNskOq (or random 9-character extensions) (Seen in later versions where extensions are randomized)

As anticipated, the LockBit 4 threat materialized on Monday February 3, 2025, and utilize the .lockbit4 file extension. This aligns with previous LockBit iterations, which have consistently followed a version-based naming convention for their encrypted files.

In these instances, organizations should continue to leverage behavioral analysis tools that monitor for suspicious activity patterns. Additionally, YARA rules can be employed to identify code unique to Ransomware, providing another layer of defense in spotting and stopping this threat before it spreads.

Mitigation and Defense Strategies

Below are a few examples of actions your organization can take on the road to staying ahead of the attack landscape:

Step 1: Prevention

• Patch Management: Regularly update all systems to close security vulnerabilities.
• Email Security: Use robust email filtering and train employees to identify phishing attacks.
• Network Segmentation: Isolate critical systems to prevent ransomware from spreading.
• SMB Security: Implement SMB signing validation and disable SMB V1 throughout the environment to minimize exploitation.
• Use SMB V3 with encryption to secure network file shares.
• Restrict SMB access to only necessary users and systems.
• Access Control: Apply “need-to-know” rights within the environment to restrict access—e.g., users with access to secret data cannot access top-secret information. Also, restrict admin rights on user accounts.
• IAM Audit: Conduct Identity and Access Management (IAM) audits regularly to ensure appropriate access control policies.
• Network Access Controls: Implement VLANs and Next-Gen Firewalls with Unified Threat Management (UTM), capable of deep packet inspection to identify threats entering the network.
• Macro Security: Disable macros in Microsoft Office products to reduce risk from malicious attachments in phishing emails.

Step 2: Backup and Recovery

• Backup Strategy: Follow the 3-2-1 backup rule (3 copies of data, 2 different media, 1 stored offsite) to ensure data availability.
• Immutable Backups: Store backups in environments that cannot be altered.

Step 3: Detection and Response

• Intrusion Detection Systems (IDS): Use IDS tools to monitor and detect ransomware activities in real-time.
• Incident Response Plan: Have a predefined plan for isolating infected systems and restoring services.

Recovering from Ransomware

By implementing proactive cybersecurity measures, organizations can significantly reduce the impact of ransomware attacks. Regular data backups, employee training, and robust security protocols are essential in preventing and mitigating ransomware threats.

Advanced cybersecurity solutions, lay a crucial role in detecting, containing, and eliminating ransomware before it can cause widespread damage. A strong, multi-layered defense strategy is key to maintaining operational resilience and safeguarding critical data against evolving cyber threats.

Protect your organization with Adlumin’s Ransomware and Exfiltration Prevention capabilities to stay ahead of the curve. To learn more visit: https://adlumin.com/platform/total-ransomware-defense/

Written by

Will Ledesma, Director MDR, Adlumin
Jose Alvarez, Senior MDR Cybersecurity Analyst Manager, Adlumin
Javier Faustino, Senior MDR Cybersecurity Tech Lead, Adlumin