Lockbit Ransomware Targets United Kingdom Rail Network

On Wednesday, April 28, 2021, Merseyrail, a British railway company that operates in and around the city of Liverpool in northwestern England, confirmed a successful attack by cybercriminals using the LockBit ransomware.

• Merseyrail provides commuter train service through sixty-eight stations in the metropolitan area encompassed by the Liverpool City Region.
• The carrier reported that train operations were not disrupted.
• A full investigation is under way – with the appropriate British government and law enforcement authorities notified.

The LockBit ransomware attackers compromised the Merseyrail email system and subsequently sent messages directly to Merseyrail employees and news media outlets announcing the successful network breach and compromise.

• Reporters at the online media site, BleepingComputer.com, stated they had received emails on Sunday, April 18, 2021, purportedly from the Merseyrail Director, with the Subject line reading: “LockBit Ransomware Attack and Data Theft.”
• The email stated that a previous weekend’s “outage” had been downplayed by Merseyrail management and that the railway had now suffered a ransomware attack in which the hackers claimed theft of employee and customer data.
• Included in these emails is a link to an image showing an employee’s personal information that the LockBit attackers assert stole during the attack.

Other published reports contend the compromise of Merseyrail’s computer network resulted from a successful spear phishing campaign – through which the perpetrators gained access to a privileged Microsoft Office 365 account.

An effective spearphishing campaign uses email messages that appear to be legitimate and from a valid source to induce the targeted recipient to open a malicious file or embedded link.

• By opening the file or link, the victim triggers the introduction of the malicious software (malware) that enables persistent network access and data theft, destruction, or encryption to render inaccessible and unusable.

The LockBit ransomware is considered a Ransomware-as-a-Service (RaaS) capability – for which the developers maintain and enhance the malware and control the site for payment of the demanded ransom by victims. Meanwhile, the so-called “affiliates” who purchase LockBit RaaS distribute the ransomware, often via emails in spear phishing campaigns. Ransom payments received are divided between the LockBit developer team and the attacking affiliates. It is not uncommon for the affiliates to be allocated up to 75% of the ransom funds attained.

Once part of what was called the Maze Ransomware cartel, the LockBit perpetrators originally published data stolen from victims that refused to pay the demanded ransom on Maze’s data leak site. However, currently the LockBit ransomware attackers maintain their own data leak site, launched on the dark web in September 2020.

• This platform includes a secure chat room for victims to communicate during ransom negotiations.
• By using their own secure chat infrastructure to host negotiations, the LockBit perpetrators leave no email trail for law enforcement to investigate.
• Victims can only unlock their systems via a custom key created by LockBit’s proprietary decryption tool. Significantly, victims are offered the ability to decrypt one file for free –
  intended as a demonstration that the cybercriminals have the right decryption tool.
• The attackers employ a process that leaves copies of a simple ransom note text file in every system folder. This file provides the targeted victims with instructions to follow to pay the ransom and restore their system. In some cases, this text file has included threats intended to extort the ransom payment – notably, that the failure to pay by the deadline set will result in publication by the attackers of the stolen data.

Additional Characteristics

1. LockBit ransomware attacks are automated, and feature independently directed activity.
2. LockBit uses “post-exploitation” tools to escalate privileges and achieve an “attack-ready” level of access.
3. Using the administrative access illicitly obtained, security services are disabled on the infected host, such as Windows Defender and the system firewall.
4. After gaining initial access, the malware identifies a single host and delivers the ransomware payload.
5. A keylogger/screen capture tool (HAKOPS Keylogger) is dropped on the infected system. This capability captures the victim’s keystrokes, takes screenshots, and transmits data once per day to a file transfer protocol (FTP) server located in Ukraine.
6. The malware instructs the victimized system to delete local shadow copies via the Windows Volume Shadow Copy Service (VSSADMIN) – as a means of preventing data restoration.
7. LockBit is self propagating – and will infect any machine it can touch, placing a “lock” on all the system files through its encryption process. The specific aim with this ransomware is to make either unassisted recovery impossible, or so slow enough that paying the ransom becomes the only viable solution.
8. Significantly, as a key indicator of Russian involvement, the LockBit ransomware is programmed to avoid infecting any systems located in the Commonwealth of Independent States, which include Russia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Armenia, Moldova, Tajikistan, and Uzbekistan.

Cybercriminals have become increasingly aggressive in their extortion tactics, including more adopting the “double extortion” tactic to threaten the targeted victim by leaking stolen data if the ransom is not paid. Cyber threat actors have also escalated their tactics to include:

• Conducting distributed denial of service (DDoS) attacks to disrupt functioning and operations of the targeted entities.
• Publicizing the network breach and data compromise by disseminating email messages alerting employees, contractors, and customers that the targeted organization has suffered a ransomware attack.
• Expanding extortion by threatening to notify stock exchanges of the breach – undermining confidence in the targeted organization and, for publicly traded companies, causing declines in stock value, at least for the short-term.
• Leveraging social media advertisements and call centers to harass and pressure victimized organizations into paying the ransom demanded.

In this instance, the LockBit operators emailed Merseyrail’s employees, alerting them to the successful ransomware attack and seeking leverage them as a source of pressure on the railway’s management. Timely payment is cast as the only way to prevent publication by the perpetrators of personal and sensitive financial data on workers and customers and of other forms of proprietary information. Widespread publication escalates dramatically the risk of identity theft, fraud, and expanded malicious cyber attacks. As an additional form of pressure, the perpetrators emailed several British news media outlets, expanding publicity of the successful ransomware attack in a further effort to shame Merseyrail. Despite these aggressive tactics, the British railway company has reportedly declined to pay the demanded ransom.