LockBit Ransomware Gang Increasingly Targeting RMM Software to Establish Network Presence

Dark Reading has written an article discussing LockBit ransomware group and a recently observed evolution of its tactics to include the use of remote monitoring and management (RMM) software to expand its presence once on a victim’s network.

LockBit, which has been one of the most prolific ransomware actors in 2023, has been observed targeting and controlling RMM software once it establishes a network foothold. Both AnyDesk and ConnectWise have been observed being targeted, with LockBit going so far as to install a second instance of ConnectWise on a victim’s network when it was unable to steal their credentials. The article discusses a few mitigations against this tactic, including applying multi-factor authentication to their RMM software and establishing stricter access controls. Members are also encouraged to review CISA’s recently published Remote Monitoring and Management (RMM) Cyber Defense Plan, which is a valuable resource for organizations determining where to start defending their RMM software. Read more at Dark Reading.