LockBit 3.0, also known as LockBit Black, is a sophisticated and highly adaptable ransomware variant that has quickly become one of the most prevalent and dangerous cyber threats globally. Operating under the Ransomware-as-a-Service (RaaS) model, LockBit 3.0 provides its malicious software to affiliates, who then carry out attacks and share a percentage of the ransom proceeds. This model has allowed LockBit to proliferate rapidly and target a wide range of industries and organizations, making it a significant concern for cybersecurity professionals. This article serves as a deep dive into the threat, aiding security professionals to understand and combat its activities.
LockBit first emerged in September 2019, originally known as ".abcd" ransomware due to the file extension it used for encrypted files. It quickly transitioned to a RaaS model, attracting affiliates and gaining notoriety.
Here's a timeline of LockBit's evolution:
September 2019: ".abcd" ransomware appears, the precursor to LockBit.
January 2020: LockBit 1.0 is officially launched, establishing the RaaS model.
June 2021: LockBit 2.0 (LockBit Red) is released, featuring enhanced speed, anti-analysis capabilities, and the "StealBit" data exfiltration tool.
October 2021: LockBit Linux-ESXi Locker is introduced, expanding targets to include Linux and VMware ESXi systems.
March 2022: LockBit 3.0 (LockBit Black) emerges, incorporating features from BlackMatter and BlackCat/ALPHV ransomware, further improving evasion and anti-analysis techniques.
September 2022: The LockBit 3.0 builder is leaked, allowing anyone to create their own customized versions of the ransomware. This significantly lowers the barrier to entry for malicious actors.
January 2023: LockBit Green is released, incorporating portions of the Conti ransomware source code.
April 2023: Encryptors targeting macOS are seen, signalling a shift in focus.
February 2024: Operation Cronos, a multinational law enforcement effort, disrupts LockBit's infrastructure, seizing websites and servers. However, LockBit has attempted to resurface, demonstrating resilience.
May 2024: US and UK authorities unmask and sanction the alleged leader of LockBit, Dmitry Khoroshev.
There is no definitive state attribution. Most researchers link LockBit to Russian-speaking cybercriminals, although the group's public persona has claimed to be apolitical and based in the Netherlands. Its early recruitment on Russian-language forums supports that view, as does the payload's own behaviour: it checks the system language and exits without encrypting on machines configured for Russian or other languages of the CIS states.
The leak of the LockBit 3.0 builder in September 2022 was a pivotal moment. It gave researchers a full view of the build configuration, but it also let anyone produce customised payloads, so LockBit-derived variants proliferated and attribution became harder: a binary produced by the leaked builder proves only that someone had the builder, not that a LockBit affiliate was involved, and other crews have reused it under their own names. The builder's configuration options (encryption scope, process and service kill lists, credentials for impersonation, the ransom note text and whether a launch password is required) let relatively unskilled actors deploy a capable payload.
LockBit 3.0's success stems from its adaptability and the wide range of tactics, techniques, and procedures (TTPs) employed by its affiliates. This makes it difficult to define a single, consistent attack pattern. However, certain commonalities exist:
Initial Access:
Phishing: Spear-phishing emails with malicious attachments (e.g., weaponized Office documents) or links are a common entry point.
Exploitation of Public-Facing Applications: Vulnerabilities in internet-exposed applications and services, particularly RDP (Remote Desktop Protocol), VPNs, and Citrix, are frequently exploited. Known vulnerabilities like Log4Shell (CVE-2021-44228), Fortinet VPN flaws (CVE-2018-13379), and Citrix Bleed (CVE-2023-4966) have been actively used.
Drive-by Compromise: Users visiting compromised websites may unknowingly download malware.
Abuse of Valid Accounts: Stolen or compromised credentials, often obtained through credential stuffing or purchased on the dark web, are used to gain access.
Purchased Access: LockBit affiliates sometimes buy initial access from other criminals who specialize in breaching networks.
Execution & Infection:
Privilege Escalation: LockBit attempts to gain elevated privileges, often by dumping credentials with tools like Mimikatz or by exploiting local vulnerabilities; the payload itself also carries a UAC bypass so that an affiliate who lands as a standard user can still reach the SYSTEM-level actions it needs.
Enumeration: The malware gathers information about the system, network, and connected devices.
Process and Service Termination: LockBit attempts to terminate security software, backup processes, and databases to prevent interference with encryption.
Command Execution: PowerShell, Batch scripts, and other command-line tools are used to execute commands and deploy further malware.
Automatic Logon: When started with the -safe switch, the ransomware reboots into Safe Mode with networking and configures automatic logon (the AutoAdminLogon registry values) so that encryption resumes after the reboot without an interactive user, in a boot mode where many security agents are not loaded.
Defense Evasion: LockBit uses a number of techniques to avoid detection:
Debugger Evasion: LockBit includes checks to determine if it is running inside a debugger.
Self-Deletion: The ransomware executable may delete itself after execution.
Undocumented Function Calls: LockBit has been observed using undocumented kernel-level Windows functions.
Obfuscation: Strings and imported API names are resolved at run time rather than stored in the clear, and a build can be password-protected so that its code is encrypted on disk and only decrypted in memory once the correct -pass value is supplied; a sample recovered without that password can be neither executed nor statically analysed. The leaked builder also showed unused GUI code included to blur the binary's purpose.
Persistence:
Registry Run Keys: LockBit modifies registry keys to ensure it runs on system startup.
Scheduled Tasks: Scheduled tasks are created to maintain persistence.
Installation of system services: Multiple services are installed per execution.
Lateral Movement:
Hardcoded Credentials: The ransomware may contain hardcoded credentials for lateral movement.
Compromised Local Accounts: Accounts with elevated privileges are leveraged.
Group Policy Objects (GPOs): GPOs are modified to deploy the ransomware across the domain.
PsExec: The PsExec utility is often used for remote command execution.
SMB/Windows Admin Shares: Network shares are used to spread the ransomware.
Data Encryption:
Hybrid Encryption: LockBit 3.0 is reported to combine AES and RSA in the usual hybrid pattern: each file is encrypted with a symmetric key generated on the victim host, and that key is wrapped with an RSA public key embedded in the binary. The matching private key never touches the victim network, so when the implementation is sound there is no recovery without the operator's key.
Partial File Encryption: To get through large file shares quickly, LockBit encrypts only the first part of each file. That is enough to make the file unusable (headers and indexes are destroyed), but the untouched tail is one reason forensic carving sometimes recovers fragments of large files.
File Extension: LockBit 2.0 used ".lockbit"; LockBit 3.0 appends a random nine-character alphanumeric extension to each file, and the same string names the ransom note (<extension>.README.txt), which is the quickest way to identify the variant during triage.
Skips Core System Files: System files are generally excluded to prevent rendering the system completely unusable.
Command and Control (C2):
Encrypted Communication: Communication with C2 servers is encrypted, often using TLS.
Data Transmission: Host information, encryption keys, and potentially exfiltrated data are sent to the C2 server.
POST Requests: LockBit uses HTTP POST requests.
Exfiltration:
StealBit: LockBit's custom data exfiltration tool, introduced in LockBit 2.0.
rclone: A legitimate open-source command-line tool for managing cloud storage.
MEGA and other File Sharing Services: Publicly available file-sharing services are used to store stolen data.
FTP: Plain FTP uploads to attacker-controlled servers, easy to spot because the protocol is unencrypted and the ports are distinctive.
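StealBit, rclone and consumer file-sharing services all look like ordinary HTTPS on port 443, so the practical signals are destination, client fingerprint and volume. The script below is an added example for this article, not the author's or any vendor's code: it parses constructed proxy/firewall log lines and flags sources that talk to known file-sharing domains, present rclone's default User-Agent, push large FTP uploads, or move far more bytes out than in over the window. The key=value log format, the domain list, the thresholds and every address in the sample are assumptions to tune, not authoritative indicators.

```python
"""Spot likely bulk exfiltration in outbound proxy/firewall telemetry.

Added example for this article, not the author's or any vendor's code. The
key=value log format, the domain list and the thresholds are assumptions to
tune; the sample lines, hosts and addresses are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# File-hosting providers seen in extortion cases (constructed starting list):
# extend with what your threat intel reports and allow-list sanctioned ones.
FILE_SHARING_SUFFIXES = ("mega.nz", "mega.co.nz", "mega.io", "dropbox.com", "wetransfer.com")
MIB = 2 ** 20
VOLUME_THRESHOLD = 500 * MIB     # bytes out per source over the log window
FTP_UPLOAD_THRESHOLD = 50 * MIB  # bytes out in a single FTP session
OUT_IN_RATIO = 10                # uploads that dwarf downloads


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst_host: str
    dst_port: int
    bytes_out: int
    bytes_in: int
    user_agent: str


@dataclass(frozen=True)
class Finding:
    src: str
    reason: str
    detail: str


LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst_host=(?P<dst>\S+)\s+dst_port=(?P<port>\d+)'
    r'\s+bytes_out=(?P<out>\d+)\s+bytes_in=(?P<in>\d+)\s+ua="(?P<ua>[^"]*)"$'
)


def parse_event(line: str) -> Event | None:
    """Parse one key=value line; None for anything that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["src"], m["dst"], int(m["port"]), int(m["out"]), int(m["in"]), m["ua"])


def is_file_sharing_host(host: str) -> bool:
    """Exact or subdomain match against the suffix list (g.api.mega.co.nz hits mega.co.nz)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FILE_SHARING_SUFFIXES)


def detect_exfil(lines, volume_threshold: int = VOLUME_THRESHOLD) -> list[Finding]:
    """Per-event indicators plus a per-source volume check over the whole window."""
    findings: list[Finding] = []
    out_by_src: dict[str, int] = defaultdict(int)
    in_by_src: dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        out_by_src[ev.src] += ev.bytes_out
        in_by_src[ev.src] += ev.bytes_in
        if is_file_sharing_host(ev.dst_host):
            findings.append(Finding(ev.src, "file_sharing_domain", ev.dst_host))
        if ev.user_agent.lower().startswith("rclone/"):  # rclone's default User-Agent
            findings.append(Finding(ev.src, "rclone_user_agent", ev.user_agent))
        if ev.dst_port == 21 and ev.bytes_out >= FTP_UPLOAD_THRESHOLD:
            findings.append(Finding(ev.src, "ftp_bulk_upload", f"{ev.bytes_out // MIB} MiB to {ev.dst_host}"))
    # Exfiltration split over many sessions only shows up in the aggregate.
    for src, out in out_by_src.items():
        if out >= volume_threshold and out >= OUT_IN_RATIO * max(in_by_src[src], 1):
            findings.append(Finding(src, "upload_volume", f"{out // MIB} MiB out, {in_by_src[src] // MIB} MiB in"))
    return findings


def summarize(findings) -> dict[str, set[str]]:
    """Source -> set of reasons, the shape an analyst or a SIEM rule wants."""
    summary: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        summary[f.src].add(f.reason)
    return dict(summary)


# Constructed sample: one host pushing ~750 MiB to MEGA with rclone, one bulk
# FTP upload to a TEST-NET address, and an ordinary workstation for contrast.
SAMPLE_LOG = """
2024-02-18T22:14:03Z src=10.20.5.17 dst_host=g.api.mega.co.nz dst_port=443 bytes_out=262144000 bytes_in=40960 ua="rclone/v1.65.0"
2024-02-18T22:19:41Z src=10.20.5.17 dst_host=g.api.mega.co.nz dst_port=443 bytes_out=262144000 bytes_in=38912 ua="rclone/v1.65.0"
2024-02-18T22:25:12Z src=10.20.5.17 dst_host=g.api.mega.co.nz dst_port=443 bytes_out=262144000 bytes_in=41984 ua="rclone/v1.65.0"
2024-02-18T22:30:00Z src=10.20.9.3 dst_host=203.0.113.45 dst_port=21 bytes_out=1288490188 bytes_in=8192 ua=""
2024-02-18T22:31:07Z src=10.20.7.9 dst_host=www.microsoft.com dst_port=443 bytes_out=5120 bytes_in=7340032 ua="Mozilla/5.0"
2024-02-18T22:33:15Z src=10.20.7.9 dst_host=teams.microsoft.com dst_port=443 bytes_out=2097152 bytes_in=10485760 ua="Mozilla/5.0"
2024-02-18T22:40:02Z src=10.20.5.17 dst_host=update.example.net dst_port=443 bytes_out=1024 bytes_in=52428800 ua="Mozilla/5.0"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for src, reasons in summarize(detect_exfil(SAMPLE_LINES)).items():
        print(src, sorted(reasons))
```

The User-Agent check is the weakest of the four signals: rclone accepts a --user-agent override and StealBit has no client string the page documents, so the destination and volume checks carry the detection when an operator is careful. Aggregating per source over the window is what keeps the rule useful when a transfer is split across many sessions.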
Impact:
Data Encryption: Files are rendered inaccessible.
Ransom Note: A ransom note (<Ransomware ID>.README.txt) is dropped in every encrypted directory, providing instructions for payment.
Wallpaper/Icon Change: The desktop wallpaper and file icons are often changed.
Data Leak Threats: LockBit employs double extortion, threatening to publish stolen data if the ransom is not paid.
Deletion of logs, shadow copies, and Recycle Bin: LockBit clears Windows event logs, deletes Volume Shadow Copies, empties the Recycle Bin and disables Windows recovery and boot-failure repair, so that the easy local restore paths are gone before the note appears.
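The two naming habits described under Impact, the random nine-character extension and the matching <extension>.README.txt note, are enough to scope an incident from a file listing alone. The script below is an added example for this article, not the author's code: it derives the extension from the note names, enumerates the encrypted files, maps them back to their original names for restoration planning, and also recognises the older .lockbit suffix. The path list is constructed and the extension x9Kq2pLm7 is a placeholder, not one taken from a real case.

```python
"""Scope a LockBit 3.0 encryption event from file names alone.

Added example for this article, not the author's code. It relies on two
documented naming habits: LockBit 3.0 appends a random nine-character
alphanumeric extension to each encrypted file, and its ransom note is named
<that extension>.README.txt. The sample path list is constructed and the
extension x9Kq2pLm7 is a placeholder."""
from __future__ import annotations

import os
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

NOTE_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]{9})\.README\.txt$")
LEGACY_EXTENSIONS = {".lockbit"}  # LockBit 2.0 naming, kept for older samples


@dataclass
class TriageReport:
    extensions: set[str]        # extensions learned from ransom-note names
    encrypted_files: list[str]
    directories: Counter        # directory -> number of encrypted files
    notes: list[str]

    @property
    def originals(self) -> list[str]:
        """Original names, recovered by stripping the appended extension."""
        return [str(PureWindowsPath(p).with_suffix("")) for p in self.encrypted_files]


def note_extensions(paths) -> set[str]:
    """Every extension implied by a <9 chars>.README.txt note in the listing."""
    exts: set[str] = set()
    for p in paths:
        m = NOTE_RE.match(PureWindowsPath(p).name)
        if m:
            exts.add("." + m.group("ext"))
    return exts


def triage(paths) -> TriageReport:
    """Identify the variant's extension(s), then count and locate encrypted files."""
    paths = list(paths)
    exts = note_extensions(paths)
    candidates = exts | LEGACY_EXTENSIONS
    notes = [p for p in paths if NOTE_RE.match(PureWindowsPath(p).name)]
    encrypted = [p for p in paths if PureWindowsPath(p).suffix in candidates]
    dirs = Counter(str(PureWindowsPath(p).parent) for p in encrypted)
    return TriageReport(exts, encrypted, dirs, notes)


def triage_directory(root: str) -> TriageReport:
    """Walk a real tree (a mounted image or restored share) and triage it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(paths)


# Constructed listing: two hit shares, one LockBit 2.0 leftover, untouched files.
SAMPLE_PATHS = [
    r"C:\Shares\Finance\x9Kq2pLm7.README.txt",
    r"C:\Shares\Finance\Q4_report.xlsx.x9Kq2pLm7",
    r"C:\Shares\Finance\budget.docx.x9Kq2pLm7",
    r"C:\Shares\HR\x9Kq2pLm7.README.txt",
    r"C:\Shares\HR\payroll.csv.x9Kq2pLm7",
    r"C:\Shares\HR\onboarding.txt",
    r"C:\Backups\legacy\archive.zip.lockbit",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Users\jdoe\Desktop\notes.txt",
]

if __name__ == "__main__":
    report = triage(SAMPLE_PATHS)
    print("extensions:", sorted(report.extensions))
    print("encrypted files:", len(report.encrypted_files))
    for directory, count in report.directories.most_common():
        print(f"  {directory}: {count}")
    print("originals to restore:", report.originals)
```

Because it works on names only, the script can run against a listing exported from a backup catalogue or a mounted image without touching the live host; triage_directory() walks a real tree when that is appropriate. The per-directory counts are what you need to decide which shares to restore first, and the recovered original names are the list to check against backup retention.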
Command-Line Parameters: LockBit 3.0 can be executed with various command-line parameters, providing flexibility to the attacker:
Parameter | Description
---|---
-del | Deletes the executable after encryption finishes.
-gdel | Removes the Group Policy changes LockBit made for deployment.
-gspd | Spreads laterally via Group Policy, pushing the payload to domain-joined hosts.
-pass | Password (a 32-character value) needed to launch a password-protected build; without it the encrypted payload body cannot run or be analysed.
-path | Encrypts only the specified file or folder path.
-psex | Spreads laterally via admin shares with PsExec-style remote execution.
-safe | Reboots the host into Safe Mode (with automatic logon configured) and continues encryption there, where many security agents do not load.
-wall | Sets the LockBit wallpaper and prints the ransom note.
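The switches above are useful detection content, but only in combination: -path or -del alone appear in countless benign tools, whereas -gspd, -psex, -wall, -safe, or a -pass followed by a 32-character hex value rarely do. The script below is an added example for this article, not code from the author or from the ransomware. It runs a small rule set over process-creation telemetry covering the shadow-copy deletion, recovery disabling, log clearing, persistence and PsExec/GPO activity listed in the TTP sections, plus those switch combinations. It assumes a generic key=value export of Sysmon Event ID 1 or Windows 4688 data; the log lines, host names, users, paths and the -pass value are constructed placeholders.

```python
"""Flag LockBit-style precursor commands and LockBit 3.0 launch switches in
process-creation telemetry.

Added example for this article; not code from the author or from LockBit.
Field names follow a generic key=value export of Sysmon Event ID 1 / Windows
4688 data, and every sample line is constructed (hosts, users, paths and the
-pass value are placeholders)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# (name, ATT&CK technique, severity, regex over the full command line).
# Patterns are loose on purpose: operators vary quoting, order and .exe suffix.
RULES = [
    ("shadow_copy_deletion", "T1490", "high",
     r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete"),
    ("recovery_disabled", "T1490", "high",
     r"\bbcdedit(\.exe)?\s+/set\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("safe_mode_boot", "T1562.009", "medium", r"\bbcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+safeboot"),
    ("event_log_cleared", "T1070.001", "high", r"\bwevtutil(\.exe)?\s+cl\s+\S+"),
    ("run_key_persistence", "T1547.001", "medium", r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run(Once)?\b"),
    ("scheduled_task_persistence", "T1053.005", "low", r"\bschtasks(\.exe)?\s+/create\b"),
    ("psexec_remote_exec", "T1021.002", "medium", r"\bpsexec(64)?(\.exe)?\s+\\\\\S+"),
    ("gpo_refresh", "T1484.001", "low", r"\bgpupdate(\.exe)?\s+/force"),
]
COMPILED = [(n, t, s, re.compile(p, re.IGNORECASE)) for n, t, s, p in RULES]

# Strong switches are rare outside LockBit; the weak ones are common CLI flags
# and only count in pairs or when -pass carries a 32-character hex value.
STRONG_SWITCHES = {"-gspd", "-psex", "-gdel", "-wall", "-safe"}
WEAK_SWITCHES = {"-pass", "-path", "-del"}
PASS_RE = re.compile(r"(?:^|\s)-pass\s+[0-9a-f]{32}(?:\s|$)", re.IGNORECASE)


def lockbit3_switches(command_line: str) -> set[str]:
    """LockBit 3.0 switches present on a command line, lower-cased."""
    tokens = {t.lower() for t in command_line.split()}
    return tokens & (STRONG_SWITCHES | WEAK_SWITCHES)


def is_lockbit3_launch(command_line: str) -> bool:
    """True when the switch combination is unlikely to be a benign tool."""
    found = lockbit3_switches(command_line)
    return (PASS_RE.search(command_line) is not None
            or bool(found & STRONG_SWITCHES)
            or len(found & WEAK_SWITCHES) >= 2)


@dataclass(frozen=True)
class Hit:
    host: str
    rule: str
    technique: str
    severity: str
    command_line: str


LOG_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>[^"]*)"$')


def parse_line(line: str) -> dict[str, str] | None:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines) -> list[Hit]:
    """Every rule hit, one Hit per (event, rule)."""
    hits: list[Hit] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cmd = ev["cmd"]
        fired = [(n, t, s) for n, t, s, rx in COMPILED if rx.search(cmd)]
        if is_lockbit3_launch(cmd):
            fired.append(("lockbit3_launch_switches", "T1486", "high"))
        hits.extend(Hit(ev["host"], n, t, s, cmd) for n, t, s in fired)
    return hits


SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def score_hosts(hits) -> dict[str, int]:
    """Sum severity weights per host so an analyst can rank where to look first."""
    scores: dict[str, int] = defaultdict(int)
    for h in hits:
        scores[h.host] += SEVERITY_WEIGHT[h.severity]
    return dict(scores)


# Constructed sample: a file server being prepared and encrypted, a domain
# controller pushing the payload, and an unrelated workstation for contrast.
SAMPLE_LOG = r"""
2024-02-19T03:12:44Z host=FS01 user=CORP\svc_backup cmd="vssadmin.exe delete shadows /all /quiet"
2024-02-19T03:12:45Z host=FS01 user=CORP\svc_backup cmd="bcdedit /set {default} recoveryenabled No"
2024-02-19T03:12:46Z host=FS01 user=CORP\svc_backup cmd="bcdedit /set {current} safeboot network"
2024-02-19T03:12:47Z host=FS01 user=CORP\svc_backup cmd="wevtutil cl Security"
2024-02-19T03:12:48Z host=FS01 user=CORP\svc_backup cmd="reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v lb /t REG_SZ /d C:\temp\lb.exe"
2024-02-19T03:12:49Z host=FS01 user=CORP\svc_backup cmd="schtasks /create /tn Updater /tr C:\temp\lb.exe /sc onstart /ru SYSTEM"
2024-02-19T03:12:50Z host=FS01 user=CORP\svc_backup cmd="C:\temp\lb.exe -pass 0123456789abcdef0123456789abcdef -gspd -wall"
2024-02-19T03:13:02Z host=DC01 user=CORP\da_admin cmd="psexec.exe \\WS22 -accepteula -s -c C:\temp\lb.exe -safe"
2024-02-19T03:13:03Z host=DC01 user=CORP\da_admin cmd="gpupdate /force"
2024-02-19T09:01:10Z host=WS22 user=CORP\jdoe cmd="powershell.exe -ExecutionPolicy Bypass -File C:\scripts\cleanup.ps1 -path C:\data\tmp"
2024-02-19T09:02:00Z host=WS22 user=CORP\jdoe cmd="notepad.exe C:\Users\jdoe\notes.txt"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    found = analyze(SAMPLE_LINES)
    for h in found:
        print(f"{h.host:5} {h.severity:6} {h.rule:27} {h.technique:9} {h.command_line}")
    print(score_hosts(found))
```

Treat the per-host score as triage ordering, not a verdict: schtasks /create and gpupdate /force are noisy on their own, which is why they carry the lowest weight, while shadow-copy deletion followed minutes later by a -pass launch on the same host is the sequence that should page someone. The workstation in the sample runs a script with a lone -path and is correctly left alone.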
LockBit affiliates have demonstrated a broad and opportunistic approach to targeting, impacting a wide range of industries and organizations globally. However, certain patterns have emerged:
Financial Gain: The primary motivation is financial, targeting organizations perceived as likely to pay a ransom.
Industry Agnostic: While initially focused on healthcare and education, LockBit has expanded to target virtually any industry. Manufacturing, technology, professional services, and government entities are frequently targeted.
Geographic Distribution: Attacks have occurred worldwide, with a high concentration in the United States, Europe, and Asia.
Critical Infrastructure: LockBit has increasingly targeted critical infrastructure organizations, including healthcare, energy, and transportation.
Small and medium-sized businesses (SMBs): Frequently targeted, typically through the same exposed RDP and VPN services listed under Initial Access.
Large Enterprises: LockBit affiliates have also successfully targeted large enterprises.
Notable Victims:
Accenture: A major consulting firm.
Boeing: Aerospace and defense giant.
Royal Mail: UK postal service.
Continental AG: Automotive parts manufacturer.
Industrial and Commercial Bank of China (ICBC): One of the world's largest banks.
London Drugs: Canadian retail chain.
LockBit has been behind numerous high-profile attack campaigns:
Accenture (August 2021): LockBit 2.0 was used to steal 6TB of data, with a $50 million ransom demand.
Royal Mail (January 2023): LockBit 3.0 disrupted international postal services.
Boeing (October 2023): LockBit claimed responsibility for stealing a large amount of sensitive data and, when no ransom was paid, published it on its leak site.
ICBC (November 2023): The attack disrupted US Treasury market trades.
Fulton County, Georgia (January 2024): Government systems were impacted.
Operation Cronos (February 2024): Not an attack but the law-enforcement response to them: a coordinated international operation seized LockBit's servers, leak site and affiliate panel, recovered decryption keys, and published details about affiliates.
These attacks demonstrate the significant real-world impact of LockBit: financial losses, data breaches and operational disruption. They also show LockBit's evolving tactics, expanding target scope, and resilience even after law enforcement action.
Protecting against LockBit 3.0 requires a multi-layered defense strategy, encompassing both proactive prevention and robust detection and response capabilities:
Vulnerability Management: Regularly scan for and patch vulnerabilities, particularly in internet-facing systems (RDP, VPNs, Citrix). Prioritize patching known exploited vulnerabilities (e.g., Log4Shell, Citrix Bleed).
Strong Password Policies: Enforce strong, unique passwords and implement multi-factor authentication (MFA), especially for remote access and privileged accounts. Phishing-resistant MFA is highly recommended.
Email Security: Implement spam filtering, attachment sandboxing and link analysis, and train users to recognise and report phishing attempts. Publish SPF, DKIM and an enforcing DMARC policy for your own domains; this stops attackers spoofing your domain to your own staff and partners, but does nothing against mail from look-alike or compromised third-party domains, so filtering and user reporting remain necessary.
Network Segmentation: Segment networks to limit the lateral movement of ransomware.
Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to malicious activity on endpoints.
Antivirus/Antimalware: Install, update, and enable real-time detection for antivirus software.
Least Privilege: Configure access controls according to the principle of least privilege, limiting user access to only necessary resources.
Data Backup and Recovery: Maintain regular, offline or immutable backups of critical data and test restoration regularly. A backup that domain credentials can reach is not a backup for this purpose: LockBit terminates backup services, deletes shadow copies and will encrypt or delete anything writable from the compromised domain, so keep at least one copy the domain cannot modify, and encrypt backups at rest.
Incident Response Plan: Develop and regularly exercise an incident response plan that covers containment (isolating hosts, disabling compromised accounts, blocking outbound transfers), evidence preservation and recovery from backups.
Security Awareness Training: Educate users about ransomware threats, phishing techniques, and safe online practices.
Disable Unused Ports and Services: Reduce the attack surface by disabling unnecessary ports and services.
Monitor Network Traffic: Implement network monitoring tools to detect unusual activity, such as large data transfers or communication with known malicious IP addresses.
Restrict Command-Line and Scripting Activities: Rather than blanket-disabling PowerShell, which administrators need, constrain it: enable script block and module logging, use Constrained Language Mode for non-admin users, and apply AppLocker or WDAC rules so that unsigned scripts and tools such as PsExec cannot run from user-writable paths.
Time-Based Access: Grant administrative rights just-in-time and for a limited duration rather than keeping standing admin accounts, so that a stolen credential used outside its approved window is useless.
Active Directory and Domain Controllers: Regularly review domain controllers and Active Directory for any new or unrecognised accounts.
LockBit 3.0 ransomware represents a significant and persistent threat to organizations worldwide. Its RaaS model, sophisticated techniques, and continuous evolution make it a formidable adversary. While law enforcement actions like Operation Cronos have disrupted LockBit's operations, the group has demonstrated resilience and the potential for resurgence. Organizations must adopt a proactive, multi-layered security approach, encompassing vulnerability management, strong authentication, network segmentation, endpoint protection, data backups, and comprehensive incident response planning. Continuous monitoring, threat intelligence, and user education are crucial to staying ahead of this evolving threat. The fight against LockBit, and ransomware in general, requires a collaborative effort between cybersecurity professionals, law enforcement, and organizations across all sectors.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.