LockBit (Ransomware) – Malware

September 5, 2024

LockBit Malware

Type of Malware

Ransomware

Targeted Countries

Worldwide attacks

Date of Initial Activity

2022

Additional Names

LockBit 3.0, LockBit

Associated Groups

LockBit

Variants

LockBit 1.0
LockBit 2.0
LockBit 2.1
LockBit 2.5
LockBit 3.0

Tools

Plink
FileZilla
Stealbit
SoftPerfect Network Scanner
Microsoft Sysinternals ProcDump

Motivation

Financial gain

Attack Vectors

Phishing and spear-phishing emails, exposed and vulnerable applications and services, third-party frameworks (e.g., Empire, Metasploit, Cobalt Strike)

Targeted Systems

Windows

Overview

Ransomware has emerged as one of the most pervasive and damaging forms of cyber threat in recent years, with variants like LockBit 3.0 showcasing the evolution and sophistication of these malicious programs. LockBit 3.0 operates on a simple yet devastating premise: to encrypt a victim’s data and demand payment for its decryption. First observed in 2019, LockBit 3.0 has since become notorious for its speed and reliability in data encryption, earning a reputation as one of the fastest ransomware strains in the criminal ecosystem.

At its core, LockBit 3.0 employs robust encryption techniques, typically using Advanced Encryption Standard (AES) encryption, to lock victims out of their own files and systems. Once deployed within a network, it swiftly identifies and encrypts valuable data stored on local drives and network shares, rendering it inaccessible without the decryption key held by the attackers. This encryption process is designed to be irreversible without the decryption tool provided upon payment of the ransom, often demanded in cryptocurrencies like Bitcoin to anonymize transactions.

Beyond encryption, LockBit 3.0 is distinguished by its aggressive tactics to maximize impact and coerce victims into compliance. It typically issues a ransom note, warning victims that failure to pay within a specified timeframe will result in the exfiltration and publication of their encrypted data on the dark web. This dual threat of data loss and reputational damage amplifies the urgency for victims to comply, making it a potent tool for cyber extortion.

The distribution and deployment of LockBit 3.0 often rely on well-established vectors such as phishing emails, exploit kits targeting unpatched vulnerabilities, and Remote Desktop Protocol (RDP) exploits. Once inside a network, the ransomware spreads laterally, targeting as many devices and servers as possible to maximize its impact and potential ransom earnings. Its operators are known to adapt quickly to security measures, making detection and containment challenging for organizations unprepared to defend against such attacks.

Targets

Information
Public Administration
Manufacturing
Health Care and Social Assistance
Retail Trade
Accommodation and Food Services

How they operate

LockBit 3.0 employs various initial access methods to breach network defenses. These include exploiting vulnerabilities in external-facing services such as Remote Desktop Protocol (RDP) or leveraging phishing attacks to trick unsuspecting users into granting access. Once inside a network, the ransomware swiftly executes its malicious payloads, often using tools like software deployment utilities and direct command execution. This execution phase marks the beginning of its destructive path, aiming to establish persistence and escalate privileges to gain deeper access within the compromised environment.

Persistence is crucial for LockBit 3.0, enabling it to maintain long-term access to infected systems. The ransomware achieves this by modifying autostart registry keys and creating new services, ensuring that even if initial access points are detected and mitigated, it can continue to operate undetected. Privilege escalation further enhances its capabilities, allowing it to move laterally across networks and access sensitive data or critical systems. By exploiting weaknesses in access controls and abusing system privileges, LockBit 3.0 can spread rapidly within an organization, increasing the scope of its impact.

To evade detection and hinder response efforts, LockBit 3.0 employs sophisticated defense evasion tactics. These include obfuscating files and information to conceal its presence, clearing event logs to erase traces of its activities, and employing encryption to obfuscate communications with its command and control (C2) servers. These measures make it challenging for traditional security measures to detect and mitigate the ransomware effectively.

Command and control (C2) is facilitated through various channels, including HTTP and FTP protocols, enabling attackers to remotely manage infected systems and issue commands. This capability allows LockBit 3.0 operators to orchestrate the encryption of targeted files and the exfiltration of sensitive data, maximizing the ransomware’s disruptive potential. Finally, by encrypting critical data and deleting backups, LockBit 3.0 imposes significant operational and financial burdens on its victims, compelling them to consider paying the ransom to recover their encrypted data.

MITRE Tactics and Techniques

Initial Access (TA0001):
Tactic Description: This tactic covers the methods by which adversaries gain initial access to a victim’s environment. For LockBit 3.0, common techniques include exploiting vulnerabilities in external-facing services like Remote Desktop Protocol (RDP), phishing, and exploiting public-facing applications.
Execution (TA0002):
Tactic Description: This involves techniques used by adversaries to execute malicious code on a victim’s system. LockBit 3.0 achieves execution through software deployment tools, scripting, and direct command execution.
Persistence (TA0003):
Tactic Description: Persistence techniques enable adversaries to maintain access to a compromised system across reboots or system changes. LockBit 3.0 uses techniques like modifying autostart registry keys (T1547.001) and creating new services (T1543.003) to maintain persistence.
Privilege Escalation (TA0004):
Tactic Description: This tactic involves techniques used to obtain higher-level permissions on a system or network. LockBit 3.0 attempts privilege escalation through techniques like exploiting vulnerabilities (T1068), abusing Windows access tokens (T1134), and manipulating access control mechanisms (T1548).
Defense Evasion (TA0005):
Tactic Description: Defense evasion techniques enable adversaries to avoid detection or hinder response efforts from security tools and processes. LockBit 3.0 employs tactics such as obfuscated files or information (T1027) and clearing event logs (T1070.004) to evade detection.
Credential Access (TA0006):
Tactic Description: Techniques in this tactic involve stealing or obtaining credentials to gain further access within the network. LockBit 3.0 utilizes methods such as credential dumping (T1003) and using compromised credentials (T1078) to escalate privileges and move laterally.
Discovery (TA0007):
Tactic Description: Discovery techniques allow adversaries to gather information about the victim’s environment, such as network configuration and installed software. LockBit 3.0 performs discovery using tools like network scanning (T1046) and querying system information (T1082).
Lateral Movement (TA0008):
Tactic Description: Lateral movement techniques enable adversaries to move through a network to access additional systems. LockBit 3.0 uses methods like remote desktop protocol (T1021.001) and exploiting remote services (T1210) for lateral movement.
Command and Control (TA0009):
Tactic Description: This involves techniques used by adversaries to communicate with compromised systems to control and coordinate their actions. LockBit 3.0 establishes command and control channels using protocols like HTTP and FTP (T1071) and automated SSH actions (T1572).
Exfiltration (TA0010):
Tactic Description: Exfiltration techniques involve unauthorized transfer of data from a victim’s network to the attacker’s controlled infrastructure. LockBit 3.0 exfiltrates data using techniques like exfiltration over web service (T1567) and encrypting data for impact (T1486).
Impact (TA0040):
Tactic Description: Impact tactics refer to actions taken by adversaries that affect the availability and integrity of victim systems and data. LockBit 3.0 impacts systems by encrypting files (T1486), deleting backups (T1490), and disrupting system operations to pressure victims into paying ransom.
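The persistence, defense-evasion and impact techniques listed above each leave a distinctive Windows event, which makes them a useful starting point for detection. The following is an added example (not code from CyberMaterial or from any of the referenced reports) that maps constructed, SIEM-style event records to the technique IDs on this page and escalates when several of them co-occur on one host; the sample events, field names and thresholds are assumptions made for the example.

```python
"""Map Windows event records to LockBit 3.0 techniques named on this page.

Records are constructed samples shaped like normalised Security, System and
Sysmon events; they are not real telemetry from any incident.
"""
import re

SAMPLE_EVENTS = [  # constructed events, all from one host
    {"host": "ws01", "provider": "Security", "event_id": 4688,
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "provider": "Microsoft-Windows-Sysmon", "event_id": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\Public\svc.exe"},
    {"host": "ws01", "provider": "Service Control Manager", "event_id": 7045,
     "ServiceName": "SysHelper", "ImagePath": r"C:\ProgramData\sys.exe"},
    {"host": "ws01", "provider": "Security", "event_id": 1102,
     "SubjectUserName": "admin"},
    {"host": "ws01", "provider": "Security", "event_id": 4688,
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},  # benign
]

# Autostart locations (T1547.001) and backup-destruction commands (T1490).
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.IGNORECASE)


def classify(event):
    """Return the MITRE technique ID an event indicates, or None."""
    eid = event.get("event_id")
    if eid == 1102:                       # Security event log cleared
        return "T1070.004"
    if eid in (7045, 4697):               # new service installed
        return "T1543.003"
    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        return "T1547.001"                # Run/RunOnce value written
    if eid == 4688 and SHADOW_DELETE.search(event.get("CommandLine", "")):
        return "T1490"                    # shadow copies / backups deleted
    return None


def detect(events):
    """Return [(technique, event), ...] for every event that matches a rule."""
    return [(t, ev) for ev in events if (t := classify(ev))]


def host_severity(events, host, threshold=3):
    """'critical' when a host shows at least `threshold` distinct techniques."""
    techs = {t for t, ev in detect(events) if ev["host"] == host}
    return "critical" if len(techs) >= threshold else ("suspicious" if techs else "clean")
```

The threshold of three distinct techniques is an assumed tuning value; a single Run-key write is common in legitimate software, while a Run key plus a new service plus a shadow-copy deletion on the same host within minutes is the staging pattern described in the text.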

Impact / Significant Attacks

  • Proofpoint observed high-volume campaigns with millions of messages facilitated by the Phorpiex botnet and delivering LockBit Black ransomware. This is the first time Proofpoint researchers have observed samples of LockBit Black ransomware (aka LockBit 3.0) being delivered via Phorpiex in such high volumes. (May 2024)
References
  • Security Brief: Millions of Messages Distribute LockBit Black Ransomware
  • #StopRansomware: LockBit 3.0
  • LockBit 3.0 (LockBit Black)
  • LockBit 3.0 Ransomware Unlocked
  • New LockBit Black Campaign Observed

    © 2025 | CyberMaterial | All rights reserved