Ransomware Group

Lockbit

LockBit, also recognized as LockBit Black or Lockbit 3.0, is one of the largest Ransomware Groups in the world and has orchestrated extensive cyberattacks across various industries, impacting thousands of organizations globally with its relentless and adaptive strategies.

Is Your Organization Safe from Lockbit Ransomware Attacks?

The Origin of Lockbit

Since its inception in September 2019, LockBit has become notorious in the cybercrime world, leveraging its RaaS model and "StealBit" malware to aggressively target businesses and infrastructures.

Progressing through versions LockBit Red to 3.0, each iteration introduced sophisticated features challenging for security analysis. In 2023, LockBit Green emerged, merging features from the defunct Conti ransomware, illustrating the adaptability within cybercrime circles.

However, February 2024's Operation Cronos disrupted LockBit's operations, eroding its credibility and revealing the international efforts to combat ransomware. Despite law enforcement seizing control of Lockbit sites, further attacks were reported, indicating the group's persistence.

Cartography: OCD

Targets

Lockbit's Targets

Countries targeted by Lockbit

Despite Lockbit's assertions of political neutrality, a substantial number of its victims seem to be from NATO member states and their allies.

Approximately 50% of the assaults involving the LockBit 3.0 strain have impacted businesses in the United States. Hackers using Lockbit received more than $91 million in ransom payments from U.S. victims.

Brazil and India are also highly targeted.

Source: SOCRadar

Industries Targeted by Lockbit

Manufacturing is frequently attacked by LockBit, yet no single industry is consistently singled out, underscoring the group's indiscriminate targeting.

While typically preying on small to medium-sized businesses, even large firms like IT giant Accenture are not immune to LockBit's reach.

Source: SOCRadar

Industries Targeted by Lockbit

Manufacturing is frequently attacked by LockBit, yet no single industry is consistently singled out, underscoring the group's indiscriminate targeting.

While typically preying on small to medium-sized businesses, even large firms like IT giant Accenture are not immune to LockBit's reach.

Source: SOCRadar

Lockbit's Victims

To date, more than 1661 victims have fallen prey to Lockbit’s malicious operations.

Source: Ransomware.live

Demo

See How Vectra AI Detects a Ransomware Attack

TTPs & Tools

Lockbit’s Attack Method

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.

LockBit 3.0 participants access networks by:

  • compromising existing account credentials
  • utilizing RDP breaches
  • exploiting vulnerabilities in public-facing systems
  • navigating to malicious websites during normal browsing
  • conducting phishing attacks
A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.

LockBit 3.0 seeks to gain higher access levels when current permissions are inadequate and uses auto login features to elevate privileges.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.

LockBit 3.0 conceals its activity by encrypting communications to control servers and self-deleting after execution, and will proceed with decryption only when the correct password is supplied.

To remain embedded within a network, LockBit 3.0 manipulates compromised user accounts and configures systems for automatic login.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.

LockBit 3.0 utilizes ProDump from Microsoft Sysinternals to extract process memory contents from LSASS.exe.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.

LockBit 3.0 scans networks using SoftPerfect Network Scanner, gathers detailed system and domain data, and avoids infecting systems with specific language settings.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.

For internal network penetration, LockBit 3.0 leverages Splashtop remote-desktop software.

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.
A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.

LockBit 3.0 sets up command and control using FileZilla and automates secure shell interactions via Plink on Windows systems. During its operation, LockBit 3.0 executes commands and employs Chocolatey, a Windows package manager, for software management.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.

LockBit 3.0 employs its bespoke tool Stealbit and popular cloud services to siphon data from networks.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.

LockBit 3.0 disrupts operations by erasing logs, clearing the recycle bin, encrypting data, halting processes and services, deleting shadow copies, and altering the infected system's appearance with its own imagery.

A shadowy figure casting a wide net over a digital landscape filled with various devices such as computers, smartphones, and tablets. The net symbolizes the attacker's attempts to find vulnerabilities or use phishing techniques to gain unauthorized access.
Initial Access

LockBit 3.0 participants access networks by:

  • compromising existing account credentials
  • utilizing RDP breaches
  • exploiting vulnerabilities in public-facing systems
  • navigating to malicious websites during normal browsing
  • conducting phishing attacks
A digital ladder extending upwards from a basic user icon towards a crown symbolizing administrative privileges. This represents the attacker's efforts to gain higher-level access within the system.
Privilege Escalation

LockBit 3.0 seeks to gain higher access levels when current permissions are inadequate and uses auto login features to elevate privileges.

A chameleon blending into a digital background, with zeroes and ones flowing around it. This represents the attacker's ability to avoid detection by security measures, changing tactics to blend in with normal network traffic.
Defense Evasion

LockBit 3.0 conceals its activity by encrypting communications to control servers and self-deleting after execution, and will proceed with decryption only when the correct password is supplied.

To remain embedded within a network, LockBit 3.0 manipulates compromised user accounts and configures systems for automatic login.

A thief with a lockpick toolkit working on a giant keyhole shaped like a login form, representing the attacker's efforts to steal user credentials to gain unauthorized access.
Credential Access

LockBit 3.0 utilizes ProDump from Microsoft Sysinternals to extract process memory contents from LSASS.exe.

A magnifying glass moving over a digital map of a network, highlighting files, folders, and network connections. This image represents the phase where attackers explore the environment to understand the structure and where valuable data resides.
Discovery

LockBit 3.0 scans networks using SoftPerfect Network Scanner, gathers detailed system and domain data, and avoids infecting systems with specific language settings.

A series of interconnected nodes with a shadowy figure moving stealthily between them. This illustrates the attacker's movements within the network, seeking to gain control of additional systems or spread malware.
Lateral Movement

For internal network penetration, LockBit 3.0 leverages Splashtop remote-desktop software.

A large vacuum sucking up files, data icons, and folders into a bag held by a shadowy figure. This image symbolizes the process of gathering valuable data from the target network.
Collection
A command prompt window open in front of a digital background, with malicious code being typed out. This represents the phase where attackers execute their malicious payload within the compromised system.
Execution

LockBit 3.0 sets up command and control using FileZilla and automates secure shell interactions via Plink on Windows systems. During its operation, LockBit 3.0 executes commands and employs Chocolatey, a Windows package manager, for software management.

A series of files being funneled through a covert channel out of a computer to a cloud labeled with a skull, symbolizing the unauthorized transfer of data to a location controlled by the attacker.
Exfiltration

LockBit 3.0 employs its bespoke tool Stealbit and popular cloud services to siphon data from networks.

A cracked screen with a digital cityscape in chaos behind it, symbolizing the destructive impact of the cyberattack, such as service disruption, data destruction, or financial loss.
Impact

LockBit 3.0 disrupts operations by erasing logs, clearing the recycle bin, encrypting data, halting processes and services, deleting shadow copies, and altering the infected system's appearance with its own imagery.

MITRE ATT&CK Mapping

TTPs used by Lockbit

LockBit employs TTPs (Tactics, Techniques, and Procedures) that are more modular and evasive than its predecessors, reflecting shared characteristics with the BlackMatter and BlackCat ransomware families.

TA0001: Initial Access
T1566
Phishing
T1190
Exploit Public-Facing Application
T1189
Drive-by Compromise
T1133
External Remote Services
T1078
Valid Accounts
TA0002: Execution
No items found.
TA0003: Persistence
T1547
Boot or Logon Autostart Execution
T1546
Event Triggered Execution
T1078
Valid Accounts
TA0004: Privilege Escalation
T1547
Boot or Logon Autostart Execution
T1546
Event Triggered Execution
T1078
Valid Accounts
TA0005: Defense Evasion
T1480
Execution Guardrails
T1027
Obfuscated Files or Information
T1070
Indicator Removal
T1078
Valid Accounts
TA0006: Credential Access
T1003
OS Credential Dumping
TA0007: Discovery
T1614
System Location Discovery
T1082
System Information Discovery
T1046
Network Service Discovery
TA0008: Lateral Movement
T1072
Software Deployment Tools
TA0009: Collection
No items found.
TA0011: Command and Control
No items found.
TA0010: Exfiltration
No items found.
TA0040: Impact
T1486
Data Encrypted for Impact
Platform Detections

How to Detect Lockbit with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.

FAQs

What is LockBit ransomware?

LockBit is a Ransomware-as-a-Service (RaaS) that encrypts an organization's data and demands a ransom for the decryption key. It's known for its stealth, speed, and the use of a double extortion scheme.

How does LockBit gain initial access to networks?

LockBit often gains initial access through various means, including exploiting remote desktop protocols (RDP), phishing, spear-phishing, and using credentials from previously breached accounts.

What makes LockBit 3.0 different from its previous versions?

LockBit 3.0 is more modular and evasive, with improved encryption and the ability to customize the attack payload. It has incorporated features from other ransomware like BlackMatter and BlackCat.

Has LockBit been involved in any significant cyber incidents?

Yes, LockBit has been responsible for numerous attacks on businesses globally, including high-profile incidents involving large multinational corporations.

What sectors does LockBit typically target?

LockBit does not target a specific sector. It has been known to target a wide range of industries, including healthcare, education, and manufacturing.

How does LockBit handle the ransom process?

LockBit typically leaves a ransom note with payment instructions within the compromised system. Payment is usually demanded in cryptocurrency, and negotiations are sometimes conducted on the dark web.

What defensive measures can be effective against LockBit?

Regularly updating and patching systems, implementing robust access controls, conducting frequent security awareness training, using advanced threat detection tools, and maintaining offline backups are critical defenses.

Are there decryption tools available for LockBit encrypted files?

If you have been impacted by LockBit, the National Crime Agency (NCA) has acquired 1,000 decryption keys from LockBit's site that can assist in decrypting stolen data.

What is the best course of action if my network is compromised by LockBit?

Isolate the affected systems, initiate an incident response plan, and contact law enforcement and cybersecurity professionals. Avoid paying the ransom, as it does not guarantee data recovery and may fund further criminal activity.

What is known about the operators behind LockBit?

The operators are believed to be a part of a sophisticated cybercriminal group that operates with a RaaS model, recruiting affiliates to spread the ransomware while remaining hidden and maintaining anonymity.