LockBit 3.0 Ransomware

September 2019: ".abcd" ransomware appears, the precursor to LockBit.

January 2020: LockBit 1.0 is officially launched, establishing the RaaS model.

June 2021: LockBit 2.0 (LockBit Red) is released, featuring enhanced speed, anti-analysis capabilities, and the "StealBit" data exfiltration tool.

October 2021: LockBit Linux-ESXi Locker is introduced, expanding targets to include Linux and VMware ESXi systems.

March 2022: LockBit 3.0 (LockBit Black) emerges, incorporating features from BlackMatter and BlackCat/ALPHV ransomware, further improving evasion and anti-analysis techniques.

September 2022: The LockBit 3.0 builder is leaked, allowing anyone to create their own customized versions of the ransomware. This significantly lowers the barrier to entry for malicious actors.

January 2023: LockBit Green is released, incorporating portions of the Conti ransomware source code.

April 2023: Encryptors targeting macOS are seen, signalling a shift in focus.

February 2024: Operation Cronos, a multinational law enforcement effort, disrupts LockBit's infrastructure, seizing websites and servers. However, LockBit has attempted to resurface, demonstrating resilience.

May 2024: US and UK authorities unmask and sanction the alleged leader of LockBit, Dmitry Khoroshev.

Phishing: Spear-phishing emails with malicious attachments (e.g., weaponized Office documents) or links are a common entry point.

Exploitation of Public-Facing Applications: Vulnerabilities in internet-exposed applications and services, particularly RDP (Remote Desktop Protocol), VPNs, and Citrix, are frequently exploited. Known vulnerabilities like Log4Shell (CVE-2021-44228), Fortinet VPN flaws (CVE-2018-13379), and Citrix Bleed (CVE-2023-4966) have been actively used.

Drive-by Compromise: Users visiting compromised websites may unknowingly download malware.

Abuse of Valid Accounts: Stolen or compromised credentials, often obtained through credential stuffing or purchased on the dark web, are used to gain access.

Purchased Access: LockBit affiliates sometimes buy initial access from other criminals who specialize in breaching networks.

Privilege Escalation: LockBit attempts to gain elevated privileges, often using tools like Mimikatz or exploiting vulnerabilities. It is important to know how to prevent privilege escalation attacks.

Enumeration: The malware gathers information about the system, network, and connected devices.

Process and Service Termination: LockBit attempts to terminate security software, backup processes, and databases to prevent interference with encryption.

Command Execution: PowerShell, Batch scripts, and other command-line tools are used to execute commands and deploy further malware.

Automatic Logon: The ransomware may configure automatic logon to maintain persistence and escalate privileges.

Defense Evasion: Lockbit uses a number of techniques to attempt to avoid detection:

Registry Run Keys: LockBit modifies registry keys to ensure it runs on system startup.

Scheduled Tasks: Scheduled tasks are created to maintain persistence.

Installation of system services: Multiple services are installed per execution.

Hardcoded Credentials: The ransomware may contain hardcoded credentials for lateral movement.

Compromised Local Accounts: Accounts with elevated privileges are leveraged.

Group Policy Objects (GPOs): GPOs are modified to deploy the ransomware across the domain.

PsExec: The PsExec utility is often used for remote command execution.

SMB/Windows Admin Shares: Network shares are used to spread the ransomware.

AES + RSA Encryption: LockBit 3.0 typically uses a combination of AES and RSA encryption. Symmetric and asymmetric encryption helps for securing the data.

Partial File Encryption: To speed up the encryption process, LockBit may only encrypt a portion of each file.

File Extension: Encrypted files typically receive a ".lockbit" or a unique, randomly generated extension.

Skips Core System Files: System files are generally excluded to prevent rendering the system completely unusable.

Encrypted Communication: Communication with C2 servers is encrypted, often using TLS.

Data Transmission: Host information, encryption keys, and potentially exfiltrated data are sent to the C2 server.

POST Requests: LockBit uses HTTP POST requests.

StealBit: LockBit's custom data exfiltration tool, introduced in LockBit 2.0.

rclone: A legitimate open-source command-line tool for managing cloud storage.

MEGA and other File Sharing Services: Publicly available file-sharing services are used to store stolen data.

FTP: File Transfer Protocol.

Data Encryption: Files are rendered inaccessible.

Ransom Note: A ransom note (<Ransomware ID>.README.txt) is dropped, providing instructions for payment.

Wallpaper/Icon Change: The desktop wallpaper and file icons are often changed.

Data Leak Threats: LockBit employs double extortion, threatening to publish stolen data if the ransom is not paid.

Deletion of logs, shadow copies, and recycle bin: Lockbit takes multiple steps to remove any chance of restoring encrypted files.

Financial Gain: The primary motivation is financial, targeting organizations perceived as likely to pay a ransom.

Industry Agnostic: While initially focused on healthcare and education, LockBit has expanded to target virtually any industry. Manufacturing, technology, professional services, and government entities are frequently targeted.

Geographic Distribution: Attacks have occurred worldwide, with a high concentration in the United States, Europe, and Asia.

Critical Infrastructure: LockBit has increasingly targeted critical infrastructure organizations, including healthcare, energy, and transportation.

Small and Medium Sized Business (SMB): SMBs are frequently targeted.

Large Enterprises: LockBit affiliates have also successfully targeted large enterprises.

Accenture: A major consulting firm.

Boeing: Aerospace and defense giant.

Royal Mail: UK postal service.

Continental AG: Automotive parts manufacturer.

Industrial and Commercial Bank of China (ICBC): One of the world's largest banks.

London Drugs: Canadian retail chain.

Vulnerability Management: Regularly scan for and patch vulnerabilities, particularly in internet-facing systems (RDP, VPNs, Citrix). Prioritize patching known exploited vulnerabilities (e.g., Log4Shell, Citrix Bleed).

Strong Password Policies: Enforce strong, unique passwords and implement multi-factor authentication (MFA), especially for remote access and privileged accounts. Phishing-resistant MFA is highly recommended.

Email Security: Implement robust email security measures, including spam filtering, attachment scanning, and link analysis. Train users to recognize and report phishing attempts. Implementing SPF is very important to avoid Phishing attacks.

Network Segmentation: Segment networks to limit the lateral movement of ransomware.

Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to malicious activity on endpoints.

Antivirus/Antimalware: Install, update, and enable real-time detection for antivirus software.

Least Privilege: Configure access controls according to the principle of least privilege, limiting user access to only necessary resources.

Data Backup and Recovery: Maintain regular, offline backups of critical data. Test the backup and restoration process regularly. Ensure backups are encrypted and immutable.

Incident Response Plan: Develop and regularly test an incident response plan to effectively contain and recover from ransomware attacks. It is important to create an Incident Response Plan.

Security Awareness Training: Educate users about ransomware threats, phishing techniques, and safe online practices.

Disable Unused Ports and Services: Reduce the attack surface by disabling unnecessary ports and services.

Monitor Network Traffic: Implement network monitoring tools to detect unusual activity, such as large data transfers or communication with known malicious IP addresses.

Restrict Command-Line and Scripting Activities: Limit or disallow the use of PowerShell and other command-line tools.

Time-Based Access: Time-based access can be implemented for accounts running at the admin level.

Active Directory and Domain Controllers: Regularly review domain controllers and Active Directory for any new or unrecognised accounts.