Originally Published on Mar 23, 2022.
LockBit Ransomware is one of the few ransomware groups employing self-spreading malware technology and double encryption. After its recent attacks on the Aerospace giant, Boeing, the Italian Revenue Agency and digital security giant, Entrust, LockBit has only gained momentum, as they hunt for their next victim. Read on to learn how to protect your network from LockBit attacks.
One of the most prolific ransomware groups in recent times, LockBit ransomware began its spree of attacks as recently as September 2019. The group is financially motivated and does not shy away from going after bigger, high-profile enterprises and companies. Their latest attack weapon is the CitrixBleed vulnerability (CVE-2023-4966) using which the group waged attacks on Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing, among many others.
LockBit is known for many of its unique characteristics – sophisticated technology, extortion methods, and high-severity cyber attacks. The group is backed by hundreds of affiliates who take care of the ‘breakin in’ phase, aka, infiltration into vulnerable networks. Thereon, LockBit operators depend on their ransomware code, which has today become one of the best for stealthily creeping through networks, before adopting multiple effective extortion strategies.
LockBit’s attack presence is seen globally, including Australia, Canada, New Zealand and the United States. Intermittently, the attack spree pauses for a brief period during which their ransomware technology receives superior upgrades, ready to combat advancements in a company’s defense. Their recent attack strategy and frequency makes LockBit a formidable predator in the cyber realm and a determined adversary.
In This Blog:
How Dangerous is LockBit Ransomware?
Being one of the most active ransomware groups today, LockBit has a variety of tactics and technologies to attack the biggest agencies in any industry. Here are some tools, techniques, and procedures that make LockBit a dangerous adversary:
-
StealBit: The threat gang introduced StealBit, a malware tool used for encryption in the LockBit 2.0 version. It is believed to be the fastest and most efficient encryption tool.
-
Spreads Fast: StealBit spreads to other devices in the network automatically, using tools like Windows Powershell and Server Message Block (SMB), which makes it difficult to confine immediately.
-
Attacks Windows and Linux: Initially, they had targeted only Windows systems, but LockBit 2.0 was improvised to attack Linux systems as well.
-
Evasion Tactics: Their evasion tactics are well strategized, making it hard to get flagged by the system defenses.
-
Bug Bounty: LockBit conducts bug bounty programs to improve their defenses and establish that they are professional hackers. Anyone who finds a flaw in their malware kit is rewarded generously.
-
Marketing: They actively market towards affiliates to join them and carry out attacks. These marketing activities have garnered quite the attention and work well for the group in getting highly-skilled threat actors.
- ZCash: LockBit 3.0 introduced ZCash payment options for collecting ransom from victims, as well as for paying their affiliates, with less disruption from law enforcement.
Double Extortion: LockBit is known for its double extortion technique wherein they steal data and also encrypt the system data making it harder for victims to recover it.
Triple Extortion: In August 2022, LockBit announced that it would use triple extortion on its victims via data leaks, encryption, and DDoS attacks.
File Deletion: A notable tactic of the third version of LockBit includes a file deletion technique, where instead of using cmd.exe to execute a batch file to perform the deletion.
Exfiltrator-22: A new attack framework was created by affiliates of the former LockBit 3.0 operation that includes features found commonly in other post-exploitation toolkits, but has added features that enhance ransomware deployment and data theft. The EX-22, as it is referred to, is designed to spread ransomware quickly in corporate networks while evading detection.
AV and EDR: The LockBit ransomware group started a campaign in early January 2023, that used combinations of techniques effective against AV and EDR solutions.
Exfiltrate Data: In a recent campaign, the LockBit gang introduced a new method to allow it to exfiltrate data from high-profile organizations by bypassing the Mark of The Web (MOTW) protection mechanism.
- Avoids Certain Languages: LockBit 3.0 also checks the victim’s UI language before carrying out an attack. They avoid infecting systems with the following languages:
- Arabic (Syria)
- Armenian (Armenia)
- Azerbaijani (Cyrillic Azerbaijan)
- Azerbaijani (Latin Azerbaijan)
- Belarusian (Belarus)
- Georgian (Georgia)
- Kazakh (Kazakhstan)
- Kyrgyz (Kyrgyzstan)
- Romanian (Moldova)
- Russian (Moldova)
- Russian (Russia)
- Tajik (Cyrillic Tajikistan)
- Turkmen (Turkmenistan)
- Tatar (Russia)
- Ukrainian (Ukraine)
- Uzbek (Cyrillic Uzbekistan)
- Uzbek (Latin Uzbekistan)
Ransowmare Variants
LockBit started out as an ABCD crypto virus in 2019. LockBit’s primary targets were private enterprises and government organizations in the United States, China, India, Indonesia, Ukraine, and Europe with crypto as the form of demanded ransom. In 2019 and 2020, Windows systems in healthcare and financial institutions bore the brunt of LockBit attacks. The Ransomware group took a brief hiatus to work on their malware kit and to improve their operations. Thus far, two other LockBit versions have been released with attack methodologies superior to the preceding ones.
LockBit version 2.0
LockBit version 2.0 was released in June 2021 and was used for attacks in Chile, Taiwan, and the UK. In this version, LockBit introduced the double extortion technique and automatic encryption of devices across Windows domains. In October 2021, LockBit began infiltrating Linux servers as well, targeting ESXi servers.
LockBit version 3.0 (LockBit Black)
In June 2022, LockBit released yet another upgraded version of the ransomware with a bug bounty program, Zcash payments, and new extortion tactics. The new version derives from other ransomware such as BlackMatter and DarkSide and has anti-analysis techniques to evade detection, passwordless execution, and in-built command-line argument feature.
A desktop wallpaper applied by LockBit 3.0 on a victim’s system
This new version of the ransomware was used in the attacks on the Italian Revenue Agency and a county office in Ontario, Canada. In this version, LockBit has included Denial-of-Service attacks as a method to extort from victims in addition to encryption and data leaks.
In September 2022, an allegedly disgruntled developer leaked the builder for LockBit 3.0’s encryptor on Twitter. The developer was reportedly unhappy with the group’s leadership and leaked the private data. This is a blow to the ransomware group as the builder data allows anyone to start their own ransomware kit with an encryptor, decryptor, and specialized tools to launch the decryptor in certain ways. Based on the leaked builder, Bl00dy ransomware gang has developed encryptors and has been using them in an attack on an Ukrainian entity in September 2022.
How Does LockBit Ransomware Attack?
LockBit has undergone three version revisions; the latest version uses sophisticated attack techniques. Let us take a look:
LockBit 2.0 Attack Methodology
LockBit Ransomware MITRE ATT&CK Techniques
LockBit: A Cheat Sheet
LockBit is available as a Ransomware-as-a-Service (RaaS), working with affiliates who carry out attacks-for-hire and split the funds between the LockBit developer team and the affiliates. Here is a look into LockBit’s vulnerability arsenal:
- LockBit has the means to exploit 14 CVEs overall which exist in popular products such as FortiOS, F5 Big IP, Microsoft Windows Server, and Microsoft Exchange, among others.
- 6 vulnerabilities can be exploited via public or external networks and used to run arbitrary code remotely
- 6 vulnerabilities can be used to escalate privileges and gain access to unauthorized areas of the exposed network
- 7 vulnerabilities allow for network infiltration through web applications
- The vulnerability arsenal includes the popular ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), the PaperCut exploit (CVE-2023-27350), and the Citrix Bleed vulnerability (CVE-2023-4966) that is recently seeing massive exploitation.
- CVE-2022-22279 is a post-authentication vulnerability impacting end-of-life SonicWall Secure Remote Access (SRA) products and older firmware versions of Secure Mobile Access (SMA) 100 series. This calls to attention how discontinued products and often overlooked assets might pose a danger to organizations.
Many of these vulnerabilities including CVE-2021-31207 and CVE-2023-4966 have been warned about by CISA in the #StopRansomware campaign owing to multiple attacks by LockBit and other ransomware groups.
Recent Attacks
- Maximum Industries: This manufacturer makes rocket parts for SpaceX. The LockBit gang boasted about stealing 3,000 proprietary schematics as well as other blueprints in an attack in mid-March 2023.
- Essendant: A wholesale distributor of office goods had a significant cyber attack in March 2023. The LockBit group claimed responsibility on March 14.
- Housing Authority of the City of Los Angeles (HACLA): The state-chartered agency providing affordable housing to low-income individuals and families for the City of Los Angeles, warned of a cyber incident that was later attributed to the LockBit ransomware group.
- Aguas do Porto: A Portuguese municipal water utility company, Aguas do Porto, was hit by the ransomware group in February 2023. The company manages full water cycles inclusive of water supply and waste water drainage, public lighting and photovoltaic parks.
- Royal Mail: In early January 2023, the LockBit ransomware group breached systems of UK’s leading mail delivery service, Royal Mail, that led to disruption of package deliveries.
- Whitworth University: A private university in Washington suffered a LockBit ransomware attack in July 2022, and all its operations were halted for over two weeks. The group claimed to have stolen 715 GB of Whitworth data relating to accounting, marketing, infrastructure, and documents.
- Italian Revenue Agency: The largest cyberattack was perpetrated on the Italian Revenue Agency by the LockBit gang in July 2022. In this attack, 78 GB worth of data was stolen from the agency’s servers. There are ongoing talks between the revenue agency and LockBit gang regarding ransom payments.
- Entrust: Security giant, Entrust’s network was breached in June 2022 and sensitive data was stolen by the LockBit ransomware gang. In an interesting twist, Entrust deployed Denial-of-Service malware on LockBit’s servers preventing them from releasing the stolen data.
- Library Lending App, Onleihe: The online library faced an operational dysfunction after the service provider, EKZ, became a victim of a cyberattack in March 2022. Several affiliated websites, statistics pages, catalog data, and ID-Deliveries were impacted in the attack. There is no credible information on what data was stolen in the attack.
- Accenture: LockBit attacked Accenture in August 2021 and demanded $50 million as ransom. During this attack, some proprietary information was stolen and released on LockBit’s leak site. For a detailed analysis of the attack, check out our blog on how the Accenture attack unfolded.
How to Detect LockBit Ransomware in your Environment
How Do Organizations Prevent a LockBit Attack?
- Patch CVEs: More often than not, attackers infiltrate networks and gain access to systems via known, unpatched vulnerabilities. Follow advisories from your vendors and the CISA KEV advisories to patch all CVEs at the earliest. To stay ahead of attackers, follow advisories pertaining to CVEs critical to your organization.
- Set Strong Passwords: Hackers can break into critical systems that do not implement complex passwords. It is essential that everyone accessing the network enables strong passwords and multi-factor authentication (MFA) to secure their logins.
- Remove Unnecessary Permissions: Increase the amount of restrictions on permissions to prevent potential dangers from being ignored. Pay specific attention to those accessible by IT accounts with admin-level permissions and endpoint users.
- Be Vigilant Handling Links: Social engineering techniques such as phishing emails are one of the most common methods incorporated by ransomware groups to gain access for malware distribution. Clicking unknown links is always ill-advised.
- Keep Tabs on your Attack Surface: Employ a solution that can scan your entire attack surface for weaknesses. Know and keep tabs on known and unknown devices connected to your broader network.
Organizations can keep attackers at bay by staying vigilant and ensuring that the above steps are strictly followed. A good way to do this is to employ an automated system that regularly scans for vulnerabilities and loopholes, and alerts the Chief Information Security Officers.
Our security experts regularly conduct research analysis of the ransomware families and the CVEs they target. The latest analysis is published in our Ransomware Report. Read the report to find out which ransomware families are an active threat to your business.