Ransomware Spotlight Report 2023 is live!

All about LockBit Ransomware

Posted on Sep 28, 2022 | Updated on September 29, 2022 | By Supriya Aluri

APT Groups IoCs Nexpose Ransomware Cyberwar CISA KEVs

LockBit Ransomware, one of the few ransomware groups employing self-spreading malware technology and double encryption. After its recent attacks on the Italian Revenue Agency and digital security giant, Entrust, LockBit has only gained momentum, as they hunt for their next victim. Read on to learn how to protect your network from LockBit attacks. 

 

One of the most prolific ransomware groups in recent times, LockBit ransomware began its spree of attacks as recently as September 2019. The group is financially motivated and does not shy away from going after bigger, high-profile enterprises and companies. 

 

LockBit is known for many of its unique characteristics - sophisticated technology, triple-extortion method, heavy marketing to affiliates, and high-severity cyber attacks. LockBit’s attack presence is seen globally, with intermediate breaks during which their ransomware technology has received superior upgrades. Their recent attack strategy and frequency makes LockBit a formidable predator in the cyber realm and a determined adversary.

In this blog:

 

LockBit - A Cheat Sheet

LockBit is available as a Ransomware-as-a-Service (RaaS), working with affiliates who carry out attacks-for-hire and split the funds between the LockBit developer team and the affiliates.

 

CVEs

  • The following CVEs are exploited by the LockBit ransomware gang:

CVE-2018-13379 [WebApp Exploit]

  • CVE-2018-13379 is a vulnerability in FortiOS which is caused by path traversal error. Several Advanced Persistent Threat Groups (APT groups) have used this vulnerability to deploy the following ransomware: Pay2Key, Conti, LockBit, Apostle, Cring.

  • There are 5 known exploits for CVE-2018-13379 that can be used to exploit web applications. Since it is an old CVE, more functional exploits are likely to be developed, allowing attackers to wage powerful attacks.

 

CVE-2021-22986 [RCE/PE, WebApp Exploit]

  • CVE-2021-22986 is a critical unauthenticated remote command execution vulnerability in F5’s BIG-IP. 

  • It is rated critical with a CVSS v3 severity score of 9.8. 

  • It is an RCE, PE, and WebApp vulnerability with three known exploits making it very dangerous.,mikm-’--[op0-[ ̣/

  • TA505, the Russian threat actor group, also known as Hive0065, has been using the LockBit ransomware payload in its attacks.    

 

CVE-2021-36942 

  • CVE-2021-36942 is a medium severity Microsoft Windows Server vulnerability.

  • It has a CVSS V3 severity score of 5.30.

  • This vulnerability is exploited by both the LockBit ransomware group and LockFile group.

 

CVE-2020-0787 [RCE, PE, WebApp]

  • This is a Windows Background Intelligent Transfer Service (BITS) vulnerability.

  • It is given a CVSS rating of 7.80 making it a high-severity vulnerability. 

  • It is classified as a RCE, PE, and WebApp exploit with Conti and LockBit ransomware groups using it to gain initial access.

 

CVE-2022-36537

  • CVE-2022-36537 is a critical remote code execution (RCE) vulnerability that affects the Java framework “ZK” Ajax web application framework.

  • There are more than 5,000 exposed server manager backup instances affected by this vulnerability and could potentially expose companies to supply chain risks.

 

CVE-2021-20028

  • CVE-2021-20028 is a critical vulnerability affecting SonicWall products. 

  • It is caused by CWE-89 which is Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').
  • It is given a CVSS rating of 9.80.

 

CVE-2021-34473 [RCE, PE, WebApp, Other]

  • This is a Microsoft Exchange Server remote code execution vulnerability.

  • It is exploited by ChamelGang, TR, Bronze Starlight, Tropical Scorpius, DEV-0270, OilRig, LookBack APT groups.

  • 12 ransomware groups also exploit this vulnerability.

 

CVE-2021-34523  [RCE, PE, WebApp, Other]

  • CVE-2021-34523 affects 5 Microsoft Exchange products.

  • It is a critical-severity vulnerability with 9.8 CVSS rating.

  • The vulnerability is exploited by Conti, LockBit 2.0, Hive, BianLian, AvosLocker, BlackCat, LockFile, Cuba, Karma, LV, BlackByte, Babuk ransomware groups.

 

CVE-2021-31207  [RCE, PE, WebApp, Other]

  • CVE-2021-31207 is Microsoft Exchange Server security feature bypass vulnerability.

  • It is also a part of the ProxyShell vulnerabilities (CVE-2021-34523, CVE-2021-34473, and CVE-2021-31207).

  • It is currently exploited by the Hive Ransomware group.

  • CISA alerted organizations of this vulnerability in the #StopRansomware campaign.

 

 

Recent Attacks

Let us look at some of the recent attacks staged by this prolific group.

  • Whitworth University: A private university in Washington suffered a LockBit ransomware attack in July 2022, and all its operations were halted for over two weeks. The group claimed to have stolen 715 GB of Whitworth data relating to accounting, marketing, infrastructure, documents, etc.

  • Italian Revenue Agency: The largest cyber attack was perpetrated on the Italian Revenue Agency by the LockBit gang in July 2022. In this attack, 78 GB worth of data was stolen from the agency’s servers. There are on-going talks between the Revenue Agency and LockBit gang regarding ransom payments.

  • Entrust: Security giant Entrust’s network was breached in June 2022 wherein sensitive data was stolen by the LockBit ransomware gang. In an interesting twist, Entrust deployed Denial-of-Service malware on LockBit’s servers preventing them from releasing the stolen data. 

  • Library lending app, Onleihe: The online library faced operational dysfunction after the service provider EKZ was under cyber attack in March 2022. Several affiliated websites, statistics page and the catalog data, and ID-Delivery were impacted in the attack. There is no credible information on what data was stolen in the attack.

  • Accenture: LockBit attacked Accenture in August 2021 and demanded $50M as ransom. During this attack some proprietary information was stolen and released on LockBit’s leak site. For detailed analysis of the attack, check out our blog on how the Accenture attack unfolded.

 

New Variants

LockBit started out as an ABCD crypto virus in 2019. LockBit’s primary targets were private enterprises and government organizations in the United States, China, India, Indonesia, Ukraine, and Europe with crypto as the form of demanded ransom. In 2019 and 2020, Windows systems in healthcare and financial institutions bore the brunt of LockBit attacks. The Ransomware group took a brief hiatus to work on their malware kit and to improve their operations. Thus far, two other LockBit versions have been released with attack methodologies superior to the preceding ones. 

 

LockBit version 2.0

LockBit version 2.0 was released in June 2021 and was used for attacks in Chile, Taiwan, and the UK. In this version, LockBit introduced the double extortion technique and automatic encryption of devices across Windows domains. In October 2021, LockBit began infiltrating Linux servers as well, targeting ESXi servers. 

 

LockBit version 3.0, also known as, LockBit Black

In June 2022, LockBit released yet another upgraded version of the ransomware with a bug bounty program, Zcash payments, and new extortion tactics. The new version derives from other ransomware such as BlackMatter and DarkSide and has anti-analysis techniques to evade detection, passwordless execution, and in-built command-line argument feature. 

 

A desktop wallpaper applied by LockBit 3.0 on a victim’s system

 

This new version of the ransomware was used in the attacks on the Italian Revenue Agency and a county office in Ontario, Canada. In this version, LockBit has included Denial-of-Service attacks as a method to extort from victims in addition to encryption and data leaks.

 

In September 2022, an allegedly disgruntled developer leaked the builder for LockBit 3.0’s encryptor on Twitter. The developer was reportedly unhappy with the group’s leadership and leaked the private data. This is a blow to the ransomware group as the builder data allows anyone to start their own ransomware kit with an encryptor, decryptor, and specialized tools to launch the decryptor in certain ways. 

Update:

Based on the leaked builder, Bl00dy ransomware gang has developed encryptors and has been using them in an attack on an Ukrainian entity in September 2022. 

 

How Dangerous is LockBit Ransomware

Being one of the most active ransomware groups today, LockBit has a variety of tactics and technologies to attack the biggest agencies in any industry. Here are some tools, techniques and procedures that make LockBit a dangerous adversary:

 

  • The threat gang introduced StealBit, a malware tool used for encryption in the LockBit 2.0 version. It is believed to be the fastest and most efficient encryption tool. In the latest version, its encryption techniques have been sharpened. 

  • StealBit spreads to other devices in the network automatically, using tools like Windows Powershell and Server Message Block (SMB), which makes it difficult to confine immediately. 

  • LockBit attacks both Windows and Linux systems with their malware. Initially, they had targeted only Windows systems, but LockBit 2.0 was improvised to attack Linux systems as well.

  • Their evasion tactics are well strategized, making it hard to get flagged by the system defenses.

  • LockBit conducts bug bounty programs to improve their defenses and establish that they are professional hackers. Anyone who finds a flaw in their malware kit is rewarded generously.

  • This ransomware group actively markets to affiliates to join them and carry out attacks. These marketing activities have garnered quite the attention and work well for the group in getting highly-skilled threat actors. 

  • LockBit 3.0 introduced ZCash payment options for collecting ransom from victims, as well as for paying their affiliates, with less disruption from law enforcement.

  • LockBit is known for its double extortion technique wherein they steal data and also encrypt the system data making it harder for victims to recover it. 

  • In August 2022, LockBit announced that it would use triple-extortion on its victims via data leaks, encryption, and DDoS attacks.

  • LockBit 3.0 also checks the victim’s UI language before carrying out an attack. They avoid infecting systems with the following languages:

    • Arabic (Syria)

    • Armenian (Armenia)

    • Azerbaijani (Cyrillic Azerbaijan)

    • Azerbaijani (Latin Azerbaijan)

    • Belarusian (Belarus)

    • Georgian (Georgia)

    • Kazakh (Kazakhstan)

    • Kyrgyz (Kyrgyzstan)

    • Romanian (Moldova)

    • Russian (Moldova)

    • Russian (Russia)

    • Tajik (Cyrillic Tajikistan)

    • Turkmen (Turkmenistan)

    • Tatar (Russia)

    • Ukrainian (Ukraine)

    • Uzbek (Cyrillic Uzbekistan)

    • Uzbek (Latin Uzbekistan)

  • A notable tactic of the third version of LockBit includes a file deletion technique, where instead of using cmd.exe to execute a batch file to perform the deletion, the group drops and executes a .tmp file decrypted from the binary.

 

How does LockBit Ransomware Attack

LockBit has undergone three version-revisions and the latest version uses some sophisticated attack techniques. Let us take a look:

LockBit 2.0 Attack Methodology

 

LockBit Ransomware MITRE ATT&CK Techniques and Sub-techniques

How to Detect LockBit Ransomware in your Environment

We provide a list of Indicators of Compromise(IoCs) that you can use to check your environment for the presence of any LockBit ransomware samples:


 

How Do Organizations Prevent a LockBit Attack
 

  1. Patch CVEs

More often than not, attackers infiltrate networks and gain access to systems via known, unpatched vulnerabilities. Follow advisories from your vendors and the CISA KEV advisories to patch all CVEs at the earliest. To stay ahead of attackers, follow advisories pertaining to CVEs critical to your organization.

 

  1. Set strong passwords

Hackers can break into critical systems that do not implement complex passwords. It is essential that everyone accessing the network enables strong passwords and multi-factor authentication (MFA) to secure their logins.

 

  1. Remove unnecessary permissions

Increase the amount of restrictions on permissions to prevent potential dangers from being ignored. Pay specific attention to those accessible by IT accounts with admin-level permissions and endpoint users.

 

  1. Be vigilant while handling links

Social engineering techniques such as phishing emails are one of the most common methods incorporated by ransomware groups to gain access for malware distribution. Clicking unknown links is always ill-advised.

 

  1. Keep tabs on your attack surface

Employ a solution that can scan your entire attack surface for weaknesses. Know and keep tabs on known and unknown devices connected to your broader network.

 

Organizations can keep attackers at bay by staying vigilant and ensuring that the above steps are strictly followed. A good way to do this is to employ an automated system that regularly scans for vulnerabilities and loopholes, and alerts the Chief Information Security Officers. 

 

Are you unsure of how to check for ransomware vulnerabilities in your network? Afraid that attackers might find a way into your network? Talk to our panel of experts at Securin who will help you identify weak-points and vulnerabilities in your attack surface and remediate them on priority. 

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!

csw

Secure your environment from cyber-attacks!

Know How

incognito