In the constantly evolving arena of cybersecurity, the digital landscape is fraught with adversaries lurking in the shadows, ready to exploit vulnerabilities and disrupt the operations of organizations. Among these threats, LockBit ransomware has emerged as a formidable player, with a dark history of evolution and a propensity to target large enterprises across diverse sectors.
In this blog, we will delve deep into the realm of LockBit ransomware, exploring its origins, modus operandi, and consequential impact on organizations.
We will also unravel its connection to the shadowy domain of Ransomware-as-a-Service (RaaS) and, most importantly, unveil strategies to mitigate LockBit’s risks, ensuring that your organization remains resilient in the face of this relentless digital threat.
What is Lockbit Ransomware?
Lockbit ransomware is a formidable threat in the ever-evolving realm of cyberattacks. Emerging from the obscure corners of the internet, its origins shrouded in secrecy, identifying its precise source is a formidable challenge. Initially appearing in 2019, Lockbit has evolved over time, morphing into a more destructive and sophisticated ransomware variant.
- Target Selection: Lockbit meticulously selects its targets based on their financial capacity and the potential disruption they can inflict on the organizations. This results in a concentration on large enterprises spanning healthcare, education, financial institutions, and government entities.
- Automated Vetting Process: An automated vetting process aids in the selection of targets, ensuring they meet specific criteria.
- Strategic Avoidance: Surprisingly, Lockbit refrains from targeting organizations within Russia and other Commonwealth countries, likely to evade prosecution.
- Ransomware as a Service (RaaS): Lockbit operates on an RaaS business model, where affiliates license the ransomware. The ransom payments are then split between these affiliates and the Lockbit developer team.
- Empowering Affiliates: Lockbit affiliates receive a range of tools to facilitate their attacks, including an affiliate dashboard, a toolkit to craft customized ransomware payloads, a decryptor generator program, secure cryptocurrency payment channels, and communication channels with the victims. These resources simplify the execution of large-scale attacks, even for novice hackers.
Notable Incidents of Lockbit Ransomware Attacks
Lockbit has wrought havoc across various sectors, leaving a trail of significant cyber incidents in its wake. These incidents have had profound impacts on targeted organizations, often leading to data breaches, financial losses, and operational disruptions.
The malware primarily targets large enterprises, with notable victims hailing from critical sectors such as healthcare, education, financial industries, and government entities. The ransomware’s highly effective tactics and business model have made it a lucrative choice for cybercriminals, escalating its presence and impact in the cybersecurity realm.
Recent Lockbit Ransomware Attacks
Here are some recent Lockbit ransomware attacks:
- In June 2023, the Lockbit ransomware gang claimed to have hacked TSMC (Taiwan Semiconductor Manufacturing Company), the world’s largest chipmaker and demanded $70 million not to release stolen data. However, TSMC denied being hacked.
- In May 2023, Lockbit ransomware infected the network of Managed Care of North America (MCNA) Dental, compromising the personal data of nearly 9 million patients.
- In April 2023, Lockbit affiliates conducted a ransomware attack on an Australian engineering firm, gaining access through an exploited VPN vulnerability.
- In February 2023, Lockbit was reportedly used in the first-ever ransomware attack in New Zealand, targeting a manufacturing company.
- In January 2023, Lockbit deployed ransomware against Canadian real estate company Brookfield Residential, encrypting servers and demanding ransom.
- In December 2022, Lockbit infected the network of Australian aged care provider Regis Healthcare, stealing data before deploying ransomware.
- In November 2022, Florida agricultural company Alico was hit by Lockbit, paying a $6 million ransom after servers and data were encrypted.
- Between 2020-2022, Lockbit conducted thousands of attacks worldwide, becoming the most active ransomware group according to several tracking sources. Critical targets included governments, healthcare, and infrastructure firms.
According to the Federal Bureau of Investigation (FBI), Lockbit ransomware is responsible for 1700 cyberattacks since 2020. (Source: CISA)
The Evolution of Lockbit Ransomware – Lockbit 2.0 and Lockbit 3.0
The evolution of LockBit ransomware has seen it transform from a menace lurking in the dark corners of the internet to a formidable adversary within the cyber threat landscape. This evolution reflects LockBit’s adaptability, demonstrating its ability to exploit vulnerabilities in networks, compromise insider connections, and strategically select large enterprises as lucrative targets.
In this section, we’ll explore the different variations of Lockbit ransomware, their modus operandi, and key characteristics.
How the Original LockBit Ransomware Attacks Work(ed)
LockBit ransomware, in its original iteration, displayed characteristics akin to ransomware strains like LockerGoga and MegaCortex. Just like these malicious counterparts, LockBit exhibits self-spreading capabilities. To infiltrate target systems, LockBit makes use of tools such as Windows PowerShell and Server Message Block (SMB).
The initial attack involving this version targeted Accenture, a prominent tech consultancy firm. The cybercriminals behind LockBit stole a substantial six terabytes of data and demanded a hefty ransom of $50 million. An intriguing aspect of LockBit’s operations is its inclination to hire insiders who assist in breaching target networks. This version of LockBit infiltrated an organization’s IT systems by compromising a user account with a weak password and no Multi-Factor Authentication (MFA), thereby gaining elevated permissions and system rights.
The ransomware attack progressed with the threat actors mapping the entire network and executing a malicious script to propagate to other machines within the organization. Subsequently, all systems were encrypted, and a ransom note was dropped as is customary.
How LockBit 2.0 Ransomware Executes Attacks
In 2021, LockBit evolved into LockBit 2.0, maintaining its reliance on built-in Windows system tools (LoLBins) like Windows PowerShell and SMB for network infiltration. However, this version introduced a double extortion model, departing from mere encryption. Now, LockBit not only encrypted data but also located and exfiltrated sensitive information, compelling victims to pay the ransom to prevent reputational damage and class action lawsuits. Non-compliant victims faced the publication of their data on LockBit’s leak site.
The targets expanded to include manufacturing, construction, professional services, retail, and the food industry, marking a shift from the previous version’s focus. LockBit 2.0 stood out with the following characteristics:
- Compatibility with both Windows and Linux operating systems, including a Linux version dedicated to targeting VMware ESXi hypervisors.
- Employment of elliptic-curve cryptography (ECC) and advanced encryption standard (AES) for data encryption.
- Utilization of various vulnerabilities such as ProxyShell (CVE-2021-34473) and improper SQL sanitization (CVE-2021-20028) for establishing a foothold.
- Leveraging privilege escalation methods like ProxyShell privilege escalation on the Exchange PowerShell Backend (CVE-2021-34523), exploiting Windows Background Intelligent Transfer Service (BITS), and taking advantage of the CMSTPLUA COM interface.
- Integration of Cobalt Strike for command and control, data downloading, and lateral movement.
- Use of the PowerShell module ‘Invoke-GPUpdate’ to update group policies.
- Adoption of scheduled tasks to maintain persistence for the ransomware executable, PsExec, and batch scripts for defense evasion.
- Deployment of StealBit to support LockBit 2.0 RaaS affiliates in data exfiltration.
- Self-propagation through SMB and the capability to clear logs and print ransom notes on network printers until resources are exhausted.
How LockBit 3.0 Ransomware Operates
In 2022, LockBit unveiled its third iteration, LockBit 3.0, rebranded as LockBit Black. Notably, approximately one-third of its victims came from the Banking, Financial Services, and Insurance (BFSI) sector. This latest version optimizes its performance, creating multiple threads that utilize the target machine’s resources for faster encryption. These threads are dedicated to diverse processes, such as system information identification, ransom note creation, services deletion, and file attribute retrieval.
LockBit 3.0 introduces a change in its encryption approach, appending an “HLjkNskOq” file extension to encrypted files, a departure from its older methods. Additionally, the malware now resolves API functions dynamically using a “-pass” command for execution. For effective encryption, LockBit inhibits system restoration after encryption by deleting essential services and Volume Shadow copies through “Win32_ShadowCopy” and enumerates Volume Shadow copies using “select * from Win32_ShadowCopy.”
This version also implements a new extortion mode for selling stolen data, publicly listing it as ‘for sale’ on the threat actor’s website. Key features in LockBit 3.0 comprise:
- Incorporation of a new anti-debugger feature.
- Enhanced evasion techniques and accelerated encryption compared to previous versions.
- Capabilities for tampering with Windows Event Logs and disabling Windows Defender.
- Anti-detection mechanisms for evading Anti-Virus and Endpoint Detection and Response systems (EDR).
LockBit 3.0 follows a meticulously planned attack chain that involves several crucial actions on a server machine:
Checking for Debugger
LockBit conducts an initial check to detect if the malware process is under scrutiny. If a debugger is detected, the program enters an infinite loop.
Performing Language Checks
Default language checking ensues by calling the GetSystemDefaultUILanguage and GetUserDefaultUILanguage functions. Notably, LockBit excludes Russia and neighboring countries from its target list based on language, immediately terminating its operations if the language matches.
Disabling Running Processes and Services
Several essential services, including SQL service, backup service, and MSExchange services, are disabled. LockBit terminates processes related to malware analysis and various others like Process Explorer, Process Monitor, Dumpcap, Wireshark, cmd.exe, Process Hacker, TeamViewer, Notepad, Notepad++, and WordPad to avoid detection.
Attempting Privilege Escalation
LockBit creates a new process by employing CreateProcessAsUserW and duplicates the token using DuplicateTokenEx. Once privilege escalation is achieved, it launches itself under DLLHost.exe, subsequently terminating the original LockBit process.
Bypassing the User Account Control (UAC)
LockBit injects code into dllhost.exe by exploiting CLSIDs of COM objects using USERENV.dll, UACME, or the ICMLuaUtil elevated COM Interface-Object to bypass UAC.
Replicating the LockBit Program
LockBit copies itself to the SYSVOL directory at “c:\windows\sysvol\domain\scripts<LockBit executable>” and creates a Group Policy. It produces XML files required for Group Policy in the directory “C:\Windows\SYSVOL\domain\Policies<policy GUID>.”
Altering the Device’s Configuration
LockBit sets a policy to deactivate Windows Defender and all notifications, disable file submissions, and turn off real-time protection. Additionally, it maps the network drive through Group Policy, disables SQL server-related services, copies a ransomware version from SYSVOL to the desktop, and creates a scheduled task to terminate specific processes.
Lateral Movement in Network
LockBit launches powershell.exe to perform an Active Directory-wide search on all computers and applies the newly created Group Policy through the ‘gpupdate force’ command (gpupdate). It also executes gpupdate on the domain controller where LockBit is running. Furthermore, gpupdate runs to enforce policies based on computer and user configurations.
Reading and Altering Firewall Rules
LockBit utilizes the “FwPolicy2” object of Windows Defender Firewall to read and modify firewall rules.
Deleting Shadow Copies
LockBit deploys VSSADMIN and WMIC commands to erase shadow copies and attempts to disable recovery using BCDEdit. It also deletes Windows event logs with commands: wevtutil cl security, wevtutil cl system, wevtutil cl application.
Performing Encryption on Systems
LockBit encrypts files, appending the .HLjkNskOq file extension.
Dropping Ransom Note
The malware finalizes its attack chain by displaying a ransom note, creating and executing the lockbit.hta file.
Impact of Lockbit Ransomware Attacks on Organizations
Ransomware attacks, such as those orchestrated by LockBit, have inflicted significant repercussions on targeted organizations. The impact can be dissected into two key dimensions:
Financial Consequences of Lockbit Ransomware Attacks
The financial toll of LockBit ransomware attacks is substantial. Victims are often coerced into paying substantial ransoms to regain access to their encrypted data and prevent data leaks. However, complying with ransom demands doesn’t guarantee data recovery, and organizations can suffer a double blow – paying a hefty ransom without retrieving their files.
This financial strain extends further as companies must allocate resources to incident response, data recovery, and fortifying their security infrastructure to prevent future breaches.
How Much Money Have LockBit Ransomware Attacks Cost Globally
It’s difficult to give exact figures for the total ransom payments or financial losses attributed to Lockbit ransomware attacks globally, as many victims do not publicly disclose ransom payments or losses. However, here are some publicly disclosed incidents:
- In 2022 alone, Chainalysis estimated that Lockbit affiliates received over $100 million in ransom payments, making it the most profitable ransomware operation that year.
- According to Coveware’s 2022 ransomware report, the average ransom payment to Lockbit increased from 1.1 million in Q1 2022 to 1.8 million in Q4 2022, reflecting its targeting of larger organizations.
- Affected organizations have reported paying ransoms in the millions of dollars. For example, Alico (agriculture company) paid 6 million, Tulsa County paid 1.2 million, and AdventHealth paid over $1 million.
- In 2021, the UK announced losses of over $200 million to ransomware attacks, with Lockbit being a major contributor according to cybersecurity agencies.
- The FBI estimates total ransomware costs (downtime, recovery, lost revenue etc.) to be 3 – 4 times the actual ransom payment. This suggests total global losses could be in the billions from Lockbit alone.
- Lockbit has attacked thousands of organizations worldwide since 2020 across critical industries like healthcare, transportation, energy, and manufacturing.
While exact aggregated figures are hard to determine, it’s evident that Lockbit attacks have resulted in hundreds of millions, if not billions, in ransom payments and related losses due to their scope and targeting of large enterprises. It remains one of the costliest ransomware operations globally.
Data Security Risks of Lockbit Ransomware Attacks
LockBit attacks entail grave data security risks. When targeted organizations refuse to pay the ransom, threat actors threaten to expose stolen data. Such threats put organizations in a challenging position, as they must evaluate whether to pay the ransom, risk financial loss, or refuse and potentially face reputational damage, legal consequences, and regulatory sanctions.
Furthermore, the breach of confidential and sensitive data can have enduring consequences, eroding trust among customers, partners, and stakeholders, and triggering legal battles and compliance issues.
Lockbit’s Connection to Ransomware-as-a-Service (RaaS)
LockBit, like several other ransomware strains, has adopted a Ransomware-as-a-Service (RaaS) business model, which has fueled its proliferation in the cybercriminal world.
The Business Model
In the RaaS framework, LockBit operates as the central developer, licensing its ransomware technology to affiliates who are responsible for carrying out the attacks. This model serves as a force multiplier, enabling a larger number of malicious actors to leverage LockBit’s destructive capabilities.
Under this business arrangement, the profits derived from successful attacks are shared between the affiliates and the LockBit developer team. LockBit offers a suite of tools to its affiliates, facilitating their criminal activities:
- Affiliate Dashboard: Affiliates gain access to an affiliate dashboard, where they can track the progress of their campaigns, view earnings, and manage their ransomware payloads.
- Toolkit for Custom Payloads: LockBit provides a toolkit that empowers affiliates to craft custom ransomware payloads tailored to their target environments, enhancing the chances of infection.
- Decryptor Generator: To incentivize victims to pay the ransom, LockBit affiliates are equipped with a decryptor generator program, allowing for the decryption of files upon payment.
- Secure Payment Channels: LockBit facilitates the collection of ransom payments by offering secure channels for receiving cryptocurrency, ensuring a degree of anonymity for the attackers.
- Communication with Victims: LockBit affiliates are furnished with communication channels through which they can interact with their victims. This allows for ransom negotiations and payment instructions.
The RaaS model not only streamlines the attack process but also attracts novice cybercriminals who can initiate large-scale campaigns with relative ease, thereby amplifying the overall threat landscape.
Affiliates and Profits
The ecosystem of LockBit’s affiliates is diverse, comprising both experienced and entry-level threat actors. The ransom payments collected through these operations are split, with a significant portion going to the developer team to finance further enhancements of the malware and infrastructure. The rest of the profits are channeled to the affiliates, motivating them to expand the reach of LockBit.
This model of operation has allowed LockBit to cast a wider net, targeting a broad spectrum of organizations, including but not limited to manufacturing, construction, professional services, retail, and the food industry. As a result, LockBit poses a substantial and adaptable threat to businesses across different sectors, perpetuating the ongoing challenge of defending against this potent ransomware variant.
Mitigating LockBit Ransomware Attack Risks
Mitigating the risks posed by LockBit ransomware requires a multi-faceted approach, combining proactive measures to prevent infections and robust strategies for incident response and recovery.
1. Security Awareness Training:
One of the most effective preventive measures is to ensure that all employees are well-informed about cybersecurity threats. Regular security awareness training programs can help educate the workforce about identifying phishing attempts, malicious attachments, and suspicious links. This reduces the likelihood of initial infection vectors.
2. Patch Management:
LockBit often exploits vulnerabilities in systems and networks to infiltrate organizations. Keeping software, operating systems, and applications up to date with the latest security patches and updates can significantly reduce the attack surface, making it harder for the ransomware to gain a foothold.
3. Network Segmentation:
Network segmentation is a vital strategy that isolates different parts of the network to prevent the lateral movement of ransomware once it infiltrates one segment. By limiting the ransomware’s ability to spread, network segmentation can help contain and mitigate its impact.
4. Email Security:
Implement advanced email security solutions, such as anti-phishing and anti-malware tools, to detect and block malicious emails that may deliver LockBit ransomware payloads. Email scanning can provide an additional layer of defense against infection vectors.
5. Multi-Factor Authentication (MFA):
Enforce multi-factor authentication (MFA) for all remote access and administrative accounts. This added layer of security can help protect against stolen credentials, which ransomware attackers may exploit to gain access to systems.
6. Air-Gapped and Immutable Backups:
Implement air-gapped and immutable backup solutions to safeguard critical data. Air-gapped backups are physically isolated from the network, making them impervious to ransomware attacks. Immutable backups prevent data from being modified or deleted for a specific retention period. In case of an infection, these backups can provide a clean, unaffected data source for recovery.
Incident Response and Recovery Strategies
1. Isolation of Infected Systems:
In the event of a LockBit infection, it’s essential to isolate compromised systems to prevent the ransomware from further spreading throughout the network. Disconnecting infected devices or segments can contain the damage.
2. Communication Plan:
Having a well-defined communication plan is crucial. Notify all relevant stakeholders, including IT teams, senior management, and legal counsel. Quick and clear communication is essential in coordinating an effective response.
3. Data Recovery from Backups:
Access to secure and clean backups is invaluable when dealing with a LockBit attack. Air-gapped and immutable backups are especially useful, as they cannot be modified or deleted by the ransomware. Prompt recovery from backups is often the best method to regain access to encrypted data without paying the ransom.
4. Ransom Negotiation:
While not recommended, some organizations opt to negotiate with the attackers and pay the ransom to recover their data. If you choose to take this route, it is advised to use a reputable third party for negotiations, rather than dealing directly with cybercriminals.
5. Legal and Law Enforcement Involvement:
Consider involving legal authorities and law enforcement agencies in case of a LockBit attack. This can lead to the pursuit and potential apprehension of the threat actors, as well as increased visibility into the attack.
LockBit ransomware stands as a persistent and evolving threat in the realm of cybersecurity. Its various versions have demonstrated increasingly destructive capabilities, and its connection to the Ransomware-as-a-Service (RaaS) business model has enabled it to proliferate. However, with the right preventative measures, robust incident response strategies, and the deployment of advanced backup solutions such as air-gapped and immutable backups, organizations can significantly reduce the risks and impact of LockBit attacks.
In an ever-changing digital landscape, vigilance, preparedness, and a proactive stance against LockBit ransomware are essential to safeguarding sensitive data and maintaining business continuity.