Ransomware Encyclopedia: LockBit Ransomware
Companies worldwide are targets of LockBit, one of the most successful Ransomware-as-a-Service (RaaS) operations in history. This ransomware threatens organizations with operational disruption, extortion, data theft and the illegal publication of stolen data.
LockBit accounted for 15% of ransomware attacks during the first quarter of 2022, second only to Conti with 16%. Its impact has since grown dramatically: LockBit was responsible for 40% of ransomware attacks in the second quarter of 2022.
Based on data from LockBit's data leak site, almost half of the victim organizations were based in the US, followed by Italy, Germany, Canada, France and the UK. Still, organizations in Asia are increasingly being targeted, and Blackpanda has seen an enormous rise in LockBit ransomware cases in the past few weeks.
The most impacted industry verticals have been professional and legal services, construction, government, real estate, retail, technology, and manufacturing. Interestingly, the malware checks the system's language settings and refuses to run on machines configured with certain Eastern European languages, which strongly suggests that the LockBit operators are based in that region and operate with Russian interests.

When was LockBit created?
The ransomware group now known as LockBit was originally called ABCD because it left encrypted files with the extension .abcd. In early 2020 the group launched its RaaS affiliate program, and later that year it added data-leak extortion to the program.
In its early days, LockBit remained a relatively small player, while other high-profile gangs such as Ryuk, REvil and Maze were more successful. Following the launch of LockBit 2.0 in the second half of 2021 and the closure of other gangs, LockBit began to gain traction.
Its growth rests on its RaaS model, which allows the LockBit developers to sell access to the ransomware program and its infrastructure to third-party cyber criminals, known as affiliates. The affiliates break into networks and deploy the ransomware for a cut of up to 75% of the ransoms paid by victims. In addition to exfiltrating data from victim organizations, LockBit's affiliates threaten to publish it on the internet, as most other RaaS gangs do.
In a 2021 public interview, an alleged LockBit gang member claimed the group avoided targeting healthcare, education, charities and social services organizations. Nevertheless, LockBit affiliates have since attacked healthcare and education organizations, contradicting that claim.
There are 850 victims listed on the LockBit 2.0 site, but the gang claims it has ransomed over 12,125 organizations.
How does LockBit work?
Some of the typical characteristics of ransomware also apply to LockBit. It is self-spreading, such that once it penetrates an organization's network it propagates to every reachable endpoint without manual direction, and targeted, such that attackers launch it against specific organizations rather than against random users on the internet.
1st stage: Vulnerability exploitation
Since many affiliates distribute LockBit, the access vectors vary: spear-phishing emails with malicious attachments, exploitation of vulnerabilities in public-facing applications, and stolen VPN and RDP credentials are all used. LockBit affiliates are also known to purchase access from other parties (initial access brokers).
2nd stage: Infiltration into company networks
To expand their access to other systems after gaining an initial foothold, LockBit affiliates deploy various tools, including:
- Credential dumpers such as Mimikatz
- Exploits for publicly known vulnerabilities, such as ProxyShell in Microsoft Exchange Server, to gain or escalate access
- Tools such as GMER, PC Hunter and Process Hacker, used to terminate security products and other processes
- Network and port scanners to identify Active Directory domain controllers
- Remote execution tools such as PsExec or Cobalt Strike for lateral movement
- Obfuscated PowerShell and batch scripts and rogue scheduled tasks for persistence
Once deployed, LockBit can also spread to other systems on its own over SMB connections and through Active Directory group policies. As soon as the ransomware is executed, it deletes Windows volume shadow copies and clears the system and security event logs to hinder recovery and forensics.
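The behaviours listed above leave recognizable traces in process-creation telemetry: shadow-copy deletion, boot recovery being disabled, event logs being cleared, PsExec launching remote commands, and scheduled tasks pointing at scripts. The following is an added example, written for this page and not Blackpanda's or LockBit's code, that runs a small rule set over constructed Sysmon-style event lines (the lines, host names and user names are invented for the example; the regexes are the author's own assumptions about what those commands look like, not vendor signatures):

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# flattened to one line each). These are invented for the example, not
# records from a real LockBit incident.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin delete shadows /all /quiet User=CORP\\svc-backup",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic shadowcopy delete User=CORP\\admin",
    "Image=C:\\Windows\\System32\\wevtutil.exe CommandLine=wevtutil cl Security User=CORP\\admin",
    "Image=C:\\Windows\\System32\\bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled no User=CORP\\admin",
    "Image=C:\\Tools\\PsExec.exe CommandLine=PsExec.exe \\\\FS01 -s cmd /c start payload.exe User=CORP\\admin",
    "Image=C:\\Windows\\System32\\schtasks.exe CommandLine=schtasks /create /tn Updater /tr C:\\Users\\Public\\run.bat /sc onlogon User=CORP\\admin",
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe C:\\Users\\bob\\notes.txt User=CORP\\bob",
]

# Detection rules: (rule name, regex matched against the flattened event text).
# These are illustrative patterns written for this example.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("event_log_cleared",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+(system|security|application)", re.I)),
    ("remote_exec_psexec",
     re.compile(r"psexec(64)?\.exe\s+\\\\\S+", re.I)),
    ("scheduled_task_persistence",
     re.compile(r"schtasks(\.exe)?\s+/create\s+.*\.(bat|ps1|exe|vbs)", re.I)),
]


def scan_events(events):
    """Return a list of (rule_name, event) pairs for every rule each event trips."""
    hits = []
    for event in events:
        for name, pattern in RULES:
            if pattern.search(event):
                hits.append((name, event))
    return hits


def assess(hits):
    """Turn individual rule hits into a coarse verdict for the host.

    Shadow-copy deletion combined with log clearing is the pre-encryption
    sequence described in the text, so it is rated highest; either recovery
    inhibitor on its own still warrants immediate containment.
    """
    names = {name for name, _ in hits}
    if {"shadow_copy_deletion", "event_log_cleared"} <= names:
        return "likely ransomware deployment"
    if names & {"shadow_copy_deletion", "recovery_disabled"}:
        return "recovery inhibition seen"
    if names:
        return "suspicious activity"
    return "clean"


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for name, event in found:
        print(f"[{name}] {event}")
    print("verdict:", assess(found))
```

In practice the same rules would be fed from an EDR or SIEM query rather than a Python list; the point is that the recovery-inhibition commands fire minutes before files start changing, so alerting on them buys the time that the partial-encryption speed described below is designed to take away.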
3rd stage: Payload deployment
After collecting information from the system, such as the hostname and domain information, the local drive configuration, remote shares and mounted storage devices, the malware encrypts files on both local drives and reachable network shares. Rather than encrypting whole files, it encrypts only the first 4KB of each file and appends the ".lockbit" extension.
The group claims that LockBit 2.0 has the fastest encryption routine. Whilst this is not accurate in terms of pure cipher throughput, LockBit still completes its encryption run remarkably quickly thanks to partial encryption. Overwriting only the first 4KB, which holds a file's header and structure, is enough to render it unreadable and unusable, while letting the attack finish before inexperienced users have time to shut systems down and isolate them from the network.
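Partial encryption has a forensic side effect worth knowing during triage: a file hit by LockBit 2.0 has a high-entropy first 4KB followed by untouched plaintext, which is the opposite profile of a legitimately compressed archive (high entropy throughout). The following added example, written for this page and not code from Blackpanda or from LockBit, scores files on that profile. The sample "document" is a constructed PDF-like byte string, and the damaged copy is produced by overwriting its first 4KB with a fixed byte pattern to simulate the effect; this is a simulation of the outcome, not LockBit's cipher.

```python
import math
from collections import Counter

HEAD = 4096  # LockBit 2.0 touches only the first 4 KB of each file

# Constructed sample: a PDF-like document that is low-entropy plaintext.
ORIGINAL = b"%PDF-1.7\n" + b"BT /F1 12 Tf (Quarterly report) Tj ET\n" * 800

# Simulated damage: replace the first 4 KB with a pattern of maximal entropy
# (every byte value equally often). Stands in for the encrypted head; it is
# NOT the real ransomware's output.
SCRAMBLED_HEAD = bytes(range(256)) * (HEAD // 256)
DAMAGED = SCRAMBLED_HEAD + ORIGINAL[HEAD:]

# Constructed control case: a file that is high-entropy end to end, as a
# compressed archive would be.
COMPRESSED = bytes(range(256)) * 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for a constant stream, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def magic_recognized(data: bytes) -> bool:
    """Whether a few common file signatures survive at offset 0."""
    return data[:4] in (b"%PDF", b"PK\x03\x04", b"\x89PNG")


def triage(name: str, data: bytes) -> dict:
    """Score one file on the 'scrambled head, plaintext tail' profile."""
    head, tail = data[:HEAD], data[HEAD:]
    h_head, h_tail = shannon_entropy(head), shannon_entropy(tail)
    indicators = []
    if name.lower().endswith(".lockbit"):
        indicators.append("lockbit_extension")
    if h_head > 7.5:
        indicators.append("high_entropy_head")
    # A genuinely compressed or encrypted file is uniform throughout; a
    # partially encrypted one drops back to plaintext after the head.
    if tail and h_tail < 6.0 and h_head - h_tail > 2.0:
        indicators.append("plaintext_tail")
    suspect = "high_entropy_head" in indicators and (
        "lockbit_extension" in indicators or "plaintext_tail" in indicators
    )
    return {
        "name": name,
        "head_entropy": round(h_head, 2),
        "tail_entropy": round(h_tail, 2),
        "header_intact": magic_recognized(data),
        "indicators": indicators,
        "suspect": suspect,
    }


if __name__ == "__main__":
    for name, data in (("report.pdf", ORIGINAL),
                       ("report.pdf.lockbit", DAMAGED),
                       ("archive.zip", COMPRESSED)):
        print(triage(name, data))
```

The `plaintext_tail` indicator is what separates a partially encrypted document from an ordinary ZIP or JPEG; head entropy alone would flag every compressed file on the share. The `header_intact` field also shows why 4KB is enough: with the signature and structure gone, the remaining 96% of the bytes are of no use to the application that has to open the file.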
LockBit also solicits insiders. Its ransom notes offer financial rewards to employees who can provide access to networks and organizations, and its bug bounty program also pays for ideas on how to improve the ransomware's operation, software and infrastructure.

Beyond LockBit 2.0
The LockBit gang also developed a few other separate malware programs. One of them is StealBit, used to automate the exfiltration of data. This tool uploads the data to LockBit's servers upon infection.
Another one is the LockBit Linux-ESXi Locker, used to encrypt Linux servers and VMware ESXi virtual machines.
A new version of LockBit's affiliate program and malware, LockBit 3.0, was released in June 2022 after two months of beta testing. The gang has also launched a bug bounty program, rewarding vulnerability hunters with between USD 1,000 and USD 1 million for finding vulnerabilities in its ransomware programs and infrastructure, including its Tor-hosted website and its secure messaging system.
It even launched a USD 1 million challenge for anyone who can identify the person running its affiliate program.
What to do when attacked by LockBit ransomware?
The best way to respond to ransomware is to contact a professional incident response team.
Where possible, having an ongoing relationship with an incident response team such as Blackpanda can reduce the risk of falling victim to ransomware, thanks to proactive cyber security measures including compromise assessments and tabletop exercises, as well as drastically speeding up response times. Falling victim to ransomware can be both stressful and emotional. An experienced IR company such as Blackpanda provides invaluable help in containing the attack, eradicating the malware and restoring business as usual, all whilst managing PR, negotiating with the attackers, and ensuring safety and legality throughout.
Blackpanda is Asia’s Premier Digital Forensics and Incident Response provider, and we support our clients by conducting regular compromise assessments to check for active threats in the network, managing security configurations, preparing tabletop exercises and incident response plans to boost employee awareness, and responding to incidents promptly with Special Forces Expertise.
To learn more about our ransomware preparation services, or to report a breach, contact Blackpanda.
