Lockbit
LockBit, also known as LockBit Black or LockBit 3.0, is one of the largest ransomware groups in the world. It has carried out extensive cyberattacks across many industries, impacting thousands of organizations globally with persistent and adaptive tactics.

The Origin of Lockbit
Since its inception in September 2019, LockBit has become notorious in the cybercrime world, leveraging its Ransomware-as-a-Service (RaaS) model and its "StealBit" exfiltration malware to aggressively target businesses and infrastructure.
Successive versions, from LockBit Red through LockBit 3.0, each introduced features that made the malware harder for security analysts to examine. In 2023, LockBit Green emerged, incorporating features from the defunct Conti ransomware and illustrating how readily code and tooling move between cybercrime groups.
In February 2024, Operation Cronos disrupted LockBit's operations, eroding its credibility and demonstrating the scale of international efforts to combat ransomware. Despite law enforcement seizing control of LockBit's sites, further attacks were reported afterwards, indicating the group's persistence.

Countries targeted by Lockbit
Despite LockBit's assertions of political neutrality, a substantial number of its victims are from NATO member states and their allies.
Approximately 50% of the attacks involving the LockBit 3.0 strain have impacted businesses in the United States. Affiliates using LockBit received more than $91 million in ransom payments from U.S. victims.
Brazil and India are also heavily targeted.

Industries Targeted by Lockbit
Manufacturing is frequently attacked by LockBit, yet no single industry is consistently singled out, underscoring the group's indiscriminate targeting.
While it typically preys on small to medium-sized businesses, even large firms such as the IT giant Accenture are not immune to LockBit's reach.
Source: SOCRadar
LockBit's Victims
LockBit's Attack Method

LockBit 3.0 affiliates gain initial access to networks by:
- compromising existing account credentials
- abusing Remote Desktop Protocol (RDP) access
- exploiting vulnerabilities in public-facing systems
- drive-by compromise from malicious websites visited during normal browsing
- conducting phishing attacks

When its current permissions are inadequate, LockBit 3.0 attempts to escalate privileges, and it uses automatic logon features to do so.

LockBit 3.0 conceals its activity by encrypting communications with its control servers and self-deleting after execution; when launched, it will only decrypt itself and continue execution if the correct password is supplied.
To remain embedded within a network, LockBit 3.0 manipulates compromised user accounts and configures systems for automatic logon.

LockBit 3.0 uses ProcDump from Microsoft Sysinternals to dump the process memory of lsass.exe, which holds credential material.

LockBit 3.0 scans networks using SoftPerfect Network Scanner, gathers detailed system and domain data, and avoids infecting systems whose language settings match a list it checks at startup.

For lateral movement within the network, LockBit 3.0 leverages Splashtop remote-desktop software.

LockBit 3.0 sets up command and control using FileZilla and automates SSH sessions via Plink on Windows systems. During its operation, LockBit 3.0 executes commands and employs Chocolatey, a Windows package manager, to install the software it needs.

LockBit 3.0 exfiltrates data from networks using its bespoke tool StealBit as well as popular cloud storage services.

LockBit 3.0 disrupts operations by erasing event logs, emptying the recycle bin, encrypting data, halting processes and services, deleting volume shadow copies, and replacing the infected system's wallpaper and icons with its own imagery.
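Several of the behaviours above (LSASS dumping with ProcDump, shadow-copy deletion, event-log clearing, automatic-logon configuration, Plink launched from a user-writable path) are visible in ordinary endpoint telemetry. The following is an added example, not code from the original page or from Vectra AI, that runs a handful of simple rules over constructed Sysmon-style events (field names mirror Sysmon Event ID 1, process creation, and Event ID 13, registry value set; every host, user, path and address is invented) and then groups the hits per host, since a single hit may be an administrator but several in sequence on one machine look like the chain this page describes.

```python
import re

# Constructed Sysmon-style telemetry for illustration only (not real logs).
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ws-042", "User": "CORP\\jdoe",
     "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    {"EventID": 1, "Host": "ws-042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Host": "ws-042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"EventID": 13, "Host": "ws-042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "Details": "1"},
    {"EventID": 1, "Host": "ws-042", "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\plink.exe",
     "CommandLine": "plink.exe -ssh 203.0.113.10"},
    # Benign control event: must not trigger any rule.
    {"EventID": 1, "Host": "ws-042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def _cmd(ev):
    """Lower-cased command line, empty string when absent."""
    return ev.get("CommandLine", "").lower()


def _img(ev):
    """Lower-cased file name of the launched image (path stripped)."""
    return ev.get("Image", "").lower().rsplit("\\", 1)[-1]


# Each rule: (name, ATT&CK technique or None, predicate over one event).
RULES = [
    ("LSASS memory dump via ProcDump", "T1003.001",
     lambda ev: ev["EventID"] == 1 and _img(ev).startswith("procdump")
     and "lsass" in _cmd(ev)),
    ("Volume shadow copies deleted", "T1490",
     lambda ev: ev["EventID"] == 1 and _img(ev) == "vssadmin.exe"
     and re.search(r"\bdelete\s+shadows\b", _cmd(ev)) is not None),
    ("Windows event log cleared", "T1070.001",
     lambda ev: ev["EventID"] == 1 and _img(ev) == "wevtutil.exe"
     and re.search(r"\b(cl|clear-log)\b", _cmd(ev)) is not None),
    # Persistence via automatic logon; no precise sub-technique is claimed here.
    ("Automatic logon enabled", None,
     lambda ev: ev["EventID"] == 13
     and ev.get("TargetObject", "").lower().endswith(r"\winlogon\autoadminlogon")
     and ev.get("Details") == "1"),
    ("Plink SSH client run from user-writable path", "T1572",
     lambda ev: ev["EventID"] == 1 and _img(ev) == "plink.exe"
     and ("\\users\\" in ev["Image"].lower() or "\\temp\\" in ev["Image"].lower())),
]


def detect(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for name, technique, pred in RULES:
            if pred(ev):
                findings.append({"event": idx, "host": ev["Host"],
                                 "rule": name, "technique": technique})
    return findings


def hosts_with_chain(findings, min_rules=3):
    """Hosts on which at least min_rules distinct rules fired."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f)
    print("hosts with attack chain:", hosts_with_chain(hits))
```

The per-host grouping is the part worth keeping when adapting this to real telemetry: each rule on its own has legitimate administrative uses, but three or more of them firing on the same machine inside a short window is the pattern that should page someone.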

TTPs used by LockBit
How to Detect LockBit with Vectra AI
The following is a list of the detections available in the Vectra AI Platform that would indicate a ransomware attack.
FAQs
What is LockBit ransomware?
LockBit is a Ransomware-as-a-Service (RaaS) operation whose malware encrypts an organization's data and demands a ransom for the decryption key. It is known for its stealth, speed, and use of a double-extortion scheme, in which stolen data is threatened with publication on top of the encryption.
How does LockBit gain initial access to networks?
LockBit gains initial access through various means, including exploiting exposed Remote Desktop Protocol (RDP) services, phishing and spear-phishing, and using credentials from previously breached accounts.
What makes LockBit 3.0 different from its previous versions?
LockBit 3.0 is more modular and evasive, with improved encryption and the ability to customize the attack payload. It has incorporated features from other ransomware like BlackMatter and BlackCat.
Has LockBit been involved in any significant cyber incidents?
Yes, LockBit has been responsible for numerous attacks on businesses globally, including high-profile incidents involving large multinational corporations.
What sectors does LockBit typically target?
LockBit does not target a specific sector. It has been known to target a wide range of industries, including healthcare, education, and manufacturing.
How does LockBit handle the ransom process?
LockBit typically leaves a ransom note with payment instructions within the compromised system. Payment is usually demanded in cryptocurrency, and negotiations are sometimes conducted on the dark web.
What defensive measures can be effective against LockBit?
Regularly updating and patching systems, implementing robust access controls, conducting frequent security awareness training, using advanced threat detection tools, and maintaining offline backups are critical defenses.
Are there decryption tools available for LockBit encrypted files?
If you have been impacted by LockBit, the UK National Crime Agency (NCA) has obtained 1,000 decryption keys from LockBit's infrastructure that may assist in decrypting affected files.
What is the best course of action if my network is compromised by LockBit?
Isolate the affected systems, initiate an incident response plan, and contact law enforcement and cybersecurity professionals. Avoid paying the ransom, as it does not guarantee data recovery and may fund further criminal activity.
What is known about the operators behind LockBit?
The operators are believed to be part of a sophisticated cybercriminal group running a RaaS model: they recruit affiliates to deploy the ransomware while the core operators remain hidden and maintain their anonymity.