What do Organizations Need to Know about LockBit?
The first known ransomware attacks using what would come to be known as LockBit were reported back in 2019. Organizations infected with the malicious software had their files encrypted and were forced to pay a large sum for a decryption key. 2021 saw the emergence of LockBit 2.0, featuring faster encryption. In one of the most widely reported ransomware attacks of 2021, LockBit attacked the consulting group Accenture and claimed to have stolen six terabytes of data.
LockBit is regarded as the most highly impactful and widely deployed ransomware for the first quarter of 2022, and its victims include many organizations with OT/ICS networks.
Now, the group behind LockBit has announced LockBit 3.0 ransomware, and it’s already causing problems worldwide.
SCADAfence’s analysts expect LockBit to continue and even increase its activity through the end of 2022 and for it to continue to target the industrial sector. Therefore, we’ve put together this history and overview of LockBit, and assembled a list of best practices for staying safe.
How LockBit Functions as Ransomware as a Service (RaaS)
The LockBit group uses a ransomware-as-a-service (RaaS) business model, which means that they sell their ransomware to be used as a service by other criminal groups. The ransomware leverages double extortion techniques as part of the attack to pressure victims into paying the ransom. This means they exfiltrate the data to their own servers, in addition to encrypting it. In some cases, LockBit operators have performed DDoS attacks on the victims' infrastructure as well as using a leak site, a technique known as triple extortion.
Double extortion used in the Accenture attack (inthecloudtech)
The LockBit group has built itself into one of the most professional organized criminal gangs thanks to its recruitment of affiliates. The group has been known to hire network access brokers, cooperate with other criminal groups, recruit company insiders, and sponsor underground technical writing contests to recruit talented hackers.
The Evolution of LockBit Ransomware
LockBit was originally known as ABCD after the file extension .abcd that it left on encrypted files. During its first year of operation, the group remained a relatively small player, as more prominent gangs received greater attention.
LockBit 2.0 relied on tools such as Windows PowerShell and SMB to attack organizations, scanning networks to infect compromised devices. The ransomware primarily used built-in Windows tools (Living off the Land Binaries, or LoLBins), making detection of malicious activity more difficult.
Around June 2022, LockBit operators and affiliates began the shift to LockBit 3.0, also referred to as LockBit Black, a variant with roots that extend back to BlackMatter and related entities. This version introduces new management features for affiliates and adds Zcash for victim payments in addition to Monero and Bitcoin.
It also claims to have opened a public “bug bounty” program in an effort to improve the quality of the malware and financially reward those who assist. This program invites security researchers and hackers (both ethical and unethical) to find flaws in the ransomware project. It also claims to offer a reward of between one thousand and one million dollars for those who find and report various issues within the LockBit 3.0 structure.
As explained earlier this year in an article by Trend Micro, LockBit 3.0 works by performing various routines, including, “attempts to log in using credentials from its configuration list with the goal of determining if the compromised system is a part of the domain admin.” Similar to BlackMatter, “it terminates and deletes processes and services from its configuration list, wipes the recycle bin folder on every drive, scans its configuration list for computer name hashes to avoid, connects to the C2 server if the flag is set, and encrypts network shares and Exchange mailboxes if set in its configuration flag.”
It also obtains a list of files, folders, and extensions to be avoided from its configuration list, uses pointed files when encrypting .lnk files, prints the ransom note on any available printers, modifies the desktop wallpaper, and uses the same encryption algorithm as BlackMatter.
The LockBit 3.0 ransomware uses a variety of anti-analysis techniques to hinder static and dynamic analysis, similar to the BlackMatter ransomware. These techniques include code packing, obfuscation and dynamic resolution of function addresses, function trampolines, and anti-debugging techniques. In a recent incident, a LockBit affiliate was observed leveraging a VMware command-line utility and Microsoft Defender Antivirus utilities to drop Cobalt Strike payloads, a “living off the land” technique used to evade EDR and AV detection.
LockBit Technical Details
LockBit infection chains show a variety of tactics and tools employed. Affiliates typically buy access to targets from other threat actors, who typically obtain it via phishing, exploiting vulnerable apps, or brute forcing Remote Desktop Protocol (RDP) accounts.
In some instances, it arrived via spam email or by brute forcing insecure RDP or VPN credentials, or by exploiting a Fortinet VPN vulnerability (CVE-2018-13379), ProxyShell (CVE-2021-34473), Log4Shell (CVE-2021-44228), or improper SQL sanitization (CVE-2021-20028).
The SCADAfence Platform detects the use of the Fortinet VPN, ProxyShell and Log4Shell vulnerabilities. Additionally, SCADAfence's User-Activity feature allows users to monitor RDP connections and detect anomalous behavior.
LockBit is typically executed via the command line or through scheduled tasks, usually when it is being propagated to other machines. Execution can also be performed by the affiliates themselves. For persistence, LockBit changes the Run key in the registry, which allows it to execute each time the computer boots up.
The SCADAfence Platform detects remote command line execution and creation of remote scheduled tasks.
Aside from the credentials obtained from affiliates, LockBit was observed using Mimikatz to gather credentials.
The SCADAfence Platform detects the use of Mimikatz across the network.
GMER, PC Hunter, and/or Process Hacker were observed in some infections. These tools are typically used to disable security products. In some cases, a Group Policy was created to disable Windows Defender.
Network Scanner, Advanced Port Scanner, and AdFind were used to enumerate connected machines in the network. This technique is often used to locate the Domain Controller or Active Directory server, as these are usually the best targets for deploying ransomware or propagation.
The SCADAfence Platform detects the use of scanners and enumerators across the network as well as common uses of remote Active Directory commands and utilities.
LockBit can self-propagate via SMB connections using obtained credentials. In some attacks it self-propagates and is executed via Group Policy. PsExec or Cobalt Strike were used to move laterally within the network.
The SCADAfence Platform detects the use of PsExec and Cobalt Strike across the network.
Due to its broad usage, LockBit has been seen uploading stolen files via cloud storage tools like MEGA or FreeFileSync. In some attacks, the StealBit malware was used instead to exfiltrate stolen files.
The SCADAfence Platform offers the ability to add suspicious domains and IP addresses to its reputation system.
LockBit common techniques to infiltrate and infect systems (trendmicro)
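The host-side traces described in this section (Run key persistence, scheduled tasks, a Group Policy that disables Defender, PsExec, and the named tools) can be triaged from Windows and Sysmon events. The following is an added example, not SCADAfence or Trend Micro code; the event schema is simplified, the sample events are constructed, and the tool file names are assumed defaults.

```python
import ntpath

# Default file names of tools the article names (assumed; renamed copies will not match).
TOOL_IMAGES = {"mimikatz.exe": "credential access: Mimikatz",
               "adfind.exe": "discovery: AdFind",
               "processhacker.exe": "defense evasion: Process Hacker",
               "psexec.exe": "lateral movement: PsExec"}
RUN_KEY = r"\currentversion\run" + "\\"   # value written directly under a Run key
DEFENDER_POLICY = r"\policies\microsoft\windows defender\disableantispyware"

def classify(event):
    """Return a finding for one event, or None when nothing matches."""
    channel, eid = event.get("channel"), event.get("event_id")
    if channel == "Sysmon" and eid == 13:          # registry value set
        target = event.get("TargetObject", "").lower()
        if RUN_KEY in target:
            return "persistence: Run key value set"
        if target.endswith(DEFENDER_POLICY):
            return "defense evasion: Defender disabled by policy"
    elif channel == "Sysmon" and eid == 1:         # process creation
        image = ntpath.basename(event.get("Image", "")).lower()
        return TOOL_IMAGES.get(image)
    elif channel == "Security" and eid == 4698:    # scheduled task created
        return "execution: scheduled task created"
    elif channel == "System" and eid == 7045:      # new service installed
        if event.get("ServiceName", "").upper() == "PSEXESVC":
            return "lateral movement: PsExec service installed"
    return None

def triage(events):
    """Group findings per host so several stages on one machine stand out."""
    by_host = {}
    for ev in events:
        finding = classify(ev)
        if finding:
            by_host.setdefault(ev["host"], []).append(finding)
    return by_host

# Constructed sample events in a simplified schema (not real telemetry).
SAMPLE = [
    {"channel": "Sysmon", "event_id": 1, "host": "ENG-WS1", "Image": r"C:\Users\Public\AdFind.exe"},
    {"channel": "System", "event_id": 7045, "host": "HMI-01", "ServiceName": "PSEXESVC"},
    {"channel": "Security", "event_id": 4698, "host": "HMI-01", "TaskName": r"\Updater"},
    {"channel": "Sysmon", "event_id": 13, "host": "HMI-01", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"channel": "Sysmon", "event_id": 1, "host": "HMI-01", "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single finding such as a scheduled task is common in normal administration; several findings on one host, as on HMI-01 in the sample, are what warrant escalation.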
What is the Impact and Damage Caused by LockBit?
LockBit 2.0 is said to be the most impactful and widely deployed ransomware during the first quarter of 2022. The group claims it has demanded ransom from over 12,125 organizations, and that LockBit 2.0 has the fastest encryption routine. According to leak site data analysis done by Palo Alto Networks, it was the most impactful RaaS for five consecutive months, and accounted for 46% of all ransomware events for 2022 shared on leak sites.
The group has also impacted various victims across multiple industries. Its most highly targeted industries include professional services, construction, wholesale and retail, and manufacturing, with ransom demands ranging from tens of thousands to tens of millions of dollars. Such organizations include Accenture, the Italian tax agency, Yaskawa, Overseas Express and, lately, Entrust.
LockBit targets organizations opportunistically. Still, LockBit does seem to have victim limits. The group declared that they would not target organizations that “contribute to the survival of the human race”, such as healthcare facilities, social services, educational institutions, and charitable organizations. However, despite these claims, there have been instances of affiliates undermining these guidelines by targeting sectors such as healthcare and education.
From LockBit to LockBit 3.0, this ransomware gang proved that they are dynamic within the ransomware business. LockBit demonstrates consistent and versatile operations that adapt to current trends.
LockBit has been one of the most active groups in compromising organizations with an ICS/OT network in 2021, and in the first half of 2022. Many organizations have limited visibility into the infrastructure, fail to properly segment network perimeters, have many devices with an external connection, and share credentials between the IT and the OT environment, allowing ransomware attacks to become the number one threat in the industrial sector.
As stated above, we expect LockBit to continue its activity, if not increase it, in the coming months.
The best defense against LockBit, or any ransomware strain, is a comprehensive cyber security protection solution that can detect the use of the ProxyShell and Log4Shell vulnerabilities used for initial access, as well as command execution using CMD and the creation of scheduled tasks used to execute LockBit.
The SCADAfence Platform has all these capabilities. Moreover, the Platform detects the use of Mimikatz, PsExec, and Cobalt Strike, tools used by LockBit for credential access and lateral movement.
SCADAfence recommends taking the following measures to minimize the risk of exploitation:
- Limit Network Exposure – minimize network exposure for all of your control system devices and/or systems, and ensure they are not accessible from the Internet.
- Monitor Network Traffic - monitor access to the production segments. In your network monitoring tool, create logical groups of the affected devices and define traffic rules to alert on suspicious access to them.
- Monitor User Activity – if you’re a SCADAfence customer, you can use the SCADAfence Platform to monitor access to the affected devices and track all of your user activities using the User Activity View. RDP and SMB connections can be tracked in an attempt to discover LockBit activity.
- Connect to the SCADAfence Cloud – if you’re a customer, connect your SCADAfence Platform to the SCADAfence Cloud to get the latest security updates.
- Best Practices – SCADAfence recommends following these best practices:
  - Make sure secure offline backups of critical systems are available and up-to-date.
  - Apply the latest security patches on the assets in the network.
  - Use unique passwords and multi-factor authentication on authentication paths to OT assets.
  - Enable strong spam filters to prevent phishing emails from reaching end users.
  - Disable ports and protocols that are not essential.
  - Encrypt sensitive data when possible.
  - Educate staff about the risks and methods of ransomware attacks and how to avoid infection.
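The "Monitor Network Traffic" and "Monitor User Activity" measures above can be expressed as a traffic rule over flow records: alert on RDP or SMB into a logical group of production devices from an unapproved source, and on one host reaching many group members over SMB. This is an added example, not SCADAfence Platform code; the subnet, jump host, threshold and flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

OT_GROUP = [ipaddress.ip_network("10.20.0.0/24")]        # hypothetical production segment
ALLOWED_SOURCES = {ipaddress.ip_address("10.10.5.10")}   # hypothetical approved jump host
WATCHED_PORTS = {3389: "RDP", 445: "SMB"}
FANOUT_THRESHOLD = 3   # distinct OT hosts reached over SMB by one source (assumed value)

def in_ot(addr):
    """True when the address belongs to the logical group of OT devices."""
    return any(addr in net for net in OT_GROUP)

def review_flows(flows):
    """flows: iterable of (src, dst, dst_port). Returns a list of alert strings."""
    alerts = []
    smb_targets = defaultdict(set)
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if port not in WATCHED_PORTS or not in_ot(d):
            continue                      # only RDP/SMB towards the OT group matters here
        if port == 445:
            smb_targets[src].add(dst)     # track SMB spread, including OT-to-OT
        if not in_ot(s) and s not in ALLOWED_SOURCES:
            alerts.append(f"{WATCHED_PORTS[port]} into OT group from unapproved source {src} -> {dst}")
    for src, targets in sorted(smb_targets.items()):
        if len(targets) >= FANOUT_THRESHOLD:
            alerts.append(f"SMB fan-out: {src} reached {len(targets)} OT hosts")
    return alerts

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("10.10.5.10", "10.20.0.5", 3389),   # approved jump host, no alert
    ("10.10.7.44", "10.20.0.5", 3389),   # IT workstation straight into OT
    ("10.20.0.5", "10.20.0.11", 445),
    ("10.20.0.5", "10.20.0.12", 445),
    ("10.20.0.5", "10.20.0.13", 445),    # third SMB target from the same OT host
    ("10.10.7.44", "8.8.8.8", 443),      # unrelated traffic, ignored
]

if __name__ == "__main__":
    for alert in review_flows(SAMPLE_FLOWS):
        print(alert)
```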
For more information on keeping your ICS/OT systems protected from threats, or to see the SCADAfence platform in action, request a demo now.