In August 2023, the notorious LockBit ransomware gang ramped up their attacks, targeting organizations across multiple sectors, including finance, healthcare, and government agencies. While LockBit is well-known for deploying devastating ransomware, this latest wave of attacks revealed a key strategy that helped them maintain control over their victims' networks: web shells.
What is LockBit Ransomware?
LockBit is a ransomware-as-a-service (RaaS) operation, meaning attackers lease their ransomware to affiliates, who then carry out attacks in exchange for a cut of the ransom. LockBit has been active for several years, but in 2023, they became even more dangerous, leveraging web shells to increase their attack efficiency and persistence.
How Did Web Shells Play a Role?
In the August 2023 attacks, web shells were a crucial part of LockBit's multi-stage attack strategy. Here’s how they were used:
1. Initial Access via Vulnerabilities
LockBit affiliates exploited vulnerabilities in web applications and unpatched servers to gain initial access to victims' networks. Once inside, they were quick to upload web shells—small pieces of malicious code that allowed them to control the infected systems remotely.
Common Targets: Vulnerable Microsoft Exchange servers, Fortinet firewalls, and WordPress websites with outdated plugins.
2. Stealth and Persistence
Web shells provided persistent access to compromised systems, even after the initial vulnerabilities were patched. This allowed LockBit attackers to come and go as they pleased, without needing to re-exploit the same vulnerability. With the web shells in place, they could:
Steal sensitive data
Escalate privileges to gain broader access across the network
Deploy ransomware at the perfect moment
3. Lateral Movement
Using web shells, LockBit attackers could move laterally through networks, identifying critical systems and deploying additional malware. Web shells essentially acted as a backdoor, allowing them to target more machines with the ransomware once they were ready.
The Consequences
In August, several organizations reported being hit by LockBit ransomware, with web shells playing a major role in the attacks. Victims experienced:
Data exfiltration: Sensitive files were stolen and used as leverage in double extortion tactics—if the ransom wasn’t paid, the data would be leaked online.
System downtime: Entire networks were locked down, causing massive disruptions to business operations.
Financial losses: Many organizations faced huge costs, not just from ransom payments, but also from recovery efforts and reputational damage.
How to Defend Against Web Shells
Web shells are sneaky and dangerous, but organizations can take steps to protect themselves:
Patch vulnerabilities: Regularly update web applications, servers, and firewalls to prevent attackers from exploiting known flaws.
Monitor for unusual activity: Use intrusion detection systems (IDS) to spot abnormal behavior that could indicate a web shell is present.
Use firewalls and segmentation: Restrict access to critical assets and limit the damage attackers can do if they gain access to your network.
Use web shell security software: Security solutions like UMV's Web Server Safeguard (WSS) specifically target web shells by detecting file uploads and changes in real time. Incorporating a web shell-targeting component into your cybersecurity suite is an effective way to prevent web shell-based attacks.
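As an added example (not code from this post or from UMV's product), here is a small Python baseline-and-diff check that does what the monitoring advice above describes: snapshot the web root, report files that appeared or changed since the last pass, and flag new or modified server-side scripts containing tokens commonly seen in web shells. The marker list and the demo fixture are constructed for this example and should be tuned for your own stack.

```python
"""Baseline-and-diff check for a web root (added example, not the product named above):
record a SHA-256 manifest, then report files that appeared or changed and flag
server-side scripts whose content carries common web shell marker tokens."""
import hashlib
import re
import tempfile
from pathlib import Path

# Tokens frequent in PHP/ASP web shells; a constructed starting list, tune it per stack.
MARKERS = re.compile(rb"eval\s*\(|base64_decode\s*\(|shell_exec|passthru|proc_open"
                     rb"|system\s*\(|\$_(GET|POST|REQUEST)\[|Request\.Form")
SCRIPT_EXT = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}

def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff(baseline, current):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed

def check(root, baseline):
    """One monitoring pass: returns (report, new_baseline). 'suspicious' holds the new or
    changed server-side scripts that match MARKERS; those are the ones to review first."""
    current = snapshot(root)
    added, modified, removed = diff(baseline, current)
    suspicious = [rel for rel in added + modified
                  if Path(rel).suffix.lower() in SCRIPT_EXT
                  and MARKERS.search(Path(root, rel).read_bytes())]
    return {"added": added, "modified": modified, "removed": removed,
            "suspicious": suspicious}, current

def demo():
    """Constructed fixture: a clean site, then a dropped script holding one marker token."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    _, baseline = check(root, {})
    (root / "index.php").write_text("<?php echo 'hello, world'; ?>")   # benign edit
    (root / "cache.php").write_text("<?php /* constructed fixture, not a working shell */ passthru(")
    report, _ = check(root, baseline)
    return report  # added=['cache.php'], modified=['index.php'], suspicious=['cache.php']
```

In production you would persist the manifest returned by check() between runs (or schedule it from cron) and route anything in "suspicious" to the team that can compare the file against the last known deployment.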
Final Thoughts
The LockBit ransomware attacks in August 2023 showed just how dangerous web shells can be when used in combination with ransomware. By maintaining long-term access to networks, attackers can carefully plan their strikes, making the damage even more severe. Staying proactive with security patches and monitoring is essential to prevent falling victim to these types of attacks.
Stay safe, and keep your systems secure!