Origin: September 2019
Alias: LockBit 2.0, ABCD
Infection Vectors: Phishing, Unprotected RDP Port, Spam Emails, Vulnerability Exploitation
Targeted Sectors: Information Technology, Government, Manufacturing, Healthcare, Automotive, and Finance
Targeted Regions: North America, South America, Western Europe, Africa, South-East Asia, Eastern Asia
Motive: Data Theft, Financial Gains (via Ransom), Operations Disruption
A brief about LockBit
LockBit, formerly known as ABCD ransomware, has been active since September 2019 and is offered as Ransomware-as-a-Service (RaaS) on underground marketplaces. It has since evolved into one of the most damaging strains of malware aimed at large organizations: it automatically locates valuable targets, infects them, and encrypts their systems. To date, it has compromised hundreds of organizations, including top firms across the globe; the attack on Accenture, with its reported $50 million ransom demand, is one of them. The strengths of the LockBit operators are the double-extortion technique and, as the group claims, the fastest encryption speed of any ransomware currently on the market. In one incident, a LockBit affiliate encrypted 25 servers and 225 workstations in just three hours. Although the RaaS group was first seen advertising its affiliate program in January 2020, infections rose sharply from mid-2021 onward, when it announced a second, similar program. In June 2021, the LockBit operators posted a page on their leak site (bigblog[.]at) announcing the launch of LockBit 2.0, along with a recruitment program for new affiliates.
Evolution of LockBit Variants
There are three known variants of LockBit ransomware: V1 (.abcd), V2 (.LockBit), and V3 (LockBit 2.0).
The initial variant dropped its ransom instructions in a Restore-My-Files[.]txt file placed in each encrypted folder on the victim's system. It used COM interface task scheduling as well as the Windows registry to maintain persistence on the target system. Infected devices showed high CPU usage during the encryption process.
The second variant mostly exhibited the same traits as the first. It appended the .LockBit extension to encrypted files, and its ransom instructions told the victim to download the Tor browser for communication. This variant was packed and digitally signed, and it used a dynamic mutex instead of a static one.
LockBit 2.0, the newest version, no longer directs victims to the Tor browser in its ransom instructions; instead it sends them to an alternate website reachable over the regular internet. It came with several enhancements, such as faster encryption, UAC bypass capabilities, a Wake-on-LAN feature, and a new desktop wallpaper.
The ransomware is still evolving. Two minor updates released in August 2021 renamed the registry key in which the RSA public session key is stored and added the creation of a file used as a mutex during encryption. Two major additions followed in September 2021: deployment to Active Directory clients via Group Policy Objects, and physical printing of ransom notes. In addition, just a few weeks ago, a new variant targeting Linux and VMware ESXi was observed, named LockBit Linux-ESXi Locker. It uses a combination of the Advanced Encryption Standard (AES) and elliptic-curve cryptography for data encryption.
LockBit 2.0 Technical Details
The LockBit 2.0 payload is small, only 855 KB, but heavily obfuscated. It uses bitwise operations to decode its strings and loads the modules it needs at runtime to evade detection. After execution, the variant decodes the required strings and imports, then checks whether the process holds administrator privileges; if not, it attempts to escalate. It then queries the system and user language settings, and if an Eastern European language is identified, the program exits without infecting the host. Once the infection begins, LockBit 2.0 deletes shadow copies and log files on disk. It collects system information such as host configuration, hostname, domain information, remote shares, mounted external storage devices, and local drive configuration. It then attempts to encrypt data on every local and remote drive it can reach, while skipping the files the core operating system needs.
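The shadow-copy and log deletion described above is one of the few LockBit 2.0 behaviours that is loud in endpoint telemetry, so it is worth a concrete hunting rule. The script below is an added example written for this article, not code from LockBit or from the article's sources: the article only states that LockBit 2.0 deletes shadow copies and log files, so the command lines it matches (vssadmin, wmic, bcdedit, wevtutil) are an assumption based on the Windows built-ins ransomware in general abuses for that purpose, and the process-creation records are constructed.

```python
"""Hunt process-creation logs for recovery-artifact destruction.

Added example (not code from the article or from LockBit). The command-line
patterns are assumed generic ransomware tradecraft, not recovered LockBit 2.0
command lines; the sample events are constructed Sysmon Event ID 1 records.
"""
import re
from collections import Counter

# Each rule: a label and a case-insensitive regex over the full command line.
RULES = {
    "shadow_copy_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(\))", re.IGNORECASE),
    "shadow_storage_shrink": re.compile(
        r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.IGNORECASE),
    "boot_recovery_disable": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.IGNORECASE),
    "event_log_clear": re.compile(
        r"(wevtutil(\.exe)?\s+(cl|clear-log)\s|clear-eventlog)", re.IGNORECASE),
}

# Constructed telemetry (not real events): one workstation wiping recovery
# data from a dropped binary, plus two benign records for contrast.
SAMPLE_EVENTS = [
    {"Host": "WS-041", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Host": "WS-041", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Host": "WS-041", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Host": "WS-041", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Host": "SRV-BACKUP", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "ParentImage": "C:\\Program Files\\BackupAgent\\agent.exe",
     "CommandLine": "vssadmin list shadows"},          # benign: listing only
    {"Host": "WS-042", "User": "CORP\\asmith",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},        # benign
]


def classify(event):
    """Return the list of rule labels whose regex matches the command line."""
    cmd = event.get("CommandLine", "")
    return [label for label, rx in RULES.items() if rx.search(cmd)]


def triage(events):
    """Return one finding per matching event plus a per-host hit count.

    A single host issuing several of these commands from the same parent
    process is the pattern to escalate on; a lone vssadmin call from a backup
    agent is usually noise, and a plain 'list' never matches.
    """
    findings = []
    for ev in events:
        for label in classify(ev):
            findings.append({"host": ev["Host"], "user": ev["User"],
                             "rule": label, "parent": ev["ParentImage"],
                             "cmd": ev["CommandLine"]})
    per_host = Counter(f["host"] for f in findings)
    return findings, per_host


if __name__ == "__main__":
    hits, by_host = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]:10} {h["rule"]:22} {h["parent"]} -> {h["cmd"]}')
    for host, n in by_host.items():
        if n >= 2:
            print(f"ESCALATE: {host} issued {n} recovery-destruction commands")
```

The per-host count matters more than any single match: on the constructed data, WS-041 trips four different rules under one parent binary, which is the signature of a locker preparing to encrypt, whereas the backup server's vssadmin call produces nothing.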
Infection and Propagation
For initial access, LockBit attacks are carried out directly by an attacker who already has access to an unprotected RDP port, or who gains a foothold on an employee's computer through phishing emails, malicious attachments or downloads, or exploitation of vulnerabilities in exposed applications.
Moreover, initial access brokers have been working in tandem with ransomware groups. In LockBit's case, it was the broker Babam that supplied the group with remote-access credentials for potential victims; in return, Babam received positive feedback on the cybercrime forum Exploit. Let's look at how affiliates use LockBit against their victims.
After execution, LockBit 2.0 scans the local subnets in an attempt to spread laterally using worm-like functionality. To propagate within the infected network, the ransomware performs reconnaissance and spreads further while encryption is already under way, which causes faster and more widespread damage than manual, hands-on-keyboard approaches.
LockBit 2.0 abuses legitimate tools such as PC Hunter and Process Hacker to terminate processes and services on the victim system. Once it gains access to the domain controller, it creates new group policies and pushes them to every device on the network; these policies disable Windows Defender and propagate and run the ransomware binary on every Windows system joined to the domain.
For data exfiltration, LockBit comes with a built-in information-stealing trojan called StealBit, which automates the theft of data. Before encryption starts, affiliates use StealBit to steal the files of their choice: the affiliate can configure the trojan with a target file path, and the matching files are copied over HTTP to a server under the attacker's control. Because of the affiliate model, some LockBit 2.0 attackers instead use commercially available tools such as rclone or MEGAsync, and often rely on publicly available file-sharing services such as anonfiles[.]com, privatlab[.]net, fex[.]net, transfer[.]sh, send.exploit[.]in, and sendspace[.]com. The data are packaged and uploaded to cloud services such as MEGA.
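Because the exfiltration stage uses ordinary HTTP uploads to the public services listed above, it is visible in web-proxy logs before encryption begins. The following script is an added example written for this article, not code from the article's sources or from LockBit's affiliates: the file-sharing hosts are the ones named in the text, while the MEGA domain names, the rclone/MEGAsync User-Agent prefixes, the 256 MiB volume threshold and the log format are assumptions made for the demo.

```python
"""Flag likely bulk exfiltration in outbound proxy logs.

Added example, not the article's or LockBit's code. The file-sharing hosts
come from the article; the MEGA domains, the rclone/MEGAsync User-Agent
strings, the threshold and the log format are assumptions for this demo.
"""
import shlex
from collections import defaultdict

# Services named in the article, plus MEGA (domain names assumed).
EXFIL_SERVICES = {
    "anonfiles.com", "privatlab.net", "fex.net", "transfer.sh",
    "send.exploit.in", "sendspace.com", "mega.nz", "mega.co.nz",
}
# Upload tooling the article mentions; the UA prefixes are assumptions.
TOOL_UA_PREFIXES = ("rclone/", "MEGAsync")
HIGH_VOLUME_BYTES = 256 * 1024 * 1024   # 256 MiB per (client, host) per window

# Constructed proxy log (not real traffic): ts src method host bytes_out status "ua"
SAMPLE_LOG = """\
2021-09-14T02:13:07Z 10.20.30.41 POST anonfiles.com 524288000 200 "Mozilla/5.0"
2021-09-14T02:14:11Z 10.20.30.41 PUT g.api.mega.co.nz 734003200 200 "MEGAsync/4.5.3"
2021-09-14T02:15:00Z 10.20.30.42 GET www.microsoft.com 1324 200 "Mozilla/5.0"
2021-09-14T02:16:30Z 10.20.30.43 PUT files.corp.example 2147483648 200 "Mozilla/5.0"
2021-09-14T02:17:02Z 10.20.30.41 POST transfer.sh 104857600 200 "rclone/v1.56.0"
2021-09-14T02:18:45Z 10.20.30.42 POST mail.corp.example 20480 200 "Mozilla/5.0"
"""


def host_matches(host, services):
    """True if host equals a listed service or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in services)


def parse_line(line):
    """Parse one record of the constructed format into a dict."""
    ts, src, method, host, sent, status, ua = shlex.split(line)
    return {"ts": ts, "src": src, "method": method.upper(), "host": host,
            "bytes_out": int(sent), "status": int(status), "ua": ua}


def detect(lines, threshold=HIGH_VOLUME_BYTES):
    """Aggregate upload bytes per (src, host) and return suspicious pairs.

    Reasons: known_service (host is on the exfil list), tool_user_agent
    (rclone or MEGAsync client), high_volume (more than `threshold` bytes
    uploaded to one host). Only POST/PUT requests count as uploads.
    """
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] not in ("POST", "PUT"):
            continue
        key = (rec["src"], rec["host"].lower())
        totals[key] += rec["bytes_out"]
        if host_matches(rec["host"], EXFIL_SERVICES):
            reasons[key].add("known_service")
        if rec["ua"].startswith(TOOL_UA_PREFIXES):
            reasons[key].add("tool_user_agent")
    for key, total in totals.items():
        if total > threshold:
            reasons[key].add("high_volume")
    findings = [{"src": src, "host": host, "bytes_out": totals[(src, host)],
                 "reasons": sorted(r)}
                for (src, host), r in reasons.items() if r]
    return sorted(findings, key=lambda f: (f["src"], f["host"]))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f'{f["src"]:14} {f["host"]:22} {f["bytes_out"]:>12} {",".join(f["reasons"])}')
```

A pair that trips only high_volume (the internal file server in the sample) is a review item, not an alert; a pair with known_service and tool_user_agent together, as 10.20.30.41 shows three times, is what the article's exfiltration stage looks like on the wire.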
For encryption, LockBit 2.0 uses a hybrid AES/RSA scheme. It appends the .lockbit extension to every encrypted file and drops a ransom note into each encrypted directory as part of the double-extortion scheme. On every compromised system, the desktop wallpaper is replaced with an affiliate-recruitment ad that also tells victims how to pay the ransom. Afterwards, LockBit 2.0 deletes itself from disk, having already established persistence at startup.
According to Digital Shadows, LockBit had listed 203 victims on its leak site by October 2021, almost triple Conti's 71. The most-targeted industries include consumer goods, gas utilities, automotive, chemicals, diversified consumer services, professional and financial services, air freight and logistics, construction and engineering, and internet software and services. The group's attacks are not limited to these sectors, however. Major, well-known organizations hit in 2021 include BTC-Alpha, Bangkok Airways, Accenture, Edoardo Raffinerie Garrone, and Merseyrail; in 2020, victims included Kopter Group AG, Press Trust of India, Yaskawa Electric Corporation, and Overseas Express, among others.
As for targeted regions, the ransomware has been spotted in North America (U.S., Canada, Mexico), South America (Brazil, Peru, Argentina), Western Europe (UK, Spain, Italy, Turkey), Africa (Sudan, Angola, South Africa), and Asia (India, China, Malaysia, Philippines, Japan), with more than 50 victims across these regions. The threat excludes target systems located in former Soviet Union countries.
What a mix, LockBit!
It often takes years to learn about the threat actors behind such a large criminal infrastructure. According to several researchers, LockBit could be part of the LockerGoga and MegaCortex malware family: it shares behavioral traits with these established ransomware families, such as self-propagation within a network, targeted rather than indiscriminate attacks, and the use of the same tooling, such as Windows PowerShell and Server Message Block (SMB). Others have found that LockBit 2.0 shows inspiration from infamous ransomware groups such as Ryuk and Egregor. Trend Micro highlights two notable overlaps. The first is the Wake-on-LAN feature, as in Ryuk, which sends the magic packet (the sync stream "0xFF 0xFF 0xFF 0xFF 0xFF 0xFF" followed by the target's MAC address repeated 16 times) to wake offline devices so they can be encrypted too. The second is the print-bombing of the ransom note via the victim's network printers, as observed in Egregor's behavior, to get the victim's attention.
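The Wake-on-LAN overlap above is easy to turn into a network detection, because a workstation has no business sending magic packets. The script below is an added example written for this article, not code from Ryuk, LockBit, or the article's sources. It follows the public magic-packet layout (six 0xFF bytes, then the target MAC repeated 16 times, optionally followed by a 4- or 6-byte SecureOn password); the sample datagrams and the allow-list of management hosts are constructed.

```python
"""Build and recognise Wake-on-LAN magic packets, then flag unexpected senders.

Added example, not code from the article, Ryuk or LockBit. Layout per the
public WoL specification; sample datagrams and allow-list are constructed.
"""

SYNC = b"\xff" * 6          # the six-byte synchronization stream


def mac_to_bytes(mac):
    """Accept 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' and return 6 bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return raw


def build_magic_packet(mac, password=b""):
    """Sync stream + MAC x16 (+ optional SecureOn password of 4 or 6 bytes)."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return SYNC + mac_to_bytes(mac) * 16 + password


def parse_magic_packet(payload):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff', or None.

    The spec lets the sync stream sit anywhere in the datagram, so every
    occurrence is tried rather than assuming offset 0. Trailing bytes (a
    SecureOn password, padding) are ignored.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6 : start + 6 + 96]
        if len(body) == 96:
            mac = body[:6]
            if mac != SYNC and body == mac * 16:
                return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None


def flag_unexpected_wakers(datagrams, allowed_senders):
    """Return (src_ip, dst_port, target_mac) for magic packets from
    hosts that are not on the allow-list of legitimate WoL senders."""
    alerts = []
    for src, dport, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac and src not in allowed_senders:
            alerts.append((src, dport, mac))
    return alerts


# Constructed UDP capture: (src_ip, dst_port, payload). Ports 7 and 9 are the
# conventional WoL ports; the management server 10.20.0.5 is the only
# host expected to wake machines.
ALLOWED_WOL_SENDERS = {"10.20.0.5"}
SAMPLE_DATAGRAMS = [
    ("10.20.0.5", 9, build_magic_packet("00:1a:2b:3c:4d:5e")),
    ("10.20.30.41", 9, build_magic_packet("00:1a:2b:3c:4d:5f")),
    ("10.20.30.41", 7, build_magic_packet("00-1A-2B-3C-4D-60", b"\x01\x02\x03\x04")),
    ("10.20.30.42", 9, b"\x00" * 40),      # ordinary datagram, not a magic packet
]


if __name__ == "__main__":
    for src, port, mac in flag_unexpected_wakers(SAMPLE_DATAGRAMS, ALLOWED_WOL_SENDERS):
        print(f"ALERT: {src} sent WoL to {mac} on udp/{port}")
```

A burst of these alerts from one workstation, shortly before encryption-related noise from the same host, matches the sequence the article attributes to LockBit 2.0: wake the sleeping machines first, then encrypt them with the rest.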
Another interesting incident occurred in June 2020, when the Maze ransomware group hosted and promoted data stolen by other ransomware groups on its leak site, Maze News. One of the posted datasets belonged to SmithGroup, a victim of LockBit.
How to stay protected?
Given LockBit's speed of infection, the best defense is to stop the threat at the initial-access stage. Keep unused RDP ports closed, use a host-based firewall, enable Windows' protected folders (controlled folder access), and require multi-factor authentication for all password-based accounts; at the same time, remove administrative access that is not needed. Deploy security solutions that detect malicious code in the common business document formats sent as email attachments, a method LockBit operators frequently use. Beyond that, invest in robust, multi-layered anti-ransomware solutions that use Indicators of Behavior (IOBs) to detect phishing emails and similar tricks.
A recent FBI alert on LockBit 2.0 attacks urged private organizations to share Indicators of Compromise (IOCs) and intelligence data with the Bureau (a key point of President Biden's Executive Order as well). It also recommended that organizations segment networks, investigate abnormal activity with network-monitoring tools, implement time-based access for accounts, disable or restrict command-line and scripting activities and permissions, and maintain offline, encrypted backups of data.
LockBit 2.0 is growing aggressively as it continues to recruit affiliates through its RaaS model. More worrying still, the group also approaches corporate insiders to further its operations. Sharing intelligence will aid early detection and a fuller understanding of this threat, which in turn buys time for the experts working on a sound defense strategy.
Indicators of Compromise
Encrypted Files Extension
.lockbit
SHA256 Hashes
00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8
0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049
2ba9fab56458fe832afecf56aae37ff89a8b9a494f3c2570d067d271d3b97045
4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a
743ecc953dcd83a48140c82d8a7dcac1af28e0839aed16628ddfc9454bec8dfa
8155c6bea7c1112f022e9c70279df6759679295bd4d733f35b6eea6a97d3598f
856d5253f68bebcba161bc8f8393f34c806717faa6297c669c75fb13b17f8d03
9bca4fe6069de655467e59929325421b93617bccfdf23e9fba02615d36d60881
a98ffa66c07f634d19dc014bb2d63fa808d7af5dc9fb9b33aa19a8b944608816
acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c
b3faf5d8cbc3c75d4c3897851fdaf8d7a4bd774966b4c25e0e4617546109aed5
dd8fe3966ab4d2d6215c63b3ac7abf4673d9c19f2d9f35a6bf247922c642ec2d
ea028ec3efaab9a3ce49379fef714bef0b120661dcbb55fcfab5c4f720598477
f32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202
f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae
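To put the indicators above to work during triage, the script below walks a file tree and reports three things the article describes: binaries whose SHA256 is on the list, files carrying the .lockbit extension, and directories holding a Restore-My-Files.txt ransom note. It is an added example written for this article, not code from the article's sources: the hash set is copied from the list above, the extension and note name come from the article text, and the demo directory it builds is constructed so the script runs offline without any real sample.

```python
"""Triage a file tree for the LockBit indicators listed in this article.

Added example, not code from the article's sources. Hashes are the article's
IOC list; extension and note name are from the article text; the demo tree
is constructed (no real sample is needed or used).
"""
import hashlib
import os
import tempfile

LOCKBIT_SHA256 = {
    "00260c390ffab5734208a7199df0e4229a76261c3f5b7264c4515acb8eb9c2f8",
    "0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049",
    "2ba9fab56458fe832afecf56aae37ff89a8b9a494f3c2570d067d271d3b97045",
    "4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a",
    "743ecc953dcd83a48140c82d8a7dcac1af28e0839aed16628ddfc9454bec8dfa",
    "8155c6bea7c1112f022e9c70279df6759679295bd4d733f35b6eea6a97d3598f",
    "856d5253f68bebcba161bc8f8393f34c806717faa6297c669c75fb13b17f8d03",
    "9bca4fe6069de655467e59929325421b93617bccfdf23e9fba02615d36d60881",
    "a98ffa66c07f634d19dc014bb2d63fa808d7af5dc9fb9b33aa19a8b944608816",
    "acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c",
    "b3faf5d8cbc3c75d4c3897851fdaf8d7a4bd774966b4c25e0e4617546109aed5",
    "dd8fe3966ab4d2d6215c63b3ac7abf4673d9c19f2d9f35a6bf247922c642ec2d",
    "ea028ec3efaab9a3ce49379fef714bef0b120661dcbb55fcfab5c4f720598477",
    "f32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202",
    "f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae",
}
ENCRYPTED_EXT = ".lockbit"                      # from the article
RANSOM_NOTE_NAMES = {"restore-my-files.txt"}    # from the article, lower-cased


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known_hashes=LOCKBIT_SHA256):
    """Walk root; return hash matches, encrypted files, notes and note dirs."""
    result = {"hash_matches": [], "encrypted_files": [], "ransom_notes": []}
    note_dirs = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lname = name.lower()
            if lname.endswith(ENCRYPTED_EXT):
                result["encrypted_files"].append(path)
                continue        # encrypted data never matches a sample hash
            if lname in RANSOM_NOTE_NAMES:
                result["ransom_notes"].append(path)
                note_dirs.add(dirpath)
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue        # unreadable file: skip rather than abort triage
            if digest in known_hashes:
                result["hash_matches"].append((path, digest))
    result["dirs_with_notes"] = sorted(note_dirs)
    return result


def build_demo_tree():
    """Create a constructed directory; return (root, sha256 of the fake binary)."""
    root = tempfile.mkdtemp(prefix="lockbit-demo-")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "Q3-report.xlsx" + ENCRYPTED_EXT), "wb") as f:
        f.write(os.urandom(64))                         # stand-in for ciphertext
    with open(os.path.join(docs, "Restore-My-Files.txt"), "w") as f:
        f.write("constructed ransom note placeholder\n")
    with open(os.path.join(root, "clean.txt"), "w") as f:
        f.write("nothing to see here\n")
    sample = os.path.join(root, "update.exe")
    with open(sample, "wb") as f:
        f.write(b"constructed stand-in for a dropped binary")
    return root, sha256_file(sample)


if __name__ == "__main__":
    root, fake_digest = build_demo_tree()
    # The fake binary's hash is added to the IOC set only to show a match;
    # in real triage pass LOCKBIT_SHA256 unchanged.
    report = scan_tree(root, known_hashes=LOCKBIT_SHA256 | {fake_digest})
    for key, items in report.items():
        print(f"{key}: {items}")
```

Hash matches are the weakest signal here because affiliates rebuild payloads; the .lockbit extension and the note in every encrypted directory are what will actually be present on a compromised host, so the scan treats them as separate findings rather than folding everything into the hash check.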