Lockbit

LockBit, also known as LockBit Black or LockBit 3.0, is one of the largest ransomware groups in the world. It has orchestrated extensive cyberattacks across many industries, impacting thousands of organizations globally with relentless and adaptive tactics.

The Origin of Lockbit

Since its inception in September 2019, LockBit has become notorious in the cybercrime world, leveraging its Ransomware-as-a-Service (RaaS) model and its "StealBit" exfiltration tool to aggressively target businesses and infrastructure.

Progressing through versions from LockBit Red to LockBit 3.0, each iteration introduced new features that made the malware harder for security analysts to dissect. In 2023, LockBit Green emerged, incorporating features from the defunct Conti ransomware and illustrating how readily code and tooling circulate within cybercrime circles.

However, Operation Cronos in February 2024 disrupted LockBit's operations, eroded its credibility, and demonstrated the international effort to combat ransomware. Despite law enforcement seizing control of LockBit's sites, further attacks were reported afterwards, indicating the group's persistence.

Cartography: OCD

Targets

Lockbit's Targets

Countries targeted by Lockbit

Despite Lockbit's assertions of political neutrality, a substantial number of its victims seem to be from NATO member states and their allies.

Approximately 50% of the attacks involving the LockBit 3.0 strain have impacted businesses in the United States. Hackers using LockBit received more than $91 million in ransom payments from U.S. victims.

Brazil and India are also highly targeted.

Source: SOCRadar

Industries Targeted by Lockbit

Manufacturing is frequently attacked by LockBit, yet no single industry is consistently singled out, underscoring the group's indiscriminate targeting.

While typically preying on small to medium-sized businesses, even large firms like IT giant Accenture are not immune to LockBit's reach.

Source: SOCRadar

Lockbit's Victims

To date, more than 1661 victims have fallen prey to Lockbit’s malicious operations.

Source: Ransomware.live

Attack Method

Lockbit’s Attack Method

Initial Access

LockBit 3.0 affiliates gain access to networks by:

  • compromising existing account credentials
  • abusing exposed or compromised RDP (Remote Desktop Protocol) access
  • exploiting vulnerabilities in public-facing systems
  • drive-by compromise of users visiting malicious websites during normal browsing
  • conducting phishing attacks

Privilege Escalation

LockBit 3.0 seeks higher access levels when its current permissions are inadequate, and abuses automatic logon settings to elevate privileges.

Defense Evasion

LockBit 3.0 conceals its activity by encrypting communications with its control servers and deleting itself after execution. The payload is password-protected: it decrypts and runs only when launched with the correct password.

To remain embedded within a network, LockBit 3.0 manipulates compromised user accounts and configures systems for automatic logon.

Credential Access

LockBit 3.0 uses ProcDump from Microsoft Sysinternals to dump the memory of the LSASS process (lsass.exe), from which credentials can be extracted.

Discovery

LockBit 3.0 scans networks with SoftPerfect Network Scanner, gathers detailed system and domain information, and declines to run on systems whose language settings match its exclusion list.

Lateral Movement

For movement within the network, LockBit 3.0 uses Splashtop remote-desktop software.

Execution

LockBit 3.0 sets up command and control using FileZilla and automates secure shell sessions via Plink on Windows systems. During its operation it executes commands and uses Chocolatey, a Windows package manager, to install tooling.

Exfiltration

LockBit 3.0 uses its bespoke tool StealBit together with popular cloud services to exfiltrate data from networks.

Impact

LockBit 3.0 disrupts operations by clearing logs, emptying the recycle bin, encrypting data, stopping processes and services, deleting volume shadow copies, and changing the infected system's wallpaper and file icons to its own imagery.
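Detection logic for the chain above, as an added example that is not part of the original page or the Vectra AI platform: it runs over constructed Sysmon-style process-creation records and flags the tools and actions this page attributes to LockBit 3.0, labelled with the attack phase and, where the page's ATT&CK mapping lists one, the technique ID. Field names (Image, CommandLine, Computer) follow Sysmon Event ID 1; the executable names assumed for SoftPerfect Network Scanner and Splashtop are marked as assumptions in the code.

```python
"""Process-creation detection rules for the LockBit 3.0 chain above (added example)."""
import re

# (phase, ATT&CK technique from this page's mapping or None, image regex, command-line regex)
RULES = [
    ("Credential Access", "T1003", r"procdump(64)?\.exe$", r"lsass"),
    ("Defense Evasion",   "T1070", r"wevtutil\.exe$",      r"(^|\s)cl(\s|$)"),
    ("Impact",            "T1486", r"vssadmin\.exe$",      r"delete\s+shadows"),
    ("Discovery",         "T1046", r"netscan(64)?\.exe$",  r""),  # assumed binary name
    ("Lateral Movement",  "T1072", r"splashtop\w*\.exe$",  r""),  # assumed binary name
    ("Execution",         None,    r"plink\.exe$",         r"-ssh|-pw"),
    ("Execution",         None,    r"choco\.exe$",         r"install"),
]

def match_event(event):
    """Return (phase, technique) for every rule this process-creation event satisfies."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return [(phase, tech) for phase, tech, img_re, cmd_re in RULES
            if re.search(img_re, image) and re.search(cmd_re, cmdline)]

def scan(events):
    """Scan events in order and return one finding per matched rule."""
    findings = []
    for idx, event in enumerate(events):
        for phase, tech in match_event(event):
            findings.append({"index": idx, "host": event.get("Computer", "?"),
                             "phase": phase, "technique": tech, "image": event["Image"]})
    return findings

# Constructed sample records modelled on Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                       # benign
    {"Computer": "ws01", "Image": r"C:\tools\procdump64.exe",
     "CommandLine": "procdump64.exe -ma lsass.exe lsass.dmp"},        # credential access
    {"Computer": "fs02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},       # pre-encryption impact
    {"Computer": "fs02", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},                      # log clearing
    {"Computer": "ws01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Security /c:5"},                 # benign query, must not fire
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['phase']} ({f['technique'] or 'no technique listed'}) via {f['image']}")
```

Rules keyed on image name plus command line keep benign administrative use of the same binaries (such as querying rather than clearing an event log) from firing.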

MITRE ATT&CK Mapping

TTPs used by Lockbit

LockBit employs TTPs (Tactics, Techniques, and Procedures) that are more modular and evasive than its predecessors, reflecting shared characteristics with the BlackMatter and BlackCat ransomware families.

TA0001: Initial Access
  T1566  Phishing
  T1190  Exploit Public-Facing Application
  T1189  Drive-by Compromise
  T1133  External Remote Services
  T1078  Valid Accounts

TA0002: Execution
  (no techniques listed)

TA0003: Persistence
  T1547  Boot or Logon Autostart Execution
  T1546  Event Triggered Execution
  T1078  Valid Accounts

TA0004: Privilege Escalation
  T1547  Boot or Logon Autostart Execution
  T1546  Event Triggered Execution
  T1078  Valid Accounts

TA0005: Defense Evasion
  T1480  Execution Guardrails
  T1027  Obfuscated Files or Information
  T1070  Indicator Removal
  T1078  Valid Accounts

TA0006: Credential Access
  T1003  OS Credential Dumping

TA0007: Discovery
  T1614  System Location Discovery
  T1082  System Information Discovery
  T1046  Network Service Discovery

TA0008: Lateral Movement
  T1072  Software Deployment Tools

TA0009: Collection
  (no techniques listed)

TA0011: Command and Control
  (no techniques listed)

TA0010: Exfiltration
  (no techniques listed)

TA0040: Impact
  T1486  Data Encrypted for Impact

Platform Detections

How to Detect Lockbit with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.

FAQs

What is LockBit ransomware?

LockBit is a Ransomware-as-a-Service (RaaS) that encrypts an organization's data and demands a ransom for the decryption key. It's known for its stealth, speed, and the use of a double extortion scheme.

How does LockBit gain initial access to networks?

LockBit often gains initial access through various means, including exploiting exposed Remote Desktop Protocol (RDP) services, phishing and spear-phishing, and using credentials from previously breached accounts.

What makes LockBit 3.0 different from its previous versions?

LockBit 3.0 is more modular and evasive, with improved encryption and the ability to customize the attack payload. It has incorporated features from other ransomware like BlackMatter and BlackCat.

Has LockBit been involved in any significant cyber incidents?

Yes, LockBit has been responsible for numerous attacks on businesses globally, including high-profile incidents involving large multinational corporations.

What sectors does LockBit typically target?

LockBit does not target a specific sector. It has been known to target a wide range of industries, including healthcare, education, and manufacturing.

How does LockBit handle the ransom process?

LockBit typically leaves a ransom note with payment instructions within the compromised system. Payment is usually demanded in cryptocurrency, and negotiations are sometimes conducted on the dark web.

What defensive measures can be effective against LockBit?

Regularly updating and patching systems, implementing robust access controls, conducting frequent security awareness training, using advanced threat detection tools, and maintaining offline backups are critical defenses.

Are there decryption tools available for LockBit encrypted files?

If you have been impacted by LockBit, the National Crime Agency (NCA) has acquired 1,000 decryption keys from LockBit's site that can assist in decrypting files encrypted by the ransomware.

What is the best course of action if my network is compromised by LockBit?

Isolate the affected systems, initiate an incident response plan, and contact law enforcement and cybersecurity professionals. Avoid paying the ransom, as it does not guarantee data recovery and may fund further criminal activity.

What is known about the operators behind LockBit?

The operators are believed to be a part of a sophisticated cybercriminal group that operates with a RaaS model, recruiting affiliates to spread the ransomware while remaining hidden and maintaining anonymity.