Threat Intelligence Lab

Lockbit cybercrime gang

Lockbit Breakdown: Cyber operations, evolution, and impacts

Written by

Reza Rafati
— in

ThreatIntelligenceLab.com

Lockbit is a notorious ransomware group known for its aggressive and sophisticated attacks. Originating in 2019, this group has rapidly become a significant threat, targeting corporations and government entities worldwide.

They organize their operations meticulously, establishing themselves as formidable threat actors in cyberspace.

Who is Lockbit?

Lockbit is a cybercriminal group engaged in deploying ransomware attacks.

They are responsible for numerous high-profile cybersecurity breaches, impacting businesses across various sectors.

The group operates on a ransomware-as-a-service (RaaS) model, allowing affiliates1 to use their ransomware in exchange for a cut of the ransom payments. This structure has rapidly expanded their reach and impact.

Lockbit Ransomware
Lockbit Ransomware

How Does Lockbit Operate?

Initially, they gain access to a victim’s network through methods like phishing, exploiting vulnerabilities, or purchasing access from other criminals. Once inside, they move laterally across the network, identifying and encrypting valuable data.

The ransomware presents victims with a ransom note demanding payment for data decryption.

Lockbit evolution

The LockBit ransomware family has undergone a remarkable evolution since its initial emergence, demonstrating the adaptability and increasing sophistication of cyber threats.

Here’s a timeline outlining the major developments in the LockBit ransomware lineage:

September 2019: ABCD Ransomware Emergence

LockBit’s roots can be traced back to the appearance of ABCD ransomware. This ransomware laid the foundational code for future iterations of LockBit.

ABCD ransomware - Laid the foundation for the Lockbit Ransomware
ABCD ransomware – Laid the foundation for the Lockbit Ransomware

January 2020: LockBit Emergence

Discussions regarding a ransomware explicitly named “LockBit” began to surface on Russian-language cybercrime forums, marking the official introduction of this threatening malware into the cybercrime ecosystem.

June 2021: LockBit 2.0 (LockBit Red) Launch

LockBit evolved into its second major version, introducing StealBit, a tool designed for exfiltrating information before encryption, enhancing the double extortion threat.

October 2021: Linux-ESXi Locker Version 1.0 Release

LockBit expanded its attack vectors by developing a version capable of targeting Linux and VMware ESXi systems2, thereby broadening its potential victim base.

March 2022: LockBit 2.0 Bugs Discovered

Identifying critical vulnerabilities in LockBit 2.0 prompted the developers to work on an updated version to address these flaws.

June 2022: LockBit 3.0 (LockBit Black) Debut

LockBit Black, the third iteration, addressed the issues identified in LockBit 2.0. It was launched, showing influences from BlackMatter and Alphv ransomware, and showcasing improved evasion capabilities.

September 2022: Builder Leak

LockBit faced a setback as the builder for LockBit 3.0 was leaked3, allowing non-affiliated cybercriminals access to the ransomware, which potentially led to a wider spread of the malware.

January 2023: LockBit Green Introduction

This version marked the integration of source code4 from Conti ransomware, indicating a trend of ransomware groups borrowing from each other to enhance their malicious toolsets.

April 2023: macOS Targeting

A significant development in LockBit’s capabilities was observed with the malware now targeting macOS systems5, reflecting the continuous expansion of its target spectrum.

LockBit 3.0: Enhanced Evasiveness and Modularity

What sets LockBit 3.0 apart is its customizable nature; it allows for a multitude of behaviors tailored at the compilation stage6, which can be further fine-tuned through command-line arguments upon execution.

This feature enables specific functionalities like intricate lateral movements and the initiation of Safe Mode during attacks.

A standout feature is its execution conditions. These include a mandatory password for affiliates who lack direct access to the ransomware.

This password acts as a cryptographic key. It renders the malware inactive and indecipherable without the correct input. This complicates detection and analysis by cybersecurity defenses.

The encrypted nature of the executable ensures that traditional signature-based detections are less effective. This occurs because each instance of the malware generates a unique cryptographic hash.

Moreover, it exhibits selectiveness in its targets based on system language settings. It avoids systems with languages from a predefined exclusion list, such as Romanian (Moldova), Arabic (Syria), and Tatar (Russia).

This tactic likely aims to sidestep systems in certain geographical regions. It reflects a strategic choice to avoid attention from specific countries’ law enforcement agencies.

Tactics for Initial Access and Spread

LockBit 3.0’s strategies for infiltrating networks are diverse. They leverage vulnerabilities through remote desktop protocol (RDP) exploitation, phishing, valid account misuse, and public-facing application vulnerabilities.

Once inside, the ransomware escalates privileges if necessary. It also conducts extensive reconnaissance to understand the environment fully before initiating its malicious activities.

The ransomware disrupts system operations by terminating relevant processes and services and manipulating system configurations to maintain control. It uses a mix of hardcoded credentials and compromised local accounts to spread through the network. It employs mechanisms like Group Policy Objects and PsExec in conjunction with the SMB protocol for efficient distribution.

Exfiltration and Encryption

Before locking files, LockBit 3.0 exfiltrates valuable data using tools such as Stealbit7 and rclone8. It uses publicly available services like MEGA, for data theft.

Operation Cronos

The operation, announced in February 20249, resulted in the seizure of LockBit’s infrastructure and the indictment of its members, marking a substantial blow to one of the most active ransomware groups worldwide.

Notably, this disruption has enabled the retrieval of decryption keys, offering a lifeline to the over 2,000 victims10 worldwide affected by LockBit’s ransom demands, which cumulatively ran into hundreds of millions of dollars.

The operation led to the arrest of two members in Poland and Ukraine, and the seizure of LockBit’s servers11.

Ivan Kondratyev12 and Artur Sungatov13, were charged with conspiring to commit LockBit powered ransomware attacks.

The indictment unveiled the identities of the alleged perpetrators, erasing the veil of anonymity associated with cyber attacks. It sends a resounding message14 that online actions leave a digital trail, with consequences awaiting those involved.

FAQs

What should I do if I am under attack?

If you suspect a Lockbit attack, disconnect affected systems from the network immediately to prevent further spread. Contact cybersecurity professionals to assess and mitigate the damage. It’s crucial to notify law enforcement to help track and combat these threats.

What should I do if my files have been encrypted?

Do not rush to pay the ransom. First, consult with cybersecurity experts who can analyze the situation and determine if data recovery is possible without giving in to the demands. Also, check for available decryption tools as cybersecurity communities often develop free tools to help victims of ransomware.

Should I buy crypto to pay Lockbit?

Paying the ransom should be a last resort. Payment does not guarantee data recovery and can fund further criminal activities. Seek professional advice and explore all other options before considering payment.

How big is the chance the decryption will work?

The success rate of decryption varies. If you possess backups, the chance of restoring your data is high. However, decryption tools provided by attackers or third parties may not always work as expected. Professional assessment is essential for understanding your situation.

  1. https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf ↩︎
  2. https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html ↩︎
  3. https://analyst1.com/ransomware-diaries-volume-1/ ↩︎
  4. https://cybernews.com/security/lockbit-ransomware-gang-releases-lockbit-green-version/ ↩︎
  5. https://www.wired.com/story/apple-mac-lockbit-ransomware-samples/ ↩︎
  6. https://www.cisa.gov/sites/default/files/2023-03/aa23-075a-stop-ransomware-lockbit.pdf ↩︎
  7. https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool ↩︎
  8. https://rclone.org/ ↩︎
  9. https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant ↩︎
  10. https://www.aha.org/news/headline/2024-02-20-agencies-seize-lockbit-ransomware-servers-offer-encryption-keys ↩︎
  11. https://www.reuters.com/technology/cybersecurity/us-indicts-two-russian-nationals-lockbit-cybercrime-gang-bust-2024-02-20/ ↩︎
  12. https://www.justice.gov/usao-ndca/media/1338976/dl?inline ↩︎
  13. https://www.justice.gov/usao-nj/media/1338926/dl?inline ↩︎
  14. https://www.justice.gov/usao-nj/media/1338931/dl?inline ↩︎

Written by

Reza Rafati
Reza Rafati is an experienced cyber security professional. He is the founder of Threat Intelligence Lab. He has extensive experience in the field of cyber threat intelligence, cyber takedowns, and cyber threat landscapes.