The LockBit ransomware gang has been operational since 2019. In June 2021, the gang deployed a newer version of the ransomware, dubbed LockBit 2.0 by its developers, which researchers saw making a stir on underground forums. Now, a report published by Trend Micro details how the new version has been deployed in recent campaigns starting in July of this year.
The campaigns, which made use of the newer version, targeted organizations in Chile, Italy, Taiwan, and the U.K.
Chile bore the brunt of the gang’s attacks, accounting for 85% of the attacks during this period. LockBit recently made international headlines when it successfully attacked Accenture, with Trend Micro researchers noting,
“The group behind LockBit 2.0 recently conducted a highly publicized attack, so it should go without saying that organizations need to keep a wary eye on this ransomware variant. LockBit 2.0 is especially tricky for its fast encryption. We also assume that this group will continue to make a scene for a long time, especially since it’s currently recruiting affiliates and insiders, making it more capable of infecting many companies and industries. It would also be wise to assume and prepare for upgrades and further developments in LockBit 2.0, especially now that many companies are aware of its capabilities and how it works.”
LockBit 2.0 has several new features designed to improve the effectiveness of the malware. Combined with the group's already well-developed ransomware-as-a-service operations, in which affiliates handle the infiltration and the exfiltration of data to conduct a double extortion campaign, this makes LockBit a threat to many an organization.
Summarising the improvements made to the code base, researchers noted,
“In contrast to LockBit’s attacks and features in 2019, this version includes automatic encryption of devices across Windows domains by abusing Active Directory (AD) group policies, prompting the group behind it to claim that it’s one of the fastest ransomware variants in the market today. LockBit 2.0 prides itself on having one of the fastest and most efficient encryption methods in today’s ransomware threat landscape. Our analysis shows that while it uses a multithreaded approach in encryption, it also only partially encrypts the files, as only 4 KB of data are encrypted per file.”
As for techniques used to gain access to targets' infrastructure, the gang will not only make use of affiliates but will also attempt to recruit insiders, those who work for a target or have privileged access to its infrastructure, to gain privileged access. Insiders are promised handsome payment and guaranteed anonymity in exchange for credentials that allow access to the infrastructure, typically via RDP connections.
Researchers believe that this may be a more favorable arrangement for LockBit’s developers than relying solely on affiliates. The tactic has been described as effectively removing the “middleman”, as attackers no longer require the cooperation of other threat groups and hackers.
Improved Infection Routine
The change in recruitment tactics has also been supported by an improvement in how LockBit operators go about infecting a targeted network. In the past, RDP abuse was favored for gaining initial access. This has not changed, and securing RDP ports is still a valid defense measure against LockBit attacks.
While the method of gaining access has changed very little, the operators developed a tool to assist those deploying the malware. Called StealBit, it is a trojan that facilitates the granting of access and the exfiltration of data. StealBit is provided to LockBit’s partners in crime to help facilitate initial access.
Once access is gained, LockBit 2.0 boasts a variety of tools that can be used for network discovery and for revealing what treasures the target has been hiding. The tools include a network scanner that creates a picture of the network and finds domain controllers.
It also uses multiple batch files for various purposes, including terminating security tools, enabling RDP connections, clearing Windows Event logs, and making sure that crucial processes, such as Microsoft Exchange, MySQL, and QuickBooks, are unavailable.
It also stops Microsoft Exchange and disables other related services. LockBit will also make use of legitimate tools including Process Hacker and PC Hunter to further assist in fully discovering the infrastructure. Researchers noted,
“Once in the domain controller, the ransomware creates new group policies and sends them to every device on the network. These policies disable Windows Defender, and distribute and execute the ransomware binary to each Windows machine.”
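A defender can hunt for the sequence the researchers describe by correlating a newly created group policy object with Microsoft Defender being switched off on many hosts shortly afterwards. The following is an added example, not code from the Trend Micro report; the events are constructed, and the 30-minute window and three-host threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not taken from the report. Event IDs are the
# standard Windows ones: 5137 = directory service object created (Security
# log on a domain controller), 5001 = Microsoft Defender real-time
# protection disabled (Defender operational log on an endpoint).
EVENTS = [
    {"time": "2021-08-18T10:00:00", "host": "DC01", "id": 5137,
     "ObjectClass": "groupPolicyContainer", "SubjectUserName": "gpo-admin"},
    {"time": "2021-08-19T09:00:00", "host": "WS-200", "id": 5001},
    {"time": "2021-08-20T02:10:00", "host": "DC01", "id": 5137,
     "ObjectClass": "groupPolicyContainer", "SubjectUserName": "svc-backup"},
    {"time": "2021-08-20T02:14:00", "host": "WS-101", "id": 5001},
    {"time": "2021-08-20T02:15:00", "host": "WS-102", "id": 5001},
    {"time": "2021-08-20T02:15:30", "host": "WS-101", "id": 5001},
    {"time": "2021-08-20T02:16:00", "host": "WS-103", "id": 5001},
]


def gpo_defender_alerts(events, window=timedelta(minutes=30), min_hosts=3):
    """Flag each new GPO that is followed, within `window`, by Defender
    real-time protection being switched off on at least `min_hosts` hosts."""
    timeline = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    alerts = []
    for gpo in timeline:
        if gpo["id"] != 5137 or gpo.get("ObjectClass") != "groupPolicyContainer":
            continue
        start = datetime.fromisoformat(gpo["time"])
        hosts = sorted({
            e["host"] for e in timeline
            if e["id"] == 5001
            and start <= datetime.fromisoformat(e["time"]) <= start + window
        })
        if len(hosts) >= min_hosts:
            alerts.append({"gpo_created": gpo["time"], "dc": gpo["host"],
                           "created_by": gpo["SubjectUserName"], "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for alert in gpo_defender_alerts(EVENTS):
        print(alert)
```

Event 5137 is only logged when directory service change auditing is enabled on the domain controllers.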
Once the attacker has discovered all they want to and exfiltrated data, the encryption module is executed. Victims can easily determine that they have fallen prey to LockBit, as all encrypted files have .lockbit appended to the end of their file names. The ransomware then drops a ransom note into every encrypted directory, threatening to release stolen data if the ransom is not paid, a tactic commonly referred to as double extortion.
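Because only 4 KB of each file is encrypted, a whole-file entropy check can miss an affected file, while comparing the encrypted region against the rest of the file does not. The following triage sketch is an added example, not code from the report; it assumes the encrypted 4 KB sits at the start of the file (the page does not say where), and the sample data and thresholds are constructed.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096  # the report: only 4 KB of data are encrypted per file


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes, high: float = 7.5, low: float = 6.5) -> dict:
    """Compare the entropy of the leading 4 KB with the rest of the file.

    Assumption (not stated on the page): the encrypted 4 KB sits at the
    start of the file. The thresholds are illustrative, not tuned values.
    """
    head, rest = data[:CHUNK], data[CHUNK:]
    head_h, rest_h = entropy(head), entropy(rest)
    if head_h >= high and rest and rest_h < low:
        verdict = "partially-encrypted"
    elif head_h >= high:
        verdict = "high-entropy"  # compressed or fully encrypted
    else:
        verdict = "plaintext"
    return {"renamed": name.lower().endswith(".lockbit"), "verdict": verdict,
            "head_entropy": round(head_h, 2),
            "whole_file_entropy": round(entropy(data), 2)}


# Constructed sample: 4096 pseudo-random bytes stand in for the encrypted
# region, followed by untouched CSV-like plaintext.
FAKE_HEAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAINTEXT = b"invoice,amount,date\n" * 2000
SAMPLE = FAKE_HEAD + PLAINTEXT

if __name__ == "__main__":
    print(triage("ledger.csv.lockbit", SAMPLE))
    print(triage("ledger.csv", PLAINTEXT))
```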
The final step for LockBit 2.0 is changing the victims’ desktop wallpapers into a recruitment ad, just in case a disgruntled employee also wants to get in on the action. The wallpaper also includes instructions on how victims can pay the ransom.
Taking Inspiration from Others
LockBit 2.0 has also taken some inspiration from both Ryuk and Egregor by including features used by the other ransomware gangs. These include a Wake-on-LAN feature inspired by Ryuk ransomware, which sends the Magic Packet “0xFF 0xFF 0xFF 0xFF 0xFF 0xFF” to wake offline devices, and print bombing of the ransom note onto the victim’s network printers, similar to Egregor’s technique of attracting the victim’s attention. It uses Winspool APIs to enumerate and print a document on connected printers.
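On the network side, the Wake-on-LAN behaviour is visible as one host sending magic packets to many different MAC addresses. The following detector is an added example, not code from the report; it relies on the standard magic packet layout (the six 0xFF bytes followed by the target MAC repeated 16 times), and the traffic, addresses and five-target threshold are constructed assumptions.

```python
from collections import defaultdict

SYNC = b"\xff" * 6  # the six 0xFF bytes quoted in the article


def magic_packet_target(payload: bytes):
    """Return the target MAC if payload holds a Wake-on-LAN magic packet
    (sync bytes followed by the target MAC repeated 16 times), else None."""
    pos = payload.find(SYNC)
    while pos != -1:
        body = payload[pos + 6:pos + 102]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        pos = payload.find(SYNC, pos + 1)
    return None


def wol_sweeps(packets, min_targets=5):
    """packets: iterable of (source_ip, udp_payload). Returns
    {source_ip: distinct MACs woken} for sources at or above min_targets."""
    targets = defaultdict(set)
    for src, payload in packets:
        mac = magic_packet_target(payload)
        if mac:
            targets[src].add(mac)
    return {src: len(macs) for src, macs in targets.items()
            if len(macs) >= min_targets}


def build_magic(mac: bytes) -> bytes:
    """Test fixture: lay out a magic packet payload for the samples below."""
    return SYNC + mac * 16


# Constructed sample traffic (addresses and MACs are made up).
PACKETS = [("10.0.0.7", build_magic(bytes.fromhex("001122334455")))]
PACKETS += [("10.0.0.50", build_magic(bytes([0x02, 0, 0, 0, 0, i])))
            for i in range(6)]
PACKETS.append(("10.0.0.50", SYNC + b"\x02\x00\x00\x00\x00\x09" * 10))  # truncated
PACKETS.append(("10.0.0.9", b"\xff" * 6 + b"ordinary UDP data"))

if __name__ == "__main__":
    print(wol_sweeps(PACKETS))
```

A single wake request from an administration host stays below the threshold, while the host that wakes six machines is reported.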
Those behind LockBit are believed to have worked with Maze, pioneers of the double extortion tactic, who have since retired. The announcement meant that LockBit was to go it alone but with a wealth of lessons and experience, particularly when it comes to the development of ransomware and maintaining a ransomware-as-a-service business model.
To mitigate against LockBit 2.0, the Center of Internet Security and the National Institute of Standards and Technology have provided a list of best practices. These include:
- Audit and inventory: Take an inventory of all organizational assets and data, and identify authorized and unauthorized devices, software, and personnel accessing particular systems. Audit and monitor all logs of events and incidents to identify unusual patterns and behaviors.
- Configure and monitor: Deliberately manage hardware and software configurations, and only grant administrative privileges and access to specific personnel when necessary. Monitor the use of network ports, protocols, and services. Implement security configurations on network infrastructure devices such as firewalls and routers, and have a software allow list to prevent malicious applications from being executed.
- Patch and update: Perform periodic vulnerability assessments, and conduct regular patching or virtual patching for operating systems and applications. Ensure that all installed software and applications are updated to their latest versions.
- Protect and recover: Enforce data protection, backup, and recovery measures. Implement multifactor authentication in all devices and platforms used whenever available.
- Secure and defend: Perform sandbox analysis to examine and block malicious emails. Employ the latest version of security solutions to all layers of the system, including email, endpoint, web, and network. Spot early signs of an attack such as the presence of suspicious tools in the system, and enable advanced detection technologies such as those powered with AI and machine learning.
- Train and test: Perform security skills assessment and training for all personnel regularly, and conduct red-team exercises and penetration tests.