OVERVIEW
LockBit is a ransomware variant that was first seen in September 2019, and has been prevalent in ransomware attacks ever since. The variant encrypts files using AES encryption and demands a large ransom for decryption, however, what sets it apart form other variants is how it functions. The LockBit attack is automated, making it extremely efficient and allows for further propagation without human intervention.
TARGETING
Lockbit has been observed to target commercial and professional services, as well as transportation, software and services, manufacturing, consumer services, energy and food. As far as known regional targets, the variant has been observed in organizations in the United States, China, India, Indonesia, Ukraine, France, United Kingdom and Germany.
DELIVERY
The Ransomware variant can be distributed via phishing, malicious attachments and downloads, application vulnerabilities and exploits, or credential stuffing in order to gain initial footing into a network. They have also been observed to have been distributed via servers that were already compromised previously or access of an unprotected RDP port (potentially purchased from underground black markets).
LOCKBIT INSTALLATION
After gaining access, the LockBit variant has been observed to attempt to identify mission critical systems such as domain controllers, backup servers, NAS devices.
Before encryption, it verifies the location of the compromised system – if the system resides in Russia or in the Commonwealth of Independent States, it will not execute further.
The attack chain after initial access has been seen to include the disabling of security services in the target environment, dropping keyloggers, deleting shadow copies and enumerating all accessible directors and network shares. Any data that has been seen as important or high-value is exfiltrated to hosting services such as MEGA’s cloud platform. Once completed, a unique LockBit sample is executed inside the target system which encrypts files and delivers the ransom note – this note has been seen to be called “Restore-My-Files.txt” and is dropped in all directories (as well as the desktop wallpaper being changed)
LOCKBIT PERSISTENCE
The ransomware achieves persistence through a key in ‘HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\’ called XO1XADpO01.
LOCKBIT COMMUNICATION
After initial access, Lockbit does not require immediate access to a command and control (C2) node in order to proceed. This is due to the automated nature of the process. This makes it unique, as it doesn’t require human interaction to propagate.
Threat Update
LockBit Threat Summary
The LockBit ransomware variant, previously known as the “.abcd” ransomware was first observed and has been active since September of 2019 – seen targeting organizations throughout the world, including the United States, China, India, U.K, and various other countries across Europe and Asia. In early 2021, the evolution of the variant dubbed “LockBit 2.0” began to circulate in Russian-language cybercrime forums, and shortly after was observed attacking manufacturing, retail, and professional services within countries such as Italy, U.K, Taiwan and Chile. Then in August of 2021, Accenture (a large tech services firm) was attacked by the variant – leading to 2,500 computers being compromised and $50 million in ransom demanded for 6 terabytes of data.
LockBit is considered a “ransomware-as-a-service”, meaning the operators provide affiliates the capabilities and access to their developed ransomware. The variant relies on Living off the land binaries (or tools that are native to the operating system) to help achieve their purpose and make it more difficult to detect, due to these tools being utilized on a day-to-day basis. Similarly to other ransomware variants, LockBit encrypts the victim’s system and extorts the victim with ransom demands. However, the variant also identifies and exfiltrates pertinent and sensitive information before the encryption takes place – threatening to publish or sell the obtained data if demands are not met. Due to the variant’s TTPs (Tactics, Techniques and Procedures), LockBit is considered similar to known malware “LockerGoga” and “MegaCortex”.
LockBit Threat Synopsis
In September of 2019, the LockBit ransomware variant (previously known as the .abcd ransomware variant, due to the extension being appended to files during encryption) emerged targeting several countries around the world. The variant evolved to the now infamous LockBit 2.0 in 2021, attacking several companies and organizations, but most notably Accenture in August of the same year. The differences between the versions being attributed to sophistication (less CPU usage, updates ransom note) and the usage of the extension “.lockbit” instead of “.abcd”.
The variant abuses Living off the Land Binaries such as Windows PowerShell and SMB (server message block) in order to disguise activities as “normal” and obfuscate their procedures – they have also have been observed utilizing publicly accessible tools such as Mimikatz. When a machine is compromised, the variant is self spreading, not needing manual interaction for the infection to spread and propagate on a victim’s machine (as well as other hosts that are reachable). The operators of LockBit 2.0 also utilize a method called “double extortion”, which means that the system is not only encrypted, but the pertinent and sensitive data is also exfiltrated before the encryption is completed. Therefore, the operator is capable of not only threatening the loss of data, but the public release or sale of the data as well.
The variant is known to initially breach the network via social engineering (phishing e-mails for example) or the abuse of unpatched vulnerabilities that are taken advantage of. After the initial access vector is achieved, the variant utilizes post exploitation tools to attain escalated privileges (such as Mimikatz) and move laterally – also abusing legitimate windows tools such as “net.exe”, “taskkill.exe” and “wmic.exe” for reconnaissance and execution. Techniques such as UAC Bypass for elevated execution, and Wevutil cleanup for defense evasion purposes can be noted as well. After disabling security programs and disabling recovery options (deleting shadow copies for example), the encryption payload is deployed. Similar to other ransomware variants, LockBit will then sprawl through the system and lock/encrypt files – recent developments also observing the exfiltration of these files before full encryption is achieved with the “Stealbit” application. A ransom note in a text file will also be dropped in ever system folder, giving the victim instructions on decryption.
In February of 2022, the FBI (Federal Bureau of Investigation) released an update to the LockBit report, with recent discovery of the addition of a Linux encryptor being used to target VMware ESXi servers for example. The report also mentions a hidden debug window, as well as a new list of discovered IOCs. With the recent vulnerability developments of the Log4j software library, there is more reason to be aware of potential initial access vectors of ransomware variants such as LockBit.
