LockBit Ransomware: An In-Depth Look
LockBit is a prominent cybercriminal group known for its ransomware-as-a-service (RaaS) operation. The group develops ransomware software and leases it to affiliates who carry out attacks. These attacks typically involve encrypting the victim's data and demanding a ransom for its decryption. LockBit also threatens to publicly leak the stolen data if the ransom is not paid. This "double extortion" tactic has made LockBit a significant threat in the digital landscape.
Evolution and Rise to Prominence
Since its first appearance in September 2019 as "ABCD ransomware", LockBit has continuously evolved its tactics and software. The group's rise to the top of the ransomware world can be attributed to several factors:
- Affiliate-Based Model: LockBit operates on an affiliate model, allowing individuals with varying skill levels to carry out ransomware attacks using their software and infrastructure. This approach has allowed LockBit to significantly expand its reach and impact.
- Innovative Payment Structure: Unlike traditional RaaS models where affiliates receive payment only after the core group takes its cut, LockBit gives affiliates full control over negotiations and payments. Affiliates collect ransoms directly from victims and pay a 20% commission to the core LockBit team. This attractive model has made LockBit a preferred choice for many affiliates.
- Continuous Innovation: LockBit has consistently updated its ransomware, making it more potent and harder to combat. The group released LockBit 2.0 in 2021, which included "StealBit", a tool designed for automated data exfiltration. In 2022, LockBit 3.0 emerged with a more modular design and sophisticated evasion techniques.
- Publicity Stunts: LockBit has employed unconventional publicity stunts to attract affiliates and gain notoriety. These include hosting an essay competition with cash prizes, offering a reward for getting a LockBit tattoo, and placing a bounty on information leading to the identification of LockBit’s leader.
These factors have contributed to LockBit becoming one of the most prolific ransomware groups worldwide. In 2022 alone, LockBit was responsible for 913 ransomware attacks globally, surpassing all other ransomware groups. The group has impacted various sectors, including healthcare, education, financial services, and government institutions.
Technical Details and TTPs
LockBit, predominantly written in C and C++ programming languages, uses various methods to gain initial access to computer systems, including:
- Exploiting Vulnerabilities: LockBit exploits known vulnerabilities in software and systems, such as those found in Remote Desktop Protocol (RDP) servers, VPNs, and other public-facing applications.
- Phishing Campaigns: The group utilizes phishing emails containing malicious attachments or links to trick users into installing the ransomware.
- Brute-Force Attacks: LockBit attempts to gain access to systems by brute-forcing weak RDP or VPN passwords.
- Purchased Access: The group may purchase access to already compromised systems from other cybercriminals.
- Insider Threats: LockBit has been known to leverage insider threats, potentially involving employees or individuals with access to target networks.
Once LockBit gains access to a system, it employs a range of tactics to maximize its impact and evade detection:
- Privilege Escalation: LockBit attempts to escalate its privileges within the compromised system to gain higher-level access and control.
- Data Exfiltration: The group utilizes tools like "StealBit" to steal sensitive data from the victim's network before encrypting it.
- Data Encryption: LockBit employs strong encryption algorithms to encrypt files on the victim's system, rendering them inaccessible.
- Ransom Note: After encryption, LockBit leaves a ransom note with instructions on how to pay the ransom and recover the encrypted data.
- Defense Evasion: LockBit incorporates various techniques to evade detection by security software, such as obfuscating its code, deleting log files, and disabling security processes.
- Lateral Movement: The ransomware spreads to other systems and devices within the network using techniques like SMB file sharing and exploiting compromised credentials.
Law Enforcement and Future Challenges
LockBit's large-scale operations have attracted the attention of global law enforcement agencies.
- In November 2022, a LockBit affiliate was arrested in Canada and is awaiting extradition to the United States.
- In February 2024, law enforcement agencies seized control of LockBit's dark web infrastructure, disrupting their operations.
- In May 2024, the alleged developer of LockBit was indicted by the United States Department of Justice.
Despite these efforts, LockBit remains a persistent threat. The group has shown resilience and adaptability, with reports of continued attacks even after the takedown of their dark web infrastructure. Additionally, the decentralized nature of the RaaS model makes it challenging to completely dismantle the group, as affiliates can continue operating independently or align with other ransomware groups.
The future of ransomware, including groups like LockBit, presents ongoing challenges for cybersecurity. As technology advances, ransomware groups will likely develop more sophisticated tactics and tools. The increasing use of encryption, double extortion tactics, and targeting of critical infrastructure underscore the evolving threat landscape. Combating these threats requires a multi-faceted approach involving:
- Collaboration: Sharing information and coordinating efforts between governments, cybersecurity organizations, and private companies is crucial to effectively track, disrupt, and prosecute ransomware operators.
- Cybersecurity Awareness and Training: Educating users about phishing scams, suspicious links, and the importance of strong passwords can significantly reduce the success rate of ransomware attacks.
- Robust Security Measures: Implementing strong cybersecurity measures, including multi-factor authentication, regular software updates, robust backup and recovery solutions, and endpoint detection and response systems, is essential to prevent and mitigate ransomware attacks.
- Zero-Trust Security Model: Adopting a zero-trust security model, where access to data and systems is granted on a need-to-know basis, can help limit the impact of a potential ransomware infection.
LockBit ransomware affiliates use a wide array of tactics, techniques, and procedures (TTPs) in their attacks, making it difficult for organizations to defend themselves. Because there are so many LockBit affiliates operating independently, the exact TTPs used in any single attack can vary significantly. Some of the most common TTPs are discussed below.
Initial Access
LockBit affiliates will use various techniques to gain initial access to a victim's network. Some common methods include:
- Exploiting vulnerabilities in public-facing applications such as Microsoft Exchange servers, Fortigate SSL VPNs, F5 BIG-IPs, ESXi servers, and Microsoft RDP.
- Phishing emails: Sending phishing emails with malicious attachments or links to trick victims into downloading malware or giving up their credentials.
- Brute-forcing credentials: Using brute force techniques to guess weak passwords for Remote Desktop Protocol (RDP) servers or VPNs.
- Purchasing access from Initial Access Brokers (IABs): LockBit affiliates may purchase access to already compromised networks from IABs rather than gaining access themselves.
Lateral Movement
Once they gain access to a network, LockBit affiliates will attempt to move laterally to other systems and gain elevated privileges. Some common techniques for lateral movement include:
- Exploiting Remote Desktop Protocol (RDP): LockBit commonly exploits vulnerabilities in RDP to gain access to and control victim networks.
- Using stolen credentials: LockBit will leverage compromised credentials to gain access to other accounts on a victim's network.
- Spreading through SMB file sharing: LockBit uses Server Message Block (SMB) file-sharing connections to spread laterally within a network.
- Compromising Group Policy Objects: LockBit can modify Group Policy Objects to distribute the ransomware and execute commands on multiple systems at once.
- Using tools like PsExec and Cobalt Strike: These tools allow the threat actors to execute commands on remote systems and provide various features for lateral movement.
Data Exfiltration and Encryption
LockBit actors will typically steal sensitive data before encrypting files. This "double extortion" technique allows them to demand payment to both decrypt the data and prevent it from being leaked online. Some common tools and techniques for data exfiltration and encryption include:
- StealBit: LockBit developed a custom tool called StealBit, which automates the process of transferring data to the attackers.
- Rclone, MEGA, and other file-sharing services: In addition to StealBit, LockBit actors utilize legitimate tools and file-sharing services such as Rclone, MEGA, and FreeFileSync to exfiltrate data. See the cited sources for a list of file-sharing sites used by LockBit affiliates.
- AES and RSA encryption: LockBit utilizes strong encryption algorithms like AES and RSA to encrypt files on the victim's system. They often encrypt only the first few kilobytes of each file to speed up the encryption process.
- Appending and prepending file extensions: After encrypting files, LockBit typically adds a random string of characters as an extension to the file name.
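The partial-encryption point above has a direct consequence for detection: averaging entropy over a whole file dilutes the scrambled header with the untouched remainder, so a header-versus-tail comparison is the better signal. The following is an added example, not code from the original page or from any LockBit analysis; the 4 KB head size, the thresholds, the sample document and the file names are all constructed assumptions.

```python
import math
import random
from collections import Counter

HEAD_LEN = 4096  # bytes a partial encryptor might touch; assumed size for this example

# Constructed sample content standing in for an ordinary office document (not real data).
PLAINTEXT = (b"Quarterly revenue summary: region north, region south, region east. "
             b"All figures in thousands USD. Prepared by the finance team.\n") * 200


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for text, close to 8.0 for ciphertext or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def head_tail_entropy(data: bytes, head_len: int = HEAD_LEN) -> tuple:
    """Entropy of the leading head_len bytes and of everything after them."""
    return shannon_entropy(data[:head_len]), shannon_entropy(data[head_len:])


def whole_file_entropy(data: bytes) -> float:
    """The naive whole-file figure, shown only to contrast with the head/tail split."""
    return shannon_entropy(data)


def looks_partially_encrypted(data: bytes, head_len: int = HEAD_LEN,
                              high: float = 7.5, low: float = 6.0) -> bool:
    """True when the header looks random but the remainder still looks like
    ordinary content. A whole-file average can sit well below `high` for
    exactly this shape of file and would miss it."""
    head, tail = head_tail_entropy(data, head_len)
    if len(data) <= head_len:
        return head >= high          # nothing left to compare against
    return head >= high and tail < low


def constructed_partial_sample(data: bytes, head_len: int = HEAD_LEN, seed: int = 7) -> bytes:
    """Constructed test input: overwrite the header with seeded pseudo-random bytes
    so the file has the on-disk shape of partial encryption. This is not a cipher."""
    rng = random.Random(seed)
    n = min(head_len, len(data))
    return bytes(rng.getrandbits(8) for _ in range(n)) + data[head_len:]


def scan(files: dict) -> list:
    """Return the names of in-memory files that show the partial-encryption signature."""
    return [name for name, content in files.items() if looks_partially_encrypted(content)]


SAMPLE_FILES = {
    "report.docx": PLAINTEXT,
    "report.docx.xk9Qz2Lp": constructed_partial_sample(PLAINTEXT),  # constructed name
}

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        h, t = head_tail_entropy(content)
        print(f"{name}: head={h:.2f} tail={t:.2f} whole={whole_file_entropy(content):.2f}")
    print("flagged:", scan(SAMPLE_FILES))
```

Running it shows the altered file's whole-file entropy staying below the 7.5 threshold while its header alone exceeds it, which is why a scanner tuned on whole-file averages underreports partial encryption.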
Defense Evasion
To avoid detection, LockBit employs several techniques, such as:
- Disabling security tools: LockBit disables antivirus and endpoint detection and response (EDR) products using tools like Backstab, Defender Control, GMER, PCHunter, PowerTool, Process Hacker, and TDSSKiller.
- Bypassing PowerShell execution policy: LockBit uses tools like Bat Armor to bypass execution restrictions placed on PowerShell, which is commonly used by system administrators and security products.
- Deleting log files: LockBit attempts to cover its tracks by deleting log files that could be used to investigate the attack.
- Using anti-debugging techniques: These techniques are used to make it more difficult for security researchers to analyze the malware and understand how it works.
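The three host-visible behaviours listed above (a security-tool killer being launched, PowerShell run with its execution policy bypassed, and event logs cleared) are individually noisy but, taken together on one host, are a strong ransomware-precursor signal. The block below is an added example, not code from the original page or any vendor product: it runs simple classifiers over constructed Sysmon-style JSON events and escalates hosts where distinct finding types co-occur. The tool file-name stems, the sample hosts and paths are assumptions; Event ID 1102 is the Windows Security-log "audit log was cleared" event.

```python
import json
import ntpath
from collections import defaultdict

# File-name stems of the tampering tools the text lists. Matching on the stem is an
# assumption for this example: the binaries are often renamed, so this is a first-pass
# signal to correlate with other findings, not a stand-alone verdict.
TAMPER_TOOL_STEMS = ("backstab", "defendercontrol", "gmer", "pchunter",
                     "powertool", "processhacker", "tdsskiller")

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (not real logs).
# EventID 1 = process creation; EventID 1102 = Windows "audit log was cleared".
SAMPLE_EVENTS = r"""
{"EventID": 1, "Host": "ws-042", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"EventID": 1, "Host": "ws-042", "Image": "C:\\Users\\Public\\ProcessHacker.exe", "CommandLine": "ProcessHacker.exe"}
{"EventID": 1, "Host": "ws-042", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\stage.ps1"}
{"EventID": 1102, "Host": "ws-042", "Channel": "Security"}
{"EventID": 1, "Host": "srv-01", "Image": "C:\\Program Files\\Backup\\agent.exe", "CommandLine": "agent.exe --sync"}
"""


def classify(event: dict) -> list:
    """Map one event to zero or more finding categories."""
    findings = []
    if event.get("EventID") == 1102:
        findings.append("log-cleared")
    if event.get("EventID") == 1:
        stem = ntpath.splitext(ntpath.basename(event.get("Image", "")))[0].lower()
        if any(tool in stem for tool in TAMPER_TOOL_STEMS):
            findings.append("tamper-tool:" + stem)
        # Normalise whitespace so "-ExecutionPolicy   Bypass" still matches;
        # abbreviated forms of the switch are out of scope for this example.
        cmd = " ".join(event.get("CommandLine", "").lower().split())
        if "powershell" in stem and "-executionpolicy bypass" in cmd:
            findings.append("ps-policy-bypass")
    return findings


def scan(jsonl: str) -> list:
    """Return (host, finding) pairs for every matching event, in input order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for finding in classify(event):
            alerts.append((event.get("Host", "?"), finding))
    return alerts


def escalate(alerts: list, min_categories: int = 2) -> list:
    """Hosts where at least min_categories distinct finding types co-occur.
    Any single finding is noisy (Process Hacker has legitimate admin uses); the
    combination of a tamper tool, a policy bypass and a cleared log on one host
    is the pattern worth paging on."""
    by_host = defaultdict(set)
    for host, finding in alerts:
        by_host[host].add(finding.split(":")[0])
    return sorted(h for h, cats in by_host.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host, finding in found:
        print(host, finding)
    print("escalate:", escalate(found))
```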
Other Notable TTPs
- Targeting specific language settings: LockBit ransomware is designed to check the language settings of a target machine. If the language matches a predefined exclusion list, the ransomware will not infect the system. The exclusion list includes languages such as Romanian, Arabic, and Tatar.
- Exploitation of managed service providers: LockBit actors may target companies that manage IT services for other businesses. This tactic allows the attackers to potentially deploy ransomware to multiple downstream victims through a single compromise.
It is important to remember that these are just some of the most common tactics, techniques, and procedures used by LockBit ransomware affiliates. The specific TTPs employed in any given attack may vary depending on the target, the affiliate, and other factors. Organizations should stay informed about the latest threats and vulnerabilities and take proactive steps to strengthen their security posture.
LockBit Ransomware Timeline:
2019:
- September: LockBit ransomware first emerges.
2020:
- January: LockBit ransomware, previously known as ".abcd", appears on Russian-language cybercrime forums.
- January 5: First LockBit activity observed in the United States.
- March: First recorded instance of LockBit activity in Canada.
2021:
- March: First recorded incident involving LockBit ransomware in New Zealand.
- June: LockBit 2.0 (also known as LockBit Red), is released, featuring StealBit, a built-in information-stealing tool. LockBit 2.0 gains traction as other RaaS operations shut down.
- October: LockBit releases Linux-ESXi Locker version 1.0, targeting Linux hosts, particularly VMware ESXi servers.
2022:
- June: LockBit 3.0 (also known as LockBit Black) emerges, boasting a more modular architecture and sophisticated evasion techniques.
- July: LockBit ransomware gang releases LockBit Green.
- September: LockBit attempts to further publicize itself by hosting an essay competition with cash prizes and offering rewards for tattoos of their logo.
- December: Japanese police successfully decrypt some files encrypted by LockBit.
2023:
- March 16: CISA releases an advisory on LockBit 3.0.
- June: The United States Department of Justice announces criminal charges against Ruslan Magomedovich Astamirov, a Russian national, for alleged involvement with the LockBit ransomware campaign as an affiliate.
- June 14: CISA releases an updated advisory on LockBit, covering versions 2.0, 3.0, Green, and Linux-ESXi Locker.
- July: LockBit attacks the Port of Nagoya in Japan, disrupting container operations.
- October: LockBit claims to have stolen sensitive data from Boeing. Boeing acknowledges a cyber incident impacting parts of its business but does not confirm LockBit's involvement.
- November: LockBit targets and compromises the world's largest bank, forcing them to resort to using USB sticks for trading due to system disruption.
- November 10: LockBit publishes data allegedly stolen from Boeing.
- November 17: LockBit compromises a US financial firm and threatens to leak its data. They also revamp their ransomware negotiation tactics due to a decrease in payments.
2024:
- February: Fulton County, Georgia experiences a ransomware attack by LockBit.
- February 19: Law enforcement agencies, including the National Crime Agency, Europol, and the FBI, seize control of LockBit’s darknet infrastructure, seizing their source code and obtaining decryption keys. They arrest one person in Ukraine, one in Poland, and two in the United States. Two Russians are also named but not apprehended. A decryptor for LockBit 3.0 is released for free use on No More Ransom.
- February 26: Despite the takedown, LockBit resurfaces, taunting law enforcement and threatening to leak sensitive documents. Reports suggest that some affiliates are still active.
- May 7: The United States, United Kingdom, and Australia sanction Dmitry Yuryevich Khoroshev, an alleged senior leader and developer of LockBit. The US Department of Justice unseals an indictment against Khoroshev.
- May 21: LockBit claims responsibility for an attack on Canadian retail chain London Drugs, demanding a $25 million ransom. London Drugs refuses to pay.
- June: LockBit takes credit for a major breach of Evolve Bank & Trust, a partner bank to many financial technology companies. They threaten to leak data from the US Federal Reserve, but the leaked data seems to originate directly from Evolve.
- July 2: A Croatian hospital has its data leaked on the dark web following a LockBit ransomware attack. The government refuses to negotiate with the criminals.
Cast of Characters:
LockBit Group:
- Dmitry Yuryevich Khoroshev (LockBitSupp, LockBit, putinkrab): Alleged leader and developer of the LockBit ransomware, responsible for its development, administration, and financial gains. He allegedly managed affiliates, upgraded infrastructure, and recruited developers.
LockBit Affiliates:
- Ruslan Magomedovich Astamirov: Russian national charged in June 2023 for alleged involvement in LockBit ransomware attacks. Awaiting trial.
- Mikhail Vasiliev: Dual Russian-Canadian national arrested in November 2022 for alleged participation in the LockBit ransomware group. Awaiting extradition to the United States.
- Mikhail Matveev (Wazawaka, m1x, Boriselcin, Uhodiransomwar): Charged in May 2023 with using various ransomware variants, including LockBit. Subject of a $10 million reward offered by the U.S. Department of State’s Transnational Organized Crime Rewards Program.
- Artur Sungatov: Russian national charged in February 2024 with deploying LockBit against numerous victims in the United States.
- Ivan Kondratyev (Bassterlord): Russian national charged in February 2024 with deploying LockBit against numerous victims in the United States.
Law Enforcement and Cybersecurity Organizations:
- Cybersecurity and Infrastructure Security Agency (CISA): U.S. government agency providing cybersecurity resources and advisories, including multiple reports on LockBit.
- Federal Bureau of Investigation (FBI): U.S. federal law enforcement agency investigating and pursuing cybercrime, including LockBit activities.
- Multi-State Information Sharing and Analysis Center (MS-ISAC): Organization facilitating cybersecurity information sharing among U.S. state and local governments, including collaboration on LockBit defense.
- Australian Cyber Security Centre (ACSC): Australian government agency responsible for cybersecurity.
- National Cyber Security Centre (NCSC-UK): UK government organization providing cybersecurity guidance and support.
- Canadian Centre for Cyber Security (CCCS): Canadian government agency focusing on cybersecurity.
- Agence nationale de la sécurité des systèmes d'information (ANSSI): French national cybersecurity agency.
- Bundesamt für Sicherheit in der Informationstechnik (BSI): German Federal Office for Information Security.
- CERT NZ: New Zealand’s Computer Emergency Response Team.
- National Cyber Security Centre (NCSC-NZ): New Zealand’s national cybersecurity agency.
- National Crime Agency (NCA): UK's national law enforcement agency, instrumental in the February 2024 takedown of LockBit infrastructure.
- Europol: European Union's law enforcement agency, cooperating in the international effort against LockBit.
Other Entities:
- Trend Micro: Cybersecurity company providing research and analysis on LockBit, including reports on their evolution and tactics.
- Sophos: Cybersecurity company researching and publishing analyses of LockBit's capabilities and connections to other ransomware families.
- VMware: Software company whose ESXi servers have been targeted by LockBit. They have also published research analyzing LockBit’s functionalities.
- Packt: Cybersecurity training and information provider.
This timeline and cast of characters offer a glimpse into the evolving landscape of the LockBit ransomware and the ongoing battle against cybercrime. Please note that this information is based on the provided excerpts and might not encompass the complete picture of events.
In conclusion, LockBit's rapid rise to prominence and its continued operation, even in the face of law enforcement actions, demonstrate the evolving threat of ransomware. Understanding LockBit's tactics, techniques, and overall impact is essential for individuals and organizations to bolster their cybersecurity posture and mitigate the risks posed by this dangerous group.
LockBit 3.0 Ransomware FAQ
What is LockBit 3.0?
LockBit 3.0, also known as "LockBit Black," is a type of ransomware, which is a malicious software used by cybercriminals to encrypt data on a victim's computer system. The criminals then demand a ransom payment in exchange for decrypting the data. LockBit 3.0 is particularly dangerous because it is more modular and evasive than previous versions, making it difficult to detect and prevent. It also employs a "triple extortion" model, meaning that victims may be subject to:
- Data encryption: Making their files inaccessible.
- Data exfiltration: Stealing sensitive information and threatening to release it publicly.
- Data auction: Selling the stolen data to the highest bidder.
How does LockBit 3.0 infect systems?
LockBit 3.0 affiliates gain initial access to victim networks through a variety of methods, including:
- Exploiting vulnerabilities in Remote Desktop Protocol (RDP): This allows remote access to a computer.
- Drive-by downloads: Visiting compromised websites that automatically download the malware.
- Phishing campaigns: Deceptive emails or messages that trick users into clicking malicious links or opening infected attachments.
- Abuse of valid accounts: Using stolen credentials to access systems.
- Exploitation of public-facing applications: Taking advantage of security flaws in software used by organizations.
What are some of the indicators of a LockBit 3.0 infection?
Some common signs that a system has been infected with LockBit 3.0 include:
- Files are renamed with the extension ".lockbit".
- A ransom note appears on the desktop or is printed to connected printers.
- The desktop background is changed to a LockBit 3.0 branded image.
- System performance slows down significantly.
- Unusual processes running in the background.
How does LockBit 3.0 spread within a network?
LockBit 3.0 can spread laterally across a network using a number of techniques:
- Compromised user accounts: Once an account is compromised, the malware can use those credentials to access other machines.
- Group Policy Objects: These allow administrators to manage multiple computers, but LockBit 3.0 can modify them to execute malicious commands.
- PsExec: A tool that allows remote command execution on Windows systems.
What is unique about LockBit's approach to publicity?
LockBit is known for its unconventional publicity stunts. Some examples include:
- Essay competitions with cash prizes for winners.
- Offering rewards to individuals who get tattoos of the LockBit logo.
What are law enforcement agencies doing about LockBit?
LockBit's operations have attracted significant attention from law enforcement around the world. Here are some notable actions:
- Global operation to disrupt LockBit's infrastructure: This included seizing control of their websites and servers, obtaining decryption keys to help victims, and arresting several key members.
- Publicly identifying and sanctioning LockBit leaders: This aims to disrupt their financial operations and make it harder for them to operate.
What is LockBit's "Ransomware-as-a-Service" (RaaS) model?
LockBit operates as a RaaS, meaning they develop and maintain the ransomware software and infrastructure, but they lease it to other cybercriminals (affiliates). These affiliates then carry out the actual attacks. This model allows LockBit to:
- Profit from ransomware attacks without directly conducting them.
- Expand their reach by leveraging the skills and resources of various affiliates.
How can I protect my organization from LockBit 3.0 and similar threats?
While no system is completely immune to attacks, there are essential steps to strengthen your defenses against LockBit 3.0:
- Prioritize patching known vulnerabilities: Regularly update your software and operating systems.
- Train users to identify and report phishing attempts: Educate employees on recognizing suspicious emails and links.
- Enable and enforce multi-factor authentication (MFA): This adds an extra layer of security beyond just passwords.
- Regularly back up your data: Ensure you have offline and secure backups to restore data if needed.
- Implement strong security software: Use reputable antivirus, anti-malware, and endpoint detection and response (EDR) tools.