Lockbit (ABCD) – Threat Actor

August 6, 2024
in Ransomware Group, Threat Actors

Lockbit

Other Names

ABCD

Location

Various Locations Globally

Date of initial activity

2019

Suspected Attribution 

RaaS

Associated Groups

Maze, Evil Corp, BlackMatter, DarkSide

Associated tools

StealBit
LockBit-NG-Dev (LockBit 4.0)
Mimikatz, GMER
Network Enumeration and Scanning Tools (e.g., Advanced Port Scanner)
PsExec, Cobalt Strike

Motivation

Financial Gain

Overview

LockBit is a highly sophisticated and infamous cybercriminal group specializing in ransomware operations. Founded on the principles of ransomware-as-a-service (RaaS), LockBit provides malicious software to affiliates who then execute attacks on targeted organizations worldwide. Known for its relentless pursuit of financial gain, LockBit employs ruthless tactics to extort ransom payments from victims. The group gained notoriety for its efficient and adaptable ransomware, which encrypts data on infected systems and threatens to publicly leak sensitive information if ransom demands are not met. This dual-pronged approach—encrypting and threatening to expose data—increases the pressure on victims to comply with their demands. LockBit’s operational strategies include leveraging vulnerabilities in software and networks, purchasing access from insiders, and employing sophisticated phishing campaigns to gain initial access to victim systems. Once inside, they deploy tools like “StealBit” for data exfiltration and use advanced encryption techniques to lock down files and networks. Geopolitically agnostic, LockBit claims to operate independently and focuses solely on financial gain. Despite law enforcement crackdowns and occasional setbacks, the group has shown resilience, continually evolving its tactics and infrastructure to evade detection and maintain operational continuity. With a history of targeting diverse industries such as healthcare, education, finance, and government, LockBit remains a prominent and persistent threat in the cybersecurity landscape, highlighting the ongoing challenges posed by ransomware attacks globally.

Common targets

LockBit targets a wide range of sectors including healthcare, financial services, manufacturing, government, and critical infrastructure. They do not discriminate by geography, attacking organizations worldwide.

Attack Vectors

LockBit seeks initial access to target networks primarily through purchased access, unpatched vulnerabilities, insider access, and zero-day exploits.

How they operate

LockBit operates as a sophisticated ransomware-as-a-service (RaaS) group, combining advanced tactics and techniques to execute its campaigns. An overview of how LockBit works:
  • Initial Access: LockBit gains initial access to target networks through various means, including exploiting vulnerabilities in public-facing applications, compromising remote services such as Remote Desktop Protocol (RDP), or using stolen credentials obtained from affiliates or brokers.
  • Execution: Once inside a network, LockBit deploys its ransomware payload. This executable encrypts files and data on compromised systems using strong encryption algorithms such as AES and RSA, rendering them inaccessible to users.
  • Persistence: To maintain access and ensure continued operation, LockBit establishes persistence on compromised systems. This may involve creating scheduled tasks, modifying registry keys, or implanting backdoors for remote access.
  • Privilege Escalation: LockBit attempts to escalate privileges within the network to gain higher levels of access and control. This can include exploiting vulnerabilities in software or leveraging compromised credentials to move laterally to more critical systems.
  • Defense Evasion: To evade detection and hinder response efforts, LockBit disables security tools, uses obfuscated code, or employs process injection to hide its presence from security solutions.
  • Credential Access: LockBit acquires additional credentials within the network to expand its reach and capabilities, using techniques such as credential dumping, brute-forcing passwords, or stealing session cookies from web applications.
  • Lateral Movement: Once inside the network, LockBit moves laterally to identify and compromise other systems and devices, typically using tools like Remote Desktop Protocol (RDP) or exploiting vulnerabilities in network shares and administrative protocols.
  • Data Encryption and Threat: LockBit encrypts files on compromised systems, appending a specific file extension to indicate encryption. It then presents a ransom note demanding payment in cryptocurrency in exchange for decryption keys, and threatens to publicly leak sensitive data if the demands are not met, increasing pressure on victims to comply.
  • Exfiltration and Threat: To increase leverage, LockBit may exfiltrate sensitive data from compromised networks before encrypting files. It uses tools like StealBit for automated data exfiltration and threatens to release this data if ransom demands are not met, potentially causing further reputational and financial damage to victims.
  • Impact: The ultimate impact of a LockBit attack is severe disruption to business operations, financial loss from ransom payments, potential data exposure leading to regulatory issues, and reputational damage. Recovery often requires significant time, resources, and coordination with cybersecurity experts.
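The persistence, defense-evasion and impact steps above all leave command-line traces in process-creation telemetry, which is where a defender can catch the intrusion before encryption finishes. The script below is an added example written for this profile, not code from CyberMaterial or from any EDR vendor: the pipe-delimited log format, the sample lines, the host and user names and the rule set are all constructed assumptions, and the ATT&CK ids are the ones this profile lists. It parses the sample log, matches each command line against the rules, and escalates only when one account on one host shows several distinct techniques, since any single command can also be legitimate administration.

```python
"""Triage process-creation log lines against the techniques this profile lists.

Added example for this page, not code from CyberMaterial or from any EDR
product. The pipe-delimited log format and the sample lines are constructed
for the demo; the rules key on command-line patterns that public ransomware
advisories commonly document for the ATT&CK ids used in the profile.
"""
import re
from dataclasses import dataclass

# Constructed format: timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = """\
2024-08-06T02:11:03Z|FS01|CORP\\svc_backup|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\temp\\notes.txt
2024-08-06T02:12:41Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-08-06T02:12:42Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2024-08-06T02:13:05Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\net.exe|net stop "Veeam Backup Service" /y
2024-08-06T02:13:30Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn "Updater" /tr C:\\Users\\Public\\up.exe /sc onlogon
2024-08-06T02:14:10Z|DC01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2024-08-06T02:15:00Z|FS01|CORP\\backupadm|C:\\Windows\\System32\\svchost.exe|C:\\Program Files\\Backup\\agent.exe|agent.exe --verify-catalog
"""


@dataclass(frozen=True)
class Rule:
    technique: str      # ATT&CK id as listed in the profile
    name: str
    pattern: re.Pattern


# Illustrative rule set (an assumption for this example, not a vendor's signatures).
RULES = [
    Rule("T1490", "Inhibit System Recovery", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|"
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    Rule("T1489", "Service Stop", re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I)),
    Rule("T1089", "Disabling Security Tools", re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    Rule("T1053", "Scheduled Task", re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    user: str
    technique: str
    name: str
    command_line: str


def parse_line(raw: str):
    """Split one constructed log line; the command line itself may contain '|'."""
    fields = raw.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        return None
    ts, host, user, parent, image, cmd = fields
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmd": cmd}


def triage(log_text: str) -> list:
    """Return one Hit per (line, rule) match, in log order."""
    hits = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(raw)
        if rec is None:
            continue
        for rule in RULES:
            if rule.pattern.search(rec["cmd"]):
                hits.append(Hit(n, rec["host"], rec["user"], rule.technique, rule.name, rec["cmd"]))
    return hits


def techniques_by_actor(hits: list) -> dict:
    """Group the distinct techniques seen per (host, user)."""
    grouped = {}
    for h in hits:
        grouped.setdefault((h.host, h.user), set()).add(h.technique)
    return grouped


def escalate(hits: list, min_techniques: int = 2) -> list:
    """One command can be routine admin work; several distinct impact or
    evasion techniques from the same account in one window is what to page on."""
    return sorted(k for k, techs in techniques_by_actor(hits).items() if len(techs) >= min_techniques)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.technique} {h.name} -- {h.host} {h.user}: {h.command_line}")
    print("escalate:", escalate(found))
```

In the constructed sample the backup administrator's catalog verification on line 7 produces no hit, while the account on FS01 trips three different techniques within two minutes and is the only one escalated; the Defender-tampering event on DC01 is recorded but, on its own, stays below the paging threshold.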

Mitigations

Mitigating the threat posed by ransomware attacks, particularly from sophisticated groups like LockBit, requires a multifaceted approach involving proactive cybersecurity measures, robust policies, and preparedness strategies. Key mitigation methods:
  • Regular Software Patching and Updates: Ensure all software and operating systems are regularly updated to close the vulnerabilities that ransomware often exploits for initial access.
  • Strong Authentication and Access Control: Implement multi-factor authentication (MFA) and strong password policies to prevent unauthorized access through stolen credentials, a common tactic of ransomware groups.
  • Network Segmentation: Divide networks into segments with different access levels and security controls. This limits the spread of ransomware after a successful breach.
  • Backup and Recovery: Maintain regular backups of critical data and store them securely offline or in a segregated network environment. Test backups regularly to confirm they can be restored quickly after an attack.
  • Security Awareness Training: Educate employees about phishing, suspicious links, and other common tactics used in ransomware campaigns. Human error remains a significant entry point for ransomware.
  • Endpoint Protection: Deploy and maintain endpoint detection and response (EDR) solutions that can detect and respond to suspicious activity and malware on endpoints.
  • Network Monitoring and Intrusion Detection: Continuously monitor network traffic and apply behavior analytics to detect and respond to anomalies that may indicate ransomware activity.
  • Incident Response Plan: Develop and regularly update an incident response plan that outlines the steps to contain, mitigate, and recover from a ransomware attack. Run regular drills to test the plan's effectiveness.
  • Access Controls and Least Privilege: Restrict user permissions to what each role requires (the least privilege principle). This limits the impact of compromised accounts on critical systems.
  • Cybersecurity Collaboration and Information Sharing: Participate in threat intelligence sharing initiatives and collaborate with industry peers and cybersecurity experts to stay informed about emerging threats and effective mitigations.
  • Legal and Compliance Considerations: Ensure compliance with data protection regulations and legal requirements regarding data breaches and ransomware incidents, including reporting duties and breach notifications where applicable.
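The endpoint protection and monitoring items above are stated in general terms; one concrete building block behind them is detecting the encryption stage itself (Data Encrypted for Impact, T1486 in the technique list on this page) while it is still in progress. The script below is an added example for this profile, not CyberMaterial's code or any EDR product's logic. It snapshots a directory, compares a later snapshot, and raises an alert when too many tracked files have, within one scan interval, either been overwritten with near-random content or disappeared in favour of a same-named file carrying a new extension. The ".locked" extension, the report file names, the 64 KiB sampling size and the 7.5-bit and 25% thresholds are constructed placeholders chosen for the demo, not LockBit's actual artefacts.

```python
"""Early warning for mass file encryption (Data Encrypted for Impact, T1486).

Added example for this page, not CyberMaterial's code or any EDR product's
logic. It snapshots a directory, compares a later snapshot, and alerts when
too many tracked files have in one interval jumped to near-random content or
been renamed with a new extension. The ".locked" extension, file names and
thresholds are constructed placeholders, not LockBit's real artefacts.
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

HIGH_ENTROPY = 7.5   # bits per byte; encrypted or compressed data sits near 8.0
RATIO_ALERT = 0.25   # fraction of tracked files changed in one interval
HEAD_BYTES = 65536   # sample only the first 64 KiB of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass(frozen=True)
class FileState:
    stem: str       # relative path without its final extension
    ext: str
    entropy: float


def snapshot(root: str) -> dict:
    """Map each file's relative path to its extension and head entropy."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            rel = os.path.relpath(path, root)
            stem, ext = os.path.splitext(rel)
            state[rel] = FileState(stem, ext, shannon_entropy(head))
    return state


@dataclass
class Verdict:
    encrypted: list = field(default_factory=list)   # content became near-random
    renamed: list = field(default_factory=list)     # original gone, same stem with new ext present
    missing: list = field(default_factory=list)     # original gone, no successor found
    alert: bool = False


def compare(before: dict, after: dict) -> Verdict:
    """Diff two snapshots; alert if the affected share of tracked files crosses RATIO_ALERT."""
    v = Verdict()
    by_stem = {}
    for rel, st in after.items():
        by_stem.setdefault(st.stem, []).append((rel, st))
    affected = set()
    for rel, old in before.items():
        if rel in after:
            if old.entropy < HIGH_ENTROPY <= after[rel].entropy:
                v.encrypted.append(rel)          # overwritten in place
                affected.add(rel)
            continue
        affected.add(rel)
        successors = by_stem.get(rel, [])        # report.txt -> report.txt.locked
        if successors:
            new_rel, new = successors[0]
            v.renamed.append(new_rel)
            if old.entropy < HIGH_ENTROPY <= new.entropy:
                v.encrypted.append(rel)
        else:
            v.missing.append(rel)
    v.alert = bool(before) and len(affected) / len(before) >= RATIO_ALERT
    return v


def build_sample(root: str, n_files: int = 12) -> None:
    """Constructed sample: low-entropy text reports."""
    for i in range(n_files):
        with open(os.path.join(root, f"report{i:02d}.txt"), "w") as fh:
            fh.write(f"Quarterly report {i}: revenue flat, costs down.\n" * 100)


def simulate_mass_change(root: str, n_hit: int = 5) -> None:
    """Stand-in for the impact stage: n_hit reports replaced by random bytes under a
    placeholder extension. Random data only; nothing is actually encrypted."""
    for i in range(n_hit):
        src = os.path.join(root, f"report{i:02d}.txt")
        with open(src + ".locked", "wb") as fh:
            fh.write(os.urandom(8192))
        os.remove(src)


def run_demo() -> Verdict:
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        before = snapshot(root)
        simulate_mass_change(root)
        return compare(before, snapshot(root))


if __name__ == "__main__":
    v = run_demo()
    print(f"alert={v.alert} encrypted={len(v.encrypted)} renamed={len(v.renamed)} missing={len(v.missing)}")
```

Keying the "renamed" check on the stem means a file that was already high-entropy before the scan (an archive or image) is not counted as newly encrypted, and a plain rename without a content change is reported but not labelled encrypted. In practice the scan interval and the ratio threshold would be tuned per share, and the alert would feed the same escalation path as the EDR and network monitoring items above.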

MITRE tactics and techniques

Initial Access
  • Exploit Public-Facing Application (T1190)
  • Valid Accounts (T1078)
  • External Remote Services (T1133)
Execution
  • Command-Line Interface (T1059)
  • Scheduled Task (T1053)
  • PowerShell (T1059.001)
  • PowerShell Empire (T1086)
Persistence
  • Scheduled Task (T1053)
  • Registry Run Keys / Startup Folder (T1060)
Privilege Escalation
  • Valid Accounts (T1078)
  • Credential Dumping (T1003)
  • Exploitation of Vulnerability (T1068)
Defense Evasion
  • Disabling Security Tools (T1089)
  • Process Injection (T1055)
  • Obfuscated Files or Information (T1027)
Credential Access
  • Credential Dumping (T1003)
  • Brute Force (T1110)
  • Steal Web Session Cookie (T1539)
Discovery
  • Remote System Discovery (T1018)
  • System Network Configuration Discovery (T1016)
  • Account Discovery (T1087)
Lateral Movement
  • Remote Desktop Protocol (T1076)
  • SMB/Windows Admin Shares (T1021)
  • Remote File Copy (T1105)
Collection
  • Data from Local System (T1005)
  • Data from Network Shared Drive (T1039)
Exfiltration
  • Exfiltration Over Command and Control Channel (T1041)
  • Exfiltration Over Alternative Protocol (T1048)
Impact
  • Data Encrypted for Impact (T1486)
  • Inhibit System Recovery (T1490)
  • Service Stop (T1489)

Significant Malware Campaigns

  • The LockBit ransomware gang may not be the most wildly unhinged of these criminal groups, but its callous persistence, effectiveness, and professionalism make it sinister in its own way. (Jan 2023)
References:
  • Understanding Ransomware Threat Actors: LockBit
  • The rise of RansomHub: Uncovering a new ransomware-as-a-service operation
  • What Is LockBit Ransomware?
    © 2025 | CyberMaterial | All rights reserved
