LockBit Ransomware 3.0: Impact & Tips to Prevent It

LockBit 3.0 Ransomware – A New Cyber Threat & Tips to Prevent It


LockBit 3.0 Brain Cipher ransomware has become a hot topic lately after the National Data Center (PDN) experienced a hacking attack that paralyzed immigration services at all international airports in Indonesia.

 

Basically, ransomware is malicious software designed to encrypt data or lock a system, then demand a ransom in the form of money or crypto assets so that access to the data or system can be returned to the owner.

 

Regarding the attack, which began on June 20, 2024, the Minister of Communication and Information (Kominfo), Budi Arie Setiadi, said that the hackers demanded a ransom of $8,000,000.

 

The attack on the PDN is not the first of its kind. In 2023, a similar virus attacked the server of Bank Syariah Indonesia (BSI).

 

 


 

What is LockBit 3.0 Brain Cipher Ransomware?

Ransomware continues to evolve and become an increasingly complex threat in the cyber world. One of the latest variants that stands out is LockBit 3.0 Brain Cipher.

 

As the latest development of the LockBit ransomware family, Brain Cipher has caused significant disruption to computer systems in various organizations, including in Indonesia.

 

When it first appeared in 2019, LockBit was known as “ABCD Ransomware” or the “.abcd virus”, after the file extension it applied to the victims’ data it encrypted.

 

This ransomware is designed to attack devices belonging to organizations, companies, and government agencies, with the primary goal of obtaining ransom from victims.

 

LockBit continues to evolve, with LockBit 2.0 launching in 2021. This version not only encrypts files, but also transfers them to other devices, making it a more serious threat.

 

In mid-2022, a new variant emerged, LockBit 3.0, which can encrypt and exfiltrate all files on a victim’s device. This allows attackers to hold data hostage until a ransom is paid.

 

LockBit 3.0 Brain Cipher, identified by the National Cyber and Crypto Agency (BSSN), works by stealing data from the victim’s device before encrypting it.

 

This ransomware has demonstrated its ability to steal and encrypt victims’ data, and demand a ransom to restore data access.

 

Broadcom, a digital services and cybersecurity provider, revealed that LockBit 3.0 Brain Cipher operates by taking data from a victim’s device before encrypting it.

 

The stolen data is then used as leverage to blackmail the victim. The attacker provides the victim with an encryption ID, which is used to communicate through a dark web (.onion) site, where the ransom negotiation takes place.

 

How LockBit 3.0 Ransomware Works

A LockBit 3.0 ransomware attack proceeds through the following stages:

 

Stage 1: Malware Distribution and Infection

 

Before attackers can demand a ransom, they must infiltrate the victim’s system and infect it with malware. The most common ransomware attack vectors are phishing, Remote Desktop Protocol (RDP) and credential abuse, and exploitable software vulnerabilities.

 

1. Phishing

 

Phishing is the most popular type of social engineering and continues to be the primary attack vector for all types of malware.

 

Attackers insert malicious links and attachments in legitimate-looking emails to trick users into unknowingly installing malware.

 

Smishing, vishing, spear phishing, and watering hole attacks are all forms of phishing and social engineering scams that attackers use to trick people into initiating malware installations.

 

2. RDP and credential abuse

 

This involves using brute-force or credential-stuffing attacks, or purchasing credentials from the dark web, with the aim of logging into the system as a legitimate user and then infecting the network with malware.

 

RDP, which is favored by attackers, is a protocol that allows administrators to access servers and desktops from almost anywhere as well as allowing users to access their desktops remotely. Insecure RDP implementations are often the entry point for ransomware.

 

3. Software vulnerability

 

Software vulnerabilities are also a frequent entry point for ransomware infections. Attackers infiltrate victims’ systems by attacking unpatched or outdated software.

 

One of the largest ransomware incidents in history, WannaCry, was linked to the exploitation of EternalBlue, a vulnerability in an unpatched version of Windows Server Message Block (SMB).
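The RDP and credential-abuse vector described above leaves a recognizable trail in logon records. The following Python code is an added example, not part of the original article: it scans constructed records modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon) and reports sources that produce a burst of failures, plus any later successful logon from the same source. The CSV layout, the threshold and the time window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records in an assumed CSV layout: time,event_id,logon_type,user,source_ip
# 4625 = failed logon, 4624 = successful logon (Windows Security log event IDs).
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which is how
# failed RDP attempts are commonly recorded when NLA is enabled.
SAMPLE_EVENTS = (
    [f"2024-01-15T01:00:{s:02d},4625,3,administrator,203.0.113.7" for s in range(0, 60, 10)]
    + ["2024-01-15T01:01:05,4624,10,administrator,203.0.113.7"]
    + [f"2024-01-15T02:0{m}:00,4625,3,user{m},198.51.100.23" for m in range(5)]
    + ["2024-01-15T03:00:00,4625,10,alice,10.0.0.5",
       "2024-01-15T03:00:20,4625,10,alice,10.0.0.5",
       "2024-01-15T03:00:40,4624,10,alice,10.0.0.5"]
)

def parse(line):
    ts, event_id, logon_type, user, src = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src

def detect_rdp_credential_abuse(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (source, alert, detail) tuples in time order.

    failure_burst: `threshold` failed logons from one source inside `window`;
    detail says whether one account or many accounts were tried.
    success_after_burst: a later successful logon from a source already flagged.
    """
    recent = defaultdict(deque)   # source -> (time, user) of failures inside the window
    flagged = set()               # sources that produced a burst (kept for the whole run)
    alerts = []
    for ts, event_id, logon_type, user, src in sorted(map(parse, lines)):
        if logon_type not in (3, 10):
            continue              # ignore console, service and batch logons
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        if event_id == 4625:
            q.append((ts, user))
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                accounts = {u for _, u in q}
                detail = "single-account" if len(accounts) == 1 else "many-accounts"
                alerts.append((src, "failure_burst", detail))
        elif event_id == 4624 and src in flagged:
            alerts.append((src, "success_after_burst", user))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_credential_abuse(SAMPLE_EVENTS):
        print(alert)
```

A success_after_burst alert is the one to escalate first, since it means guessed or stolen credentials were accepted.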

 

Stage 2: Command and Control

 

Command and control (C&C) servers set up and operated by ransomware attackers transmit encryption keys to target systems, install additional malware, and facilitate other stages in the ransomware lifecycle.

 

Stage 3: Discovery and Lateral Movement

 

This two-step stage involves the attacker first gathering information about the victim’s network to understand how to launch a successful attack, then spreading the infection to other devices and increasing their access rights in search of valuable data.

 

Stage 4: Data Theft and File Encryption

 

At this stage, the attacker exfiltrates data to the C&C server for use in later extortion. The attacker then encrypts data and systems using keys sent from the C&C server.

 

Stage 5: Extortion

 

The attacker demands a ransom payment. The organization now realizes that it is the victim of a ransomware attack.

 

Stage 6: Resolution

 

The victim organization must take action to address and recover from the attack. This could involve restoring backups, implementing a ransomware recovery plan, paying the ransom, negotiating with the attackers, or rebuilding the system from scratch.

 

The Impact of the LockBit 3.0 Attack that Must Be Avoided

Organizations should be aware of the following impacts of a LockBit 3.0 attack:

 

1. Operational Disruption

 

According to widyasecurity.com, a LockBit 3.0 attack can cause significant operational disruption for companies. For example, when this attack hit Bank Syariah Indonesia (BSI), the impact was very detrimental to customers.

 

In this case, customers were unable to conduct transactions, either through ATMs or mobile banking applications. This caused delays in transaction completion, disrupted customer activities, and reduced customer satisfaction and trust in the bank.

 

2. Financial Loss and Company Reputation

 

These attacks have the potential to cause financial losses as customers may switch to other service providers, which in turn can affect the company’s revenue.

 

Customers may also feel that the company is less competent in keeping their systems safe from cyberattacks. In addition, companies may face social penalties, such as negative publicity that affects their reputation.

 

3. Data Leakage

 

LockBit 3.0 attacks have the potential to leak important company data. This attack encrypts or locks data so that it cannot be accessed by the company.

 

The attacker then utilizes this situation as a threat, demanding the payment of a ransom so that the company can get the key or code needed to restore access to the locked data.

 

Types of Ransomware

Ransomware is defined and categorized based on its delivery method and impact. Delivery includes ransomware as a service (RaaS), automated delivery (not as a service), and human-operated delivery.

 

Impact can include data unavailability, data destruction, data deletion, and data theft and extortion. The main types of ransomware are as follows:

 

1. Locker Ransomware

 

Locker ransomware locks victims out of their data or system entirely.

 

2. Crypto Ransomware

 

Crypto ransomware encrypts all or part of the victim’s files.

 

3. Scareware

 

Scareware scares victims by making them believe that their device is infected with ransomware, when it is not.

 

Attackers then trick victims into purchasing software that is supposed to remove the ransomware, but instead steals data or downloads additional malware.

 

4. Extortionware/Leakware/Doxware

 

Extortionware, also known as leakware, doxware, and exfiltrationware, involves attackers stealing the victim’s data and threatening to publish it or sell it on the dark web.

 

5. Double Extortion Ransomware

 

Double extortion ransomware both encrypts the victim’s data and exfiltrates it to force the victim to pay a ransom, potentially twice.

 

6. Triple Extortion Ransomware

 

Triple extortion ransomware encrypts the victim’s data, exfiltrates data to coerce the victim, and adds a third threat.

 

Often, this third vector is a DDoS attack or extortion of the victim’s customers, partners, suppliers, and stakeholders to pay the ransom or push the initially infected organization to pay.

 

This can result in the attacker receiving three or more ransom payments for a single attack.

 

7. Ransomware as a Service (RaaS)

 

Ransomware as a Service (RaaS), a delivery model rather than a type of ransomware, is often included in lists of ransomware types.

 

RaaS is a subscription-based model in which ransomware developers sell pay-for-use malware to ransomware operators, who give a percentage of the attack profits to the developer.

 

Tips for Avoiding LockBit 3.0 Attacks

The following tips help to avoid LockBit 3.0 attacks:

 

1. Perform Data Backup

 

To protect themselves from the LockBit 3.0 ransomware threat, companies can perform regular data backups.

 

By carrying out regular backup procedures, companies can ensure that all important data is copied and stored in a safe place, separate from the main network. This makes it easier to recover data in the event of an attack.

 

2. Conduct Regular Pentests

 

To avoid attacks from LockBit 3.0, companies can run penetration tests (pentests) regularly. Conducting regular pentests allows companies to identify and fix system security gaps before they are exploited by attackers.

 

Such steps are not only useful in preventing LockBit 3.0 ransomware attacks, but also improve the company’s cyber safety.

 

3. Perform System Updates

 

To strengthen and improve system security, companies can perform regular system updates.

 

This includes installing the latest patches and updates released by software providers, which aim to close security gaps and fix vulnerabilities that can be exploited by attackers.

 

4. Do Not Open Illegal Links

 

Company users and employees are advised not to open suspicious links. The link may be a phishing attempt, where malware is inserted in the link.

 

Therefore, it is important to always check the authenticity and security of any link before clicking on it, as well as raise awareness of the risk of phishing among all service users.

 

Recovery Steps after a Ransomware Attack

Common recovery steps after a ransomware attack include the following:

 

1. Recovery from backup

 

Organizations restore the affected data from a trusted and secured backup copy of their systems. Regular data backups are key in this process to ensure that lost information can be recovered quickly and efficiently.

 

2. Negotiating with the attacker

 

In some cases, organizations may choose to negotiate with the attacker to obtain the decryption keys or other solutions needed to restore access to encrypted data.

 

This negotiation could involve paying a ransom, although organizations are often advised to weigh this carefully, as it could encourage more attacks in the future.

 

3. Rebuilding the system

 

If data cannot be recovered from backups, or negotiations with the attacker are unsuccessful, organizations may need to rebuild their systems from scratch.

 

This involves reinstalling operating systems, applications, and security configurations to ensure that the IT environment is back to operating normally and securely.

 

4. Improve cybersecurity measures

 

After an attack, companies should evaluate and improve their security measures, including updating software and strengthening access policies.

 

Furthermore, it is important to increase security awareness among employees, and implement additional security solutions, such as advanced threat detection and endpoint protection to prevent similar attacks in the future.
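Both the backup tip and the "recovery from backup" step above depend on the backup copy being trustworthy at restore time. The following Python code is an added example, not part of the original article: it records a SHA-256 manifest of a backup, protects the manifest with an HMAC, and before a restore reports files that are missing, added or modified. The file names, the demo key and the ".locked" extension are constructed for the demonstration.

```python
import hashlib, hmac, json, os, tempfile

def file_hashes(root):
    """Map every file under `root` (relative path) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            hashes[os.path.relpath(path, root)] = digest.hexdigest()
    return hashes

def build_manifest(root, key):
    """Run at backup time; keep the manifest and key away from the backup host."""
    body = json.dumps(file_hashes(root), sort_keys=True)
    return {"files": body, "hmac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def verify_backup(root, manifest, key):
    """Run before restoring. Empty lists in the result mean the copy is unchanged."""
    tag = hmac.new(key, manifest["files"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, manifest["hmac"]):
        raise ValueError("manifest failed HMAC check; do not trust it")
    recorded, current = json.loads(manifest["files"]), file_hashes(root)
    return {
        "missing": sorted(recorded.keys() - current.keys()),
        "added": sorted(current.keys() - recorded.keys()),
        "modified": sorted(p for p in recorded.keys() & current.keys()
                           if recorded[p] != current[p]),
    }

def demo():
    """Constructed scenario: a backup that is clean, then altered after the fact."""
    key = b"constructed-demo-key"          # assumption: real key is stored offline
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"db.dump": b"rows", "config.yml": b"port: 5432"}.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        # Stand-in for an intruder reaching the backup: one file overwritten,
        # one renamed (".locked" is a made-up extension for this demo).
        with open(os.path.join(root, "db.dump"), "wb") as fh:
            fh.write(os.urandom(16))
        os.rename(os.path.join(root, "config.yml"),
                  os.path.join(root, "config.yml.locked"))
        return clean, verify_backup(root, manifest, key)

if __name__ == "__main__":
    print(demo())
```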

 

Can Blockchain Technology Fight Ransomware?

Blockchain technology has the potential to help fight ransomware in the following ways:

 

  • Transaction security: Blockchain uses strong cryptographic technology to ensure transaction security. This can reduce the risk of unauthorized transactions or data manipulation that is often exploited by ransomware attackers.
  • Identity management: Blockchain can be used to verify digital identities securely and efficiently. With a decentralized and secure identity system in place, users can validate their transactions without the need to share sensitive personal information, as is often leveraged in phishing attacks.
  • Secure data recovery and backup: Blockchain can be used to securely store encrypted data backups. With a decentralized structure and the ability to create distributed copies of data, blockchain can help organizations to more securely recover their data after a ransomware attack.
  • Traceability and transparency: Blockchain technology offers high clarity and auditability in transactions and data usage. This can help in detecting and preventing ransomware attacks by providing better visibility into suspicious data changes or unauthorized transactions.

 


 

Blockchain Technology’s Challenges and Potential in Fighting Cyberattacks

Blockchain technology offers great potential in improving security and resilience against cyberattacks, including ransomware.

 

By using strong cryptography, blockchain is able to secure transactions and data, reducing the risk of data manipulation by attackers.

 

The decentralized nature of blockchain makes it difficult to manipulate or to take down with attacks such as DDoS, because data is spread across various network nodes.

 

In addition, blockchain also allows for the secure storage of encrypted data backups, with data stored at various points of the network to facilitate rapid data recovery after a ransomware attack.

 

Nonetheless, blockchain implementations are known to face several challenges. The scalability of blockchain technology is currently still an issue as the complex and power-intensive transaction process can limit the efficiency in handling high transaction volumes.

 

High implementation costs and difficulties in integration with existing technology infrastructure are also barriers.

 

In addition, complex and varied regulations in different jurisdictions can slow down the adoption and application of blockchain, especially in the financial sector and data regulation.

 

Conclusion

 

To conclude, ransomware vigilance is essential in maintaining the security of company data and systems. This threat can cause huge losses, both financially and operationally.

 

To protect themselves, companies need to take effective preventive measures, such as performing regular data backups and storing them in a safe place. In addition, it is also important to keep software and systems updated with the latest security patches and educate users about the risks of phishing.

 

The implementation of security solutions, such as strong firewalls, anti-malware software, and threat detection systems, is also necessary to reduce the risk of falling victim to ransomware.

 

Ultimately, through proper precautions, companies can maintain security and reduce the impact of ransomware attacks on their operations and reputation.

 

FAQ 

 

1. What is LockBit 3.0 Brain Cipher Ransomware?

LockBit 3.0 Brain Cipher ransomware is the latest variant of the LockBit ransomware family that is capable of stealing and encrypting the victim’s data, and demanding a ransom to restore data access.

2. How does LockBit 3.0 Ransomware work?

LockBit 3.0 spreads through methods such as phishing and software vulnerabilities, then encrypts the victim’s data and demands a ransom through a dark web (.onion) site.

3. What is the impact of the LockBit 3.0 attack on the company?

The impacts include operational disruption, financial loss, reputational damage, and leakage of critical company data.

4. What are the types of ransomware?

Some types of ransomware include Locker Ransomware, Crypto Ransomware, Scareware, Extortionware, Double Extortion Ransomware, and Triple Extortion Ransomware.

5. How can LockBit 3.0 ransomware attacks be avoided?

Some preventive measures include performing regular data backups, performing regular pentests, updating the system, and not opening illegal or suspicious links.
