Understanding LockBit Ransomware

LockBit ransomware is a significant threat with a history dating back to September 2019 when it first emerged as “ABCD Ransomware” before adopting the name “LockBit.” Since then, it has evolved with various versions and tactics. Here’s a summary of its evolution:

• September 2019: LockBit’s journey begins as “ABCD Ransomware,” later rebranded as “LockBit.”
• June 2021: LockBit 2.0 emerges, introducing the dual-extortion strategy and automatic encryption across Windows domains.
• October 2021: LockBit starts targeting Linux servers, especially ESXi servers, and introduces “StealBit” for encryption.
• June 2022: LockBit 3.0, also known as LockBit Black, appears, featuring a ransomware bug bounty program, new extortion tactics, and payment options using Zcash cryptocurrency. Its code shares similarities with BlackMatter and DarkSide ransomware.
• September 2022: A disgruntled developer leaks LockBit 3.0’s encryptor builder, enabling others to create ransomware kits. This leads to attacks by groups like Bl00dy.
• January 2023: LockBit Green emerges, based on the leaked source code of Conti ransomware.
• April 2023: Reports surface of LockBit ransomware targeting macOS, marking a significant expansion.

LockBit 2.0 Attack Strategy

LockBit 2.0 attacks are infamous for employing a dual-extortion strategy, intended to pressure victims into making two payments as quickly as possible. The urgency stems from the fact that LockBit not only encrypts the data locally, but also infiltrates it to the malware operators even before the ransom demand is issued.

The first payment is required to regain control over the encrypted files, while the second aims to prevent the public exposure of the stolen data. In cases where LockBit operates as a Ransomware-as-a-Service (RaaS), a crucial figure known as the Initial Access Broker (IAB) comes into play. The IAB’s role involves deploying initial-stage malware or gaining unauthorised access to an organisation’s infrastructure. This access is then monetised by selling it to the primary LockBit operator, who proceeds with the second-stage exploitation.

For uncooperative victims or those who refuse to meet ransom demands, LockBit’s menacing response is to publish the victim’s data on its ominous “Leaked Data” site, which resides on the dark web at hxxp[:]//lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion.

LockBit 3.0 Attack Techniques

LockBit 3.0 epitomises a new era of ransomware, blending data destruction, encryption, defacement, and system disruption for maximum impact. Its versatility in targeting various devices and employing advanced techniques elevates it as a significant cybersecurity threat. Now, let’s delve into LockBit 3.0’s key techniques:

1. Data Destruction: LockBit 3.0 excels in erasing digital footprints efficiently. It employs the Data Destruction technique, wiping log files and emptying the recycle bin. This not only conceals its tracks but also hinders victim traceability.
2. Data Encryption for Impact: LockBit 3.0’s core mission is to disrupt system and network resources. Using the Data Encryption for Impact technique, it encrypts data on target systems. This ruthless encryption renders data inaccessible and paralyses operations, profoundly affecting victims. LockBit affiliates adeptly encrypt various devices, including Windows and Linux systems, as well as VMware instances.
3. Internal Defacement: LockBit 3.0 goes beyond destruction and encryption. It executes internal defacement through the Internal Defacement technique, altering the host system’s wallpaper and icons with its branding. This not only insults the victim but also serves as a chilling reminder of the breach.
4. Inhibition of System Recovery: Victims often rely on system recovery to restore operations during an attack. LockBit 3.0 is well-prepared to counter these efforts, using the Inhibition of System Recovery technique to delete volume shadow copies on the disk. By eliminating recovery points, it cuts off victims’ escape routes, making recovery an arduous task.
5. Service Termination: LockBit 3.0’s ruthless assault extends to terminating critical processes and services with the Service Termination technique. This strategic move disrupts system functionality, intensifying the chaos and compounding the attack’s impact.

LockBit Ransomware Target

LockBit primarily targets Windows computers, although newer versions have been modified to attack specific types of computer setups using Linux. These setups are commonly found in large data centres, such as VMWare ESXi virtual machines.

LockBit often focuses on medium-sized organisations. This preference may be due to their use of a method called Ransomware-as-a-Service (RaaS). This means that someone within the organisation can act as an intermediary, set their own ransom price, and collect the ransom directly.

LockBit Expands to macOS

The LockBit ransomware group has introduced encryptors specifically designed for Mac computers, signifying a significant development. This move positions LockBit as potentially the first prominent ransomware operation to target macOS exclusively in 2023.

The existence of these new ransomware encryptors came to light when cybersecurity researcher MalwareHunterTeam discovered a ZIP archive on VirusTotal. This archive contained what appears to be a collection of LockBit encryptors, including newly adapted versions for macOS.

While some samples, like the macOS variant, require additional configuration and lack proper signatures, it’s evident that LockBit is actively experimenting with its ransomware across various platforms. This suggests an imminent expansion of their attack capabilities. This underscores the critical need for robust cybersecurity measures across all platforms and a heightened level of awareness within businesses.

For a detailed technical analysis of the new Mac encryption, refer to Wardle’s report on Objective See.

How Can We Protect Against LockBit Ransomware?

The escalating threat of LockBit Ransomware necessitates a proactive cybersecurity approach. To shield yourself and your organisation from its malevolent reach, consider these recommendations from ArmourZero:
1. Effective Backup Strategy
Foiling a successful LockBit attack requires robust cybersecurity measures and a comprehensive backup strategy, including encrypted offline and offsite backups.
2. Regular Patching
Ensure the security of your systems and software by consistently applying patches. ArmourZero offers Patch Management as a service powered by Automox. Automox is the only cloud-native patching platform that fully automated patch management across Windows, macOS, Linux, and third-party software, including Adobe, Java, Firefox, Chrome, and Windows. It seamlessly operates on both computers and servers, designed to support remote workforces.