Navigating the threat landscape of LockBit

Imagine a virtual phantom slipping through digital shadows, silently locking away data, and leaving a haunting message demanding a ransom. That is LockBit ransomware, the stealthy troublemaker in the world of cybersecurity. In this blog, let’s unpack the mysteries of LockBit: how it sneaks in and wreaks havoc and why businesses should be on high alert. 

What is LockBit?

The LockBit gang is a Ransomware as a Service (RaaS) group that encrypts files and demands a ransom for their release. Operating in the shadows, the LockBit gang remains elusive, utilizing a RaaS model and employing sophisticated techniques in high-profile cyberattacks targeting organizations worldwide. The group infiltrates systems through vulnerabilities, encrypts files, and leaves victims with a ransom note demanding cryptocurrency payments in exchange for file decryption. Known for its stealth and evolution, LockBit has been involved in various cybersecurity incidents.

The anatomy of a LockBit ransomware attack (LockBit 3.0)

1. Initial access

The first stage in a LockBit ransomware attack involves gaining initial access to a target system. LockBit 3.0 affiliates executing the ransomware secure entry into victims’ networks using various methods, including exploiting Remote Desktop Protocol (RDP), engaging in drive-by compromise, conducting phishing campaigns, abusing valid accounts, and taking advantage of vulnerabilities in public-facing applications. Notably, during the installation phase, LockBit 3.0 makes attempts to escalate privileges if the initially acquired ones prove insufficient.

2. Encryption

LockBit 3.0 infiltrates networks using preconfigured credentials or compromised local accounts. It spreads through Group Policy Objects and PsExec via the Server Message Block protocol. The ransomware encrypts data, excluding core system files. It then leaves a ransom note, alters the device’s appearance with LockBit 3.0 branding, and transmits the encrypted information to a command-and-control server. After completing its tasks, LockBit 3.0 may delete itself and remove Group Policy updates, depending on the compilation configuration.

3. Exfiltration

Exfiltration is a common technique employed by LockBit 3.0 affiliates, often via StealBit, a proprietary exfiltration tool inherited from LockBit 2.0. Additionally, they use rclone, an open-source cloud storage tool, along with accessible file sharing tools like MEGA. These tools enable affiliates to extract company data files before initiating the encryption process.

Variants of LockBit

LockBit 2.0

LockBit 2.0, an upgraded RaaS variant that surfaced in June 2021, succeeded LockBit and its predecessor ABCD ransomware, which was initially detected in September 2019. Through active recruitment on underground forums, LockBit 2.0 gained prominence in Q3 2021. Boasting the fastest encryption software among contemporaries, it continued operations when other RaaS programs disappeared in 2021.

LockBit 3.0

Also referred to as LockBit Black, this ransomware emerged in March 2022 when the LockBit gang announced its plan to release nonpaying victims’ data online in a user-friendly, searchable format. Targeting crucial data in the United States, the United Kingdom, and Germany, LockBit relies on weak passwords and the absence of MFA for admin account access. LockBit 3.0’s introduction of a bug bounty program signals technological advancement, encouraging hackers to identify its vulnerabilities.

LockBit commences its attacks by taking advantage of application vulnerabilities, attempting to guess RDP passwords, and employing phishing techniques. Attackers then carry out the execution of the ransomware, eradication of logs, and encryption of data on both local and remote devices through PowerShell Empire.

LockBit Green

LockBit Green is a recent addition to the array of LockBit ransomware variants. Unveiled on Jan. 27, 2023 through screenshots shared on social media by a research team named vx-underground, this variant seems to follow the typical pattern of targeting Windows environments with its ransomware capabilities.

LockBit for Mac

In April 2023, the LockBit ransomware gang marked a significant shift in its operations by developing encryptors specifically designed to target macOS for the first time. This discovery was made by cybersecurity researchers MalwareHunterTeam, who identified a ZIP archive on VirusTotal containing what seemed to be a collection of newly created LockBit encryptors.

A recent LockBit attack

In February 2023, The Guardian reported that Royal Mail rejected an $80 million ransom demand from hackers connected to Russia amid a ransomware cyberattack that began in January 2023. The LockBit gang infiltrated the company’s software, encrypted crucial files, and disrupted international shipments. Dark web transcripts attributed to LockBit revealed contentious negotiations where Royal Mail resisted increasingly aggressive demands. After two weeks, the hackers set the ransom at $80 million, asserting this was 0.5% of the company’s revenue, for file decryption.

Detecting LockBit with a SIEM solution

Detecting LockBit ransomware using a SIEM solution involves leveraging comprehensive log analysis and behavioral monitoring. Here’s how ManageEngine Log360 can be employed for effective detection:

1. Behavioral anomalies
   Log360 monitors for unusual behavioral patterns, instantly detecting deviations in file access attempts, system interactions, or network traffic that indicate LockBit ransomware activity.

2. User anomalies
   Log360’s UEBA identifies suspicious user behavior, such as privilege escalation or unusual data access attempts, aiding in the early detection of LockBit infiltration.

3. Endpoint monitoring
   The SIEM solution monitors endpoints for unusual processes or file modifications, providing real-time alerts on activities associated with LockBit ransomware.

4. Network traffic analysis
   The SIEM solution analyzes network traffic for patterns consistent with LockBit’s lateral movement, helping swiftly identify and contain the ransomware’s spread.

5. MITRE ATT&CK® mapping                                                                                   
   Log360 aligns its detection and response mechanisms with the MITRE ATT&CK framework to focus on techniques commonly associated with LockBit ransomware, like lateral movement.

6. File integrity monitoring
   The SIEM solution uses file integrity checks to detect unauthorized modifications signaling potential LockBit attacks, enabling prompt response and mitigation.

Essential security measures

1. Regularly back up critical data and ensure that backups are stored offline or in a secure, isolated environment.

2. Employ reputable antivirus, antimalware, and SIEM solutions to detect and block ransomware before it can execute.

3. Use email filtering solutions to identify and block suspicious emails.

4. Implement endpoint protection solutions to monitor and control devices connected to the network in order to detect and prevent malicious activities.

5. Segment the network to limit the spread of ransomware. Restrict lateral movement by separating critical systems from less sensitive ones.

6. Enforce MFA for access to sensitive systems and data to add an extra layer of security, making it harder for unauthorized users to gain access.

7. Participate in threat intelligence sharing to stay informed about the latest developments and the techniques used by LockBit and other ransomware variants.

8. Ensure compliance with the relevant laws regarding data protection and cybersecurity.