The LockBit ransomware gang has claimed Indian business SRF Limited as a victim. SRF Limited is a multi-business group with interests in fluorochemicals, specialty chemicals, packaging films, technical textiles, and coated and laminated fabrics.
The LockBit gang posted the ransom note on 14 February. According to the note, the company has until March 1, 2023, to pay the ransom.
“We observed that one of our non-essential IT infrastructure environments was nonresponsive through our security monitoring systems and suspected some irregular activity,” a company spokesperson told The Cyber Express.
“As per our standard protocols, we fully restored back the affected systems from our backups the same day. There was no impact on any operations of the organization.”
The ransom note comes days after SRF Limited shares went up after the company posted a Q3 profit that exceeded expectations, fueled by robust demand in its chemical business.
LockBit ransomware gang: Mode of operation
The LockBit ransomware gang encrypts and exfiltrates files from targeted devices and demands payment for their return. LockBit 3.0 is a strain that was first found in 2019. It targets organizations that can pay large ransoms, self-propagates, and has new, harder-to-analyze features.
It may require a 32-character password to launch, and the typical attack process includes infecting, encrypting, deleting, and altering. If the ransom is not paid, data may be sold on the dark web. LockBit 3.0 also exploits Windows Defender to deploy Cobalt Strike.
“LockBit 3.0 is a challenge for security researchers because each instance of the malware requires a unique password to run without which analysis is extremely difficult or impossible,” said a VMware threat analysis report.
“Additionally, the malware is heavily protected against analysis and makes use of a substantial number of undocumented kernel level Windows functions.”
The LockBit group operates a Ransomware-as-a-Service model, working with affiliates who may lack the resources for an attack. According to a U.S. Department of Health & Human Services report, the affiliated hacker receives some of the ransom payment.
Ransomware, to pay or not
Researchers, practitioners, and legal professionals are unanimous when it comes to ransom payment: don’t!
“It is downright illegal in a lot of regions. You are essentially funding criminals when you pay ransom,” Andy Norton, European Cyber Risk Officer at Armis, told The Cyber Express earlier.
“Trusting the criminal for not making that public is a bit naïve. But I have seen people justify making ransom payments, because it’s the quickest way to restore life-saving or critical services,” he added.
Governments broadly agree that ransoms should not be paid, and that position has legal support.
In 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared that the majority of ransom payments are unlawful.
The European Union (EU) has adopted a comparable approach concerning “critical services,” which have recently been broadened. The Security of Network and Information Systems Directive (NIS Directive) allows EU member nations to impose penalties for ransom payments.