Ransomware Spotlight: LockBit




LockBit

By Trend Micro Research

The LockBit intrusion set, tracked by Trend Micro as Water Selkie, has one of the most active ransomware operations today. With LockBit’s strong malware capabilities and affiliate program, organizations should keep abreast of its machinations to effectively spot risks and defend against attacks.

Ransomware Spotlight: LockBit Infographic View infographic of "Ransomware Spotlight: LockBit"

(Last update: May 7, 2024) On Feb. 19, 2024, Operation Cronos, a targeted law enforcement action, caused outages on LockBit-affiliated platforms, disrupting the notorious ransomware group's operations. Authorities leveraged the compromised LockBit leak site to distribute information about the group and its operations, announce arrests, sanctions, cryptocurrency seizure, and more. As one of the private partners who contributed to the operation, Trend Micro analyzed LockBit-NG-Dev, an in-development version of the ransomware. Key findings indicated a shift to a .NET core, which allows it to be more platform-agnostic and emphasizes the need for new security detection techniques.

 The leak of LockBit's back-end information offered a glimpse into its internal workings and disclosed affiliate identities and victim data, potentially leading to a drop in trust and collaboration within the cybercriminal network. Contrary to what the group themselves have stated, activities observed post-disruption would indicate that Operation Cronos affected the group’s activities significantly.

LockBit first emerged as the ABCD ransomware on September 2019, which was improved to become one of the most prolific ransomware families today.

Through their professional operations and strong affiliate program, LockBit operators proved that they were in it for the long haul. Thus, being acquainted with their tactics will help organizations fortify their defenses for current and future ransomware attacks.


What do organizations need to know about LockBit?


LockBit uses a ransomware-as-a-service (RaaS) model and consistently conceived new ways to stay ahead of its competitors. Its double extortion methods also adds more pressure to victims, raising the stakes of their campaigns.

One of its notable tactics was the creation and use of the malware StealBit, which automates data exfiltration. This tool was seen with the release of LockBit 2.0, which has been touted by its creators for having the fastest and most efficient encryption among its competition. In October 2021, LockBit also expanded to Linux hosts, specifically ESXi servers, in its release of Linux-ESXI Locker version 1.0. This variant is capable of targeting Linux hosts and could have a big impact on targeted organizations.

Another side of LockBit’s operations is its recruitment of and marketing to affiliates. It has been known to hire network access brokers, cooperate with other criminal groups (such as the now defunct Maze), recruit company insiders, and sponsor underground technical writing contests to recruit talented hackers. Using such tactics, the LockBit group has built itself into one of the most professional organized criminal gangs in the criminal underground.

The tactics we’ve enumerated are evident in their attack on Accenture in 2021. Experts suspect that an insider helped the group gain access to the firm’s network. LockBit also reportedly published a small part of the stolen data from the attack.

LockBit 3.0: Sharpening the saw with a bug bounty program

In late June 2022, the LockBit ransomware gang reportedly launched LockBit 3.0, the latest known variant of the group’s ransomware, after two months of beta testing with the new malware deployed in the attacks. Twitter user @WhichbufferArda found a sample of the LockBit 3.0 ransomware version and noted that the malware uses anti-analysis techniques to hide itself and does not execute without a password like BlackCat. It also contains a command-line argument feature.

Our debugging process found that LockBit 3.0’s code is very similar to that of DarkSide and BlackMatter, which other researchers also noted. The two variants show that they use the same codes to resolve its needed API functions. It also has the same implementation of NtSetInformationThread to hide a thread from a debugger. Both BlackMatter and LockBit 3.0 also used the same method of identifying logical drives. While this is common for some ransomware, the code used in this case is very similar. (we link to the blog in development once published.) The malware observed from the samples were detected by Trend Micro as Ransom.Win32.LOCKBIT.YXCGD for LockBit 3.0 and Ransom.Win32.LOCKBIT.YXCGD for the unpacked sample provided by Twitter user @cPeterr.

The release of LockBit 3.0 is significant because it also launched the group’s bug bounty program, the first initiative of its kind for ransomware operations. The gang urges security researchers to submit vulnerability reports to improve their operations in exchange for remuneration. The group’s reward for the contribution of security researchers ranges from US$1,000 to $1 million. The affiliate manager, referred to as LockBitSupp, has offered $1 million to anyone who can provide the identity of the members of the ransomware group. The hefty reward incentivizes hackers to discover a vulnerability that the gang considers as a warning that their operation is at risk.

Water Selkie is also offering compensation for ideas that can improve their software development and operation. They are looking for vulnerabilities related to TOX messenger, suggesting that the group relies heavily on the platform for communication. Moreover, the gang is seeking vulnerabilities in the Tor network to better ascertain their operation’s security and ensure that their root access servers are not compromised.


LockBit’s timeline of notable activities

Figure 1. LockBit’s timeline of notable activities

Recent LockBit developments

In April 2023, researchers from MalwareHunterTeam discovered LockBit ransomware encryptors targeting Mac devices. It is believed that these encryptors have been active since December 2022. However, upon analysis, it appears that they are likely a test build and lack the functionality to run on Mac devices. Additionally, this test build has some similarities with its Linux counterpart.

The impact of LockBit and insights from Water Selkie

Our investigation into the intrusion set behind LockBit, which we track as Water Selkie, reveals the effectiveness and impact of the tactics we have discussed. The key takeaways are the following:

  • The malware’s performance is a strong selling point. The malware’s speed and capabilities are widely known because the group uses them as selling points. The threat group’s efforts to publicize their malware’s capabilities have established it as the ransomware with one of the fastest and most efficient encryption methods.
  • It considers external pressures and issues faced by its potential targets. Water Selkie’s operators have indicated a preference for victims in Europe who fear breaching EU’s General Data Protection Regulation (GDPR). They continue to also consider the US to have lucrative targets, but see that data privacy laws can affect their chances of getting a successful payout. In general, they are attuned to geopolitical issues that they can use to their advantage.
  • Banks on the strength of its affiliate program. As mentioned earlier, a contributing factor in LockBit’s success is how well it recruits trustworthy and capable affiliates. Evidence also suggests that several of its affiliates are involved in multiple RaaS operations, which helps Water Selkie innovate and keep up with its competition. In return, Water Selkie prides itself on its professional operation that can be trusted by affiliates.
  • It has more in store for the future. Water Selkie clearly ramped up operations in the second half of 2021. We see that the intrusion set will either maintain or increase their level of activity in the first half of 2022. Organizations should also expect more supply chain attacks in the future according to an interview conducted with one of LockBit’s operators.

With LockBit affiliates being likely involved in other RaaS operations, its tactics slipping into those of other ransomware groups isn’t a far-fetched notion. Organizations would therefore benefit from recognizing LockBit’s tactics, techniques, and procedures (TTPs) laid out in the next sections.

Top affected industries and countries

In this section, we discuss Trend Micro™ Smart Protection Network™ data, which are detections of LockBit attempts to compromise organizations. LockBit has been detected all over the globe, with the US seeing most of the attack attempts from June 2021 to January 20, 2022, followed by India and Brazil. Like many ransomware families LockBit avoids Commonwealth of Independent States (CIS) countries.

Countries with the highest number of attack attempts machine for LockBit ransomware (July 1, 2021 to January 20, 2022)

Figure 2. Countries with the highest number of attack attempts per machine for LockBit ransomware (July 1, 2021 to January 20, 2022)
Source: Trend Micro™ Smart Protection Network™ infrastructure

We saw the most LockBit-related detections in the healthcare industry followed by the education sector.  LockBit threat actors have claimed that they do not attack healthcare, educational, and charity institutions. This “contradictory code of ethics,” has been noted by the US Department of Health Services (HHS) who warns the public not to rely on such statements as these tend to dissolve in the face of easy targets.

Industries with the highest number of attack attempts per machine for LockBit ransomware (July 1, 2021 to January 20, 2022)

Figure 3. Industries with the highest number of attack attempts per machine for LockBit ransomware (July 1, 2021 to January 20, 2022) 
Source: Trend Micro Smart Protection Network infrastructure

Overall, we saw increased LockBit-related activity following the release of LockBit 2.0, peaking in November 2021.

LockBit monthly detections per machine (July 1, 2021 to January 20, 2022)

Figure 4. LockBit monthly detections per machine (July 1, 2021 to January 20, 2022) 
Source: Trend Micro Smart Protection Network infrastructure

Targeted regions and sectors according to LockBit leak site

In this section, we examine the number of attacks recorded on LockBit’s leak site, which represents successfully compromised organizations who, as of writing, have refused to pay ransom. In our foray into the leak site of LockBit operators from December 16, 2021 to January 15, 2022, we observed that they had the highest number of recorded victims among active ransomware groups at 41, followed by Conti at 29. Do note, however, that LockBit has been accused of artificially inflating the number of their victims.

Looking into the list of their victims, it appears that more than half of the organizations are based in North America, followed by Europe and Asia Pacific.

Regional distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)

Figure 5. Regional distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)

LockBit targets organizations indiscriminately, in that their victims come from many different sectors compared to other groups. In the abovementioned time period, they have victims coming from financial, professional services, manufacturing, and construction sectors, just to name a few. The majority of LockBit’s victims have been either small or small and medium-size businesses (SMBs) – 65.9% and 14.6% respectively, with enterprises only comprising 19.5%. That’s at odds with a group like Conti who victimized 44.8% of enterprises and 34.5% SMBs, and only victimized 20.7% of small businesses.

Sector distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)

Figure 6. Sector distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)

In our observation of the activities within the LockBit leak site for the same time period, majority of attacks took place during weekdays, approximately 78% of the total, while 22% happened during the weekend.

Infection chain and techniques

Operating as a RaaS, LockBit infection chains show a variety of tactics and tools employed, depending on the affiliates involved in the attack. Affiliates typically buy access to targets from other threat actors, who typically obtain it via phishing, exploiting vulnerable apps, or brute forcing remote desktop protocol (RDP) accounts. 

Here are some of the observed infection flows of LockBit variants:

A LockBit 1.0 campaign that used PowerShell Empire to perform command and control after gaining access to the system

Figure 7. A LockBit 1.0 campaign that used PowerShell Empire to perform command and control after gaining access to the system

A LockBit 1.0 campaign that used Microsoft RAS to access other systems

Figure 8. A LockBit 1.0 campaign that used Microsoft RAS to access other systems

A LockBit 1.0 campaign that used Meterpreter to perform command and control after gaining access to the system

Figure 9. A LockBit 1.0 campaign that used Meterpreter to perform command and control after gaining access to the system

A LockBit 1.0 campaign that did not involve any network scanning as it directly deployed the payload after gaining access to the system

Figure 10. A LockBit 1.0 campaign that did not involve any network scanning as it directly deployed the payload after gaining access to the system

LockBit 2.0 infection chain that uses StealBit for automated data exfiltration

Figure 11. LockBit 2.0 infection chain that uses StealBit for automated data exfiltration

LockBit 3.0 infection chain that uses Cobeacon and KillAV

Figure 12. LockBit 3.0 infection chain that uses Cobeacon and KillAV


Initial Access

  • LockBit operators mostly gain access via compromised servers or RDP accounts that are usually bought or obtained from affiliates.
  • In some instances, it arrived via spam email or by brute forcing insecure RDP or VPN credentials.
  • It can also arrive via exploiting Fortinet VPN’s CVE-2018-13379 vulnerability.

Execution

  • LockBit is usually executed via command line as it accepts parameters of file path or directories if desired to only encrypt specific paths.
  • It may also be executed via created scheduled tasks. This is usually the case if it is propagated in other machines.
  • There are also reports of it being executed using PowerShell Empire, a pure PowerShell post-exploitation agent.

Credential Access

  • Aside from using credentials obtained from affiliates. LockBit attacks were also observed using Mimikatz to further gather credentials.

Defense Evasion

  • Some infections were observed to have GMER, PC Hunter, and/or Process Hacker. These are tools that are usually used to disable security products.
  • In some observed attacks, a Group Policy was created to disable Windows Defender.

Discovery

  • Network Scanner, Advanced Port Scanner, and AdFind were also used to enumerate connected machines in the network. Probably to locate the Domain Controller or Active Directory server as these are usually the best targets for deploying ransomware with network encryption or propagation.

Lateral Movement

  • LockBit can self-propagate via SMB connection using obtained credentials.
  • Some samples can self-propagate and execute via Group Policy.
  • In some instances, PsExec or Cobalt Strike were used to move laterally within the network.

Exfiltration

  • Uploads stolen files via cloud storage tools like MEGA or FreeFileSync.
  • Sometimes, the StealBit malware (also sold by the threat actors) was used instead to exfiltrate stolen files.

Impact

  • The ransomware payload will proceed with encryption routine upon execution. Encryption includes both local and network encryption.
  • It encrypts files using AES and encrypts AES key with RSA encryption. The AES Key is generated using BCryptGenRandom.
  • For faster encryption, it only encrypts the first 4KB of a file and appends it to “.lockbit.”
  • It will also replace the desktop wallpaper with a note that includes a statement where it tries to recruit insiders or affiliates within companies.

Figure 12. Sample wallpaper used by LockBit

  • LockBit also sends a WoL packet to ensure that network drives are active for its network encryption; this behavior was first observed on the Ryuk ransomware.
  • LockBit also has the capability to print its ransom note using connected printers using WinSpool APIs, which is probably inspired by Egregor ransomware.

MITRE tactics and techniques

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionDiscoveryLateral MovementExfiltrationImpact

T1566 - Phishing
Arrives via phishing emails 

T1190 - Exploit public-facing application
Arrives via any the following exploits: CVE-2018-13379

T1078 - Valid accounts
Has been reported to make use of compromised accounts to access victims via RDP or VPN

T1106 - Execution through API
Uses native API to execute various commands/ routines

T1059  - Command and scripting interpreter
Uses various scripting interpreters like PowerShell and Windows command shell 

T1204 - User execution
User execution is needed to carry out the payload from the spear phishing link or attachments

T1547  - Boot or logon autostart execution

Creates registry run entries

T1134 - Access token manipulation

Use AdjustTokenPrivilege API to modify token attribute to SE_PRIVILEGE_ENABLED 

T1548 - Abuse Elevation Control Mechanism
Makes use of  ucmDccwCOMMethod in UACME, a github collection of UAC bypass techniques

T1140 - Deobfuscate/Decode Files or Information
Strings to be used throughout the routine are encrypted using XOR or Subtraction.

T1562 - Impair defenses
Disables security related services via terminating them. May include using tools like PC Hunter, Process Hacker, KillAV/KillProc 

T1574 - Hijack execution flow
DLL side-loading can also be used as a form of defense evasion

T1218 - Signed Binary Proxy Execution 
Executes mshta to open the ransom note 

T1484 - Domain Policy Modification
It releases group policy update that will be able to terminate AV tools and create scheduled tasks to execute the propagated copies via SMB 

T1070 - Indicator Removal on Host 
It is capable of deleting Windows event logs and its executable file to remove traces 

T1083 - File and directory discovery
Searches for specific files and directory related to its encryption

T1135 - Network Share Discovery
Enumerate network share for its network encryption

T1018 - Remote system discovery
Makes use of tools for network scans

T1057 - Process discovery
Discovers certain processes for process termination

T1570 - Lateral tool transfer
Can make use of RDP, SMB admin shares, or PsExec to transfer the ransomware or tools within the network

T1567 - Exfiltration over web service
Syncs files to a specified cloud storage, such as MegaSync or FreeFileSync

T1041 - Exfiltration Over C2 Channel
Exfiltration using StealBit tool 

T1486 - Data encrypted for impact
Uses a combination of AES and RSA to encrypt the files and key.

Also prints ransom notes on printers using Winspool API

T1489 - Service stop
Contains a list of services to be terminated to ensure encryption

T1491 - Defacement
Replaces the desktop background to display the ransom note

Summary of malware, tools, and exploits used

Security teams can watch out for the presence of the following malware tools and exploits that are typically used in LockBit attacks: 

Initial EntryExecutionDiscoveryLateral MovementDefense EvasionExfiltration
  • Phishing emails
  • RDP/Valid accounts
  • Exploit:
    • CVE-2018-13379
  • Scheduled tasks
  • Windows command-line
  • Network Scanner 
  • Group Policy
  • SMB
  • PsExec
  • KillAV/KillProc
  • PC Hunter
  • Process Hacker
  • StealBit
  • FreeFileSync
  • MegaSync

Recommendations

As mentioned earlier, we expect the LockBit to continue its level of activity, if not increase it in the coming months. From our discussion, LockBit also demonstrates both consistent and versatile operations that adapt to current trends that affect the threat landscape. Organizations therefore should also keep abreast of the latest shifts that could influence their own security measures.  


To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing a solid defense against ransomware. 


Here are some best practices that can be included in these frameworks:


Audit and inventory

  • Take an inventory of assets and data 
  • Identify authorized and unauthorized devices and software 
  • Make an audit of event and incident logs 

Configure and monitor

  • Manage hardware and software configurations 
  • Grant admin privileges and access only when necessary to an employee’s role 
  • Monitor network ports, protocols, and services 
  • Activate security configurations on network infrastructure devices such as firewalls and routers 
  • Establish a software allow list that only executes legitimate applications 

Patch and update

  • Conduct regular vulnerability assessments
  • Perform patching or virtual patching for operating systems and applications 
  • Update software and applications to their latest versions 

Protect and recover

  • Implement data protection, backup, and recovery measures 
  • Enable multifactor authentication (MFA) 

Secure and defend

  • Employ sandbox analysis to block malicious emails 
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network 
  • Detect early signs of an attack such as the presence of suspicious tools in the system 
  • Use advanced detection technologies such as those powered by AI and machine learning

Train and test

  • Regularly train and assess employees on security skills 
  • Conduct red-team exercises and penetration tests

A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior could help protect enterprises.

  • Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
  • Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
  • Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of Compromise (IOCs)

The IOCs for this article can be found here. Actual indicators might vary per attack.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Veröffentlicht in Ransomware Spotlight, Ransomware