What is Lockbit 3.0? Who is Behind It? How to Protect From Lockbit Ransomware?

As crime grows in the digital world, cyber criminals try to make their malware more sophisticated. Ransomware is one such malware that tries to lock the victim’s data by encrypting and making them inaccessible by the victim and demand for ransom to unlock it. In this blog, we will see the most prevalent Ransomware of 2022, which is Lockbit Ransomware. Lockbit was first caught in September 2019, and after that, it has seen a lot of improvement with the release of Lockbit 2.0 in 2021 and Lockbit 3.0 in mid of 2022. Since Lockbit 3.0 is the currently running version of the Lockbit family, let’s dive into learning what is Lockbit 3.0, who is behind it, how Lockbit 3.0 works and its stages of the attack, its victims, IOCs, and finally, how to protect from Lockbit 3.0 ransomware, in this post.

What is Ransomware and Ransomware as a Service (RaaS)

Ransomware is nothing but malicious software (Malware) that lock the system by encrypting the files and demanding a ransom for releasing it. Ransomware as a service (Raas) is a business model which uses an already developed ransomware tool and provide it as a service for attackers in exchange for financial compensation.

The most common RaaS revenue models are

The most widely exploited Ransomware of the year 2022 is Lockbit 3.0. In this post, we will look into what is Lockbit 3.0 and how to protect from Lockbit ransomware.

What is Lockbit 3.0? Who is Behind It?

Lockbit 3.0 is the latest strain of malware released by the popular Lockbit ransomware family. Lockbit ransomware was First observed in September 2019. However, the Lockbit gang became prevalent through Lockbit 2.0 in 2021.

Lockbit ransomware gang targets multiple organizations all around the world. This family of ransomware programs is self-spreading. The main target of this group are organizations that are able to pay a large ransom. This ransomware family uses Ransomware as a service(RaaS) operating model where users can pay and get the ransomware services as a subscription. It is also suspected that Lockbit ransomware gang has roots in the black matter threat actors. 

After successful years of using Lockbit 2.0, by late 2022, the ransomware family released a more powerful strain of the ransomware program Lockbit 3.0 aka Lockbit black. To make things worse, they also adopted a double extortion model, which means they not only encrypt the files but do exfiltration as well. These files are shared to another device, making it scarier for the victim and urging them to pay the ransom.

How Lockbit 3.0 Works?

Like every other attacker group, Lockbit ransomware group also has some specific features, one of the most remarkable features of this Ransomware is its ability to self-propagate. There are multiple predefined automated processes set in the code of Lockbit, which makes it unique from other ransomware groups which are driven manually, which helps in completing recon much faster.

After infecting a single host, Lockbit ransomware can propagate itself and find other accessible hosts without any human intervention. One of the other notable features used by the Lockbit ransomware is the tools in a pattern that is native to an operating system which makes it more difficult for the endpoints to detect any suspicious behavior. They also hide the executable file in a .PNG format to deceive the defense mechanism.

Stages of Lockbit Attack

Lockbit attack can be roughly divided into three stages

Exploit:

The initial stage of a ransomware attack is by exploiting a weakness in a network. This initial exploitation can be via multiple methods, which may include phishing, social engineering, and other tactics as well. The attacker can also utilize weak password policies or other vulnerabilities, zero days, and misconfigurations in the network to gain initial access. It’sIt’s RaaS module recruits Initial Access Brokers (IAB) to obtain stolen credentials for Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) access.

Once the initial foothold is established, the Ransomware prepares itself to be spread across multiple devices in the network. Before that, the threat actor makes sure all requirements are in place.

Infiltrate:

Once the Ransomware is in the network, the attacker tries to download C2 tools on the compromised environment. Lockbit uses Red Team framework tools like Cobalt Strike Beacon, MetaSploit, and Mimikatz to infiltrate further to make the system ready for attack. As previously mentioned, the Lockbit program has multiple automated processes, which helps it to propagate independently to gain access by privilege escalations and lateral movement.

In this stage, the Ransomware prepares the system by disabling security programs or any other defensive mechanism so that they can deploy the encryption portion of the Ransomware safely.

The main goal of this stage is to make the victim helpless in recovering the encrypted files unassisted, hence urging them to pay ransom to restore the operations.

Deploy:

Once the exploit and infiltrate stages are completed successfully the Ransomware installs itself in the Windows Registry to maintain persistence and releases its encryption payload, which travels effortlessly through the network and starts encrypting or putting a lock on all the system files. It uses a pair of ECC (Curve25519) session keys, with the private key encrypted with an ECC public key stored in the Windows Registry. The deploy stage is much easier as a single system with high privilege can do complete damage.

Once the encryption is completed, all system files will be locked from the victim, which can be only unlocked by a custom key created by Lockbit’s proprietary decryption tool. The attacker also makes sure to leave a ransom note which provides instructions on what can be done to access the file back. It may also include a threatening blackmailing note.

After all the stages are completed, the rest is up to the victim. They may pay the ransom for restoring the files by following their demands. However, this is not advised as the victim has no guarantee of what the attackers may request.

What Did Security Researchers Find About Lockbit 3.0 in Their Analysis?

{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a

On Sep 2022, An unknown user, @ali_qushji published that his team had hacked the Lockbit servers, and he made the malware build available on GitHub. Please check out the post published on VMware blogs for more technical details about the Lockbit Black. 

Ransome note (Soruce: Trend Micro)

The desktop wall paper applied by Lockbit 3.0 (Source: Trend Micro)

Who Can Be Affected by Lockbit 3.0?

If we talk about the operating system platforms, Lockbit predominantly targets the windows platform. However, it is also seen that the new version of Lockbit has evolved to target Linux systems, including virtual environments such as VMWare ESXi. 

When you look at the geo-locations, the malware has tried victimizing the United States, Canada, Europe, Asia, and Latin America. And also, it has been observed that the group has been seen ignoring the countries from Eastern Europe region and the Commonwealth of Independent States except for Ukraine. 

When you look at the Organization list, Lockbit most likely targeted small to mid-sized businesses. This doesn’t mean that large-sized organizations should ignore this malware. All organizations must be very vigilant in such kinds of ransomware attacks. As per the statistics shared by BlackBerry, at least 478 blocks on the Lockbit malware family are observed, which makes it almost five attempts per day worldwide, including all Lockbit versions

Source: Blackberry

Indicator Of Compromise IOC

Hash

Yara Rules to Detect Lockbit Black

import "pe" 
rule LockBit_3_dll 
{ 
   meta:  
        author = "VMware TAU" //bdana  
        date = "2022-Oct-12"  
        description = "Identifies LockBit 3.0 DLL encryptor by exported function names."  
        rule_version = “1”  
        yara_version = "4.2.3"  
        exemplar_hash = “c2529655c36f1274b6aaa72911c0f4db7f46ef3a71f4b676c4500e180595cac6” 
   condition: 
      pe.exports("del") and 
      pe.exports("gdel") and 
      pe.exports("gdll") and 
      pe.exports("gmod") and 
      pe.exports("pmod") and 
      pe.exports("sdll") and 
      pe.exports("wdll") 
} 
  
rule LockBit_3_exe 
{ 
   meta: 
        author = "VMware TAU" //bdana 
        date = "2022-Oct-12" 
        description = "Identifies LockBit 3.0 exe encryptor section names, and artifact section names." 
        rule_version = “1” 
        yara_version = "4.2.3" 
        exemplar_hash = “5202e3fb98daa835cb807cc8ed44c356f5212649e6e1019c5481358f32b9a8a7” 
  strings: 
      $text = ".text" ascii wide 
      $itext = ".itext" ascii wide 
      $data = ".data" ascii wide 
      $rdata = ".rdata" ascii wide 
      $idata = ".idata" ascii wide 
      $xyz = ".xyz" ascii wide 
      $reloc = ".reloc" ascii wide 
      $bss = ".bss" ascii wide 
  condition: 
      #text > 2 and 
      #itext > 1 and  
      #data > 1 and 
      #rdata > 2 and 
      #idata > 3 and 
      $reloc and  
      $bss and $xyz and not 
      for any i in (0..pe.number_of_sections-1) : (  
           pe.sections[i].name == ".xyz" or 
           pe.sections[i].name == ".bss" 
      ) 
}

How to Protect From Lockbit 3.0?

After we learn what is lockbit 3.0, now it’s time to know how to protect from Lockbit 3.0 malware. We have listed a few guidelines that help you protecting your assets from Lockbit 3.0.

Conclusion

As technology is advancing, methods to exploit are also increasing exponentially. Every organization or individual must be prepared against this kind of ransomware attack. We hope this post helped you understand what is Lockbit 3.0 and how to protect from Lockbit ransomware attacks.

If you find this information valuable, please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.