LockBit Ransomware Makes Use of Windows Defender to Load Payload

LockBit ransomware has been around since 2019, and it has most likely targeted thousands of organisations.

Cybercriminals encrypt victims’ files, steal valuable information, and threaten to make it public if a ransom is not paid.

Threat actors used a legitimate VMware command-line utility called ‘VMwareXferlogs.exe’ in April to side-load a Cobalt Strike payload.

In another attack, the hackers decrypted and loaded post-exploitation payloads using ‘MpCmdRun.dll.’

The LockBit 3.0 leak website lists more than 60 victims, with cybercriminals demanding millions of dollars to keep their files private.

The attack began with the use of the Log4Shell vulnerability against a Horizon Server instance.

Products such as VMware and Windows Defender are widely used in the enterprise and have a high utility to threat actors.