Dark Web Profile: LockBit 3.0 Ransomware

April 27, 2023

The frequency of ransomware attacks rises every year. A single group, the LockBit Ransomware Group, was responsible for over one-third of all ransomware attacks from the second half of 2022 through the first quarter of 2023.

The LockBit Ransomware Group was first observed in September 2019. It became the most active ransomware group of 2022 after the shutdown of Conti, and as of the first quarter of 2023 it still stands out as the most active group. With over 1,500 victim announcements recorded on the SOCRadar platform, it set a record in the first quarter of 2023 as by far the most active ransomware group, with over 300 announced victims in that quarter alone.

Atento, a CRM company, put the impact of a LockBit attack at $42.1 million in its 2021 financial performance report: $34.8 million in lost revenue and $7.3 million in mitigation expenses. Although figures of this size vary from company to company, the total financial loss caused by LockBit’s operations can run into billions of dollars.

Announced victim counts so far in 2023.

Security researchers have also found new strains and evidence that the group behind LockBit 3.0 plans to broaden the malware’s reach. While the latest variant, LockBit 3.0, had previously targeted Windows, Linux, and VMware ESXi servers, alleged new builds of the LockBit encryptor have been identified that also target macOS and FreeBSD and the ARM, MIPS, and SPARC architectures. Given the group’s already sizable attack volume, it is likely to keep expanding the range of devices it can hit, which could mean a significant surge in LockBit attacks soon.

MacOS/Linux ransomware strain of LockBit. (Source: VirusTotal)

Who is the LockBit 3.0 Ransomware Group

LockBit 3.0 is a Ransomware-as-a-Service (RaaS) group that continues the lineage of LockBit and LockBit 2.0. Since January 2020, LockBit has run an affiliate-based model in which affiliates use a variety of tactics against a wide range of businesses and critical infrastructure organizations. LockBit has been quick to adopt practices such as double extortion, working with initial access broker affiliates, and advertising on hacker forums. It has even been known to recruit insiders and run contests on forums to attract skilled hackers; this expansionist approach has drawn numerous affiliates, victimized thousands of organizations, and keeps the operation going.

The LockBit Ransomware Group even runs its own bug bounty program.

LockBit Black, also known as LockBit 3.0, has been the current LockBit variant since July 2022. A key difference from its predecessor is that many options can be customized both when the payload is built and when it is executed. LockBit 3.0 uses a modular design and keeps the payload encrypted until execution, which significantly hinders malware analysis and detection.

LockBit discloses its victims on its leak site and sets a deadline for the ransom.

What are LockBit 3.0’s Targets

LockBit 3.0 only infects a system whose UI language is not on a built-in exclusion list. The excluded languages are those of Russia and of countries in its sphere of influence or allied with it.

To determine where the targeted system is located, LockBit ransomware calls the Windows functions:

  • GetSystemDefaultUILanguage()
  • GetUserDefaultUILanguage()

It compares the returned language identifiers against a set of locales; if neither matches, the malware proceeds to the next check. Among the excluded locales are Romanian (Moldova), Arabic (Syria), and Tatar (Russia), but this is not an exhaustive list.
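As an added example that is not part of the original post and not LockBit’s own code, the Python below reproduces the locale guardrail described above. The LANGID values are the standard 16-bit Windows language identifiers that GetSystemDefaultUILanguage() and GetUserDefaultUILanguage() return; the exclusion set is limited to the three locales the post names plus Russian (Russia), and the bit layout of a LANGID is used to show why Romanian (Moldova) is excluded while Romanian (Romania) is not. On Windows the script reads the live values through ctypes; on other platforms the LANGIDs are passed in directly. The describe() helper is hypothetical and only formats the result.

```python
import sys

# A Win32 LANGID is a 16-bit value: low 10 bits = primary language,
# high 6 bits = sublanguage (region).  This is MAKELANGID(primary, sub).
def make_langid(primary: int, sub: int) -> int:
    return ((sub & 0x3F) << 10) | (primary & 0x3FF)

def primary_lang(langid: int) -> int:
    return langid & 0x3FF

def sub_lang(langid: int) -> int:
    return (langid >> 10) & 0x3F

# Excluded UI languages: the three the post names plus Russian (Russia).
# The real list in the malware is longer; extend it from the CISA advisory.
EXCLUDED_LANGIDS = {
    0x0419: "Russian (Russia)",
    0x0444: "Tatar (Russia)",
    0x0818: "Romanian (Moldova)",
    0x2801: "Arabic (Syria)",
}

def lockbit_would_skip(system_langid: int, user_langid: int) -> bool:
    """The guardrail: abort if *either* UI language is on the list.

    Both GetSystemDefaultUILanguage() and GetUserDefaultUILanguage() are
    consulted, so an en-US user profile on a ru-RU system is still skipped.
    """
    return system_langid in EXCLUDED_LANGIDS or user_langid in EXCLUDED_LANGIDS

def current_ui_langids():
    """Read the two live values on Windows; return None on other platforms.

    Both kernel32 exports take no arguments and return a LANGID (WORD).
    """
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    return (k32.GetSystemDefaultUILanguage() & 0xFFFF,
            k32.GetUserDefaultUILanguage() & 0xFFFF)

def describe(langid: int) -> str:
    """Hypothetical helper: show a LANGID the way the guardrail sees it."""
    name = EXCLUDED_LANGIDS.get(langid, "not excluded")
    return (f"0x{langid:04X}: primary=0x{primary_lang(langid):02X} "
            f"sub=0x{sub_lang(langid):02X} -> {name}")

if __name__ == "__main__":
    # Romanian (Romania) 0x0418 and Romanian (Moldova) 0x0818 share the
    # primary language 0x18; only the sublanguage differs, and only the
    # Moldovan locale is on the list.
    for lid in (0x0409, 0x0418, 0x0818, 0x0419, 0x2801):
        print(describe(lid))
    live = current_ui_langids()
    if live:
        print("this host would be skipped:", lockbit_would_skip(*live))
```

The check is on the UI language, not the keyboard layout: adding a Russian keyboard as a “vaccine” leaves both return values unchanged, and switching the Windows display language has obvious operational costs. Treat the guardrail as a triage signal (a sample that exits immediately on a ru-RU analysis VM is behaving as expected), not as a defense.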

Although the group claims not to engage in politics, many of its targets are in NATO and allied countries. According to SOCRadar data, about half of the attacks using the LockBit 3.0 variant hit US companies.

Ransomware victims of LockBit 3.0 by country of origin.

Again according to SOCRadar data, manufacturing leads on a sectoral basis, but no single industry can be singled out as the target. That healthcare and education are among the most-hit sectors shows that no industry is off-limits. In terms of business size, LockBit usually targets small or medium-sized organizations, but very large companies, such as the IT firm Accenture, can also end up among its victims.

Top targeted industries by LockBit 3.0

Findings on LockBit 3.0 Ransomware

According to CISA’s advisory:

LockBit 3.0, a Ransomware-as-a-Service (RaaS), offers several options for configuring its behavior at compile time. Once it is executed on a victim’s system, affiliates can further modify its behavior with additional command-line arguments, for example to enable lateral movement or to reboot into safe mode. Affiliates who do not have access to the passwordless build of the ransomware must supply a password at execution; the cryptographic key derived from it decrypts the executable, which protects the encrypted payload dropped on the target from analysis if it is recovered without the password.

LockBit 3.0 affiliates use diverse methods for initial access, including RDP exploitation, phishing campaigns, and exploitation of vulnerabilities in public-facing applications. The use of Chocolatey, an open-source package manager, to install and execute malicious payloads is a recurring feature of LockBit 3.0 attacks, likely chosen to evade detection.

LockBit 3.0 uses hardcoded credentials or compromised local accounts with elevated privileges to spread through a victim network. Using the Server Message Block (SMB) protocol, it can also spread via Group Policy Objects and PsExec. After encryption, LockBit 3.0 drops a ransom note and changes the host’s wallpaper and icons to LockBit branding. It may also send encrypted host and bot information to a command and control server.

LockBit 3.0’s ransomware note in wallpaper format. (Source: CISA)

LockBit 3.0 affiliates exfiltrate sensitive company data before encryption using StealBit and rclone, the exfiltration tools LockBit most commonly uses, as well as public file-sharing services. LockBit threat actors use tools such as ProcDump and SoftPerfect Network Scanner to collect information about hostnames, network services, and remote access protocols. They also use remote desktop software, popular file transfer tools, and PuTTY Link (Plink) to move between hosts and to transfer files between compromised hosts and their command and control servers.

After encrypting the victim’s files, LockBit ransomware deletes log files, the contents of the recycle bin, and volume shadow copies. The group uses a hybrid encryption scheme combining the AES and RSA algorithms.

An overview of a typical LockBit operation. (Source: Australian Cyber Security Center)

Conclusion

In conclusion, LockBit 3.0 is a highly active and still-expanding Ransomware-as-a-Service (RaaS) operation that has victimized thousands of organizations worldwide and, because of its large affiliate base, employs a wide variety of tactics, techniques, and procedures. There is a high probability that both its victim count and its target pool will keep growing, leading to a notable upsurge in LockBit attacks in the coming months, especially if it becomes the first notable ransomware family with a working macOS encryptor. Its targeting of many countries and sectors, and its efforts to increase the number of platforms it can infect, show that it poses a significant danger to every organization.

How can SOCRadar Help?

LockBit affiliates commonly use phishing campaigns for initial access in their ransomware attacks. To counter this, organizations can use SOCRadar’s Digital Risk Protection for brand protection, which proactively detects phishing campaigns that impersonate their domains.

SOCRadar DRP, Dark Web Monitoring module

LockBit affiliates also use spam emails carrying malicious documents, and they may log in with stolen credentials. To counter these, enforce multi-factor authentication and treat email attachments with caution.

The most important step in limiting the damage from a ransomware attack is to keep offline backups. However, the group runs a double extortion model, stealing the victim’s data before encrypting it, so backups alone do not remove the pressure to pay. Organizations should also know and fix the vulnerabilities in their environment, which SOCRadar’s Attack Surface Management supports by giving visibility into external-facing digital assets, allowing security teams to track vulnerabilities and shrink the attack surface that ransomware operators can exploit.

SOCRadar Attack Surface Management

MITRE ATT&CK TTPs

Initial Access
  • Valid Accounts (T1078)
  • External Remote Services (T1133)
  • Drive-by Compromise (T1189)
  • Exploit Public-Facing Application (T1190)
  • Phishing (T1566)

Execution (TA0002)
  • Software Deployment Tools (T1072)

Persistence
  • Valid Accounts (T1078)
  • Boot or Logon Autostart Execution (T1547)

Privilege Escalation (TA0004)
  • Boot or Logon Autostart Execution (T1547)

Defense Evasion
  • Obfuscated Files or Information (T1027)
  • Indicator Removal: File Deletion (T1070.004)
  • Execution Guardrails: Environmental Keying (T1480.001)

Credential Access
  • OS Credential Dumping: LSASS Memory (T1003.001)

Discovery
  • Network Service Discovery (T1046)
  • System Information Discovery (T1082)
  • System Location Discovery: System Language Discovery (T1614.001)

Lateral Movement
  • Remote Services: Remote Desktop Protocol (T1021.001)

Command and Control
  • Application Layer Protocol: File Transfer Protocols (T1071.002)
  • Protocol Tunneling (T1572)

Exfiltration (TA0010)
  • Exfiltration Over Web Service (T1567)
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)

Impact
  • Data Destruction (T1485)
  • Data Encrypted for Impact (T1486)
  • Service Stop (T1489)
  • Inhibit System Recovery (T1490)
  • Defacement: Internal Defacement (T1491.001)

IOCs

IoCs from the US government agencies’ #StopRansomware advisory on LockBit 3.0:

File Sharing Sites:

  • https://www.premiumize[.]com
  • https://anonfiles[.]com
  • https://www.sendspace[.]com
  • https://fex[.]net
  • https://transfer[.]sh
  • https://send.exploit[.]in

Freeware and Open-Source Tools:

  • Chocolatey
  • FileZilla
  • Impacket
  • MEGA Ltd MegaSync
  • Microsoft Sysinternals ProcDump
  • Microsoft Sysinternals PsExec
  • Mimikatz
  • Ngrok
  • PuTTY Link (Plink)
  • Rclone
  • SoftPerfect Network Scanner
  • Splashtop
  • WinSCP

Mutex:

  • Global\<MD4 hash of machine GUID>

UAC Bypass via Elevated COM Interface:

  • C:\Windows\System32\dllhost.exe

Volume Shadow Copy Deletion (WQL query):

  • Select * from Win32_ShadowCopy

Registry Artifacts:

  • HKCR\.<Malware Extension>
  • HKCR\.<Malware Extension>\DefaultIcon
  • HKCU\Control Panel\Desktop\WallPaper
  • SOFTWARE\Policies\Microsoft\Windows\OOBE
  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

IoCs from the SOCRadar Platform:

IP addresses:

  • 212[.]102[.]39[.]138
  • 194[.]32[.]122[.]35
  • 178[.]175[.]129[.]35
  • 178[.]162[.]209[.]138
  • 178[.]162[.]209[.]137
  • 172[.]93[.]181[.]238
  • 156[.]146[.]41[.]94
  • 216[.]24[.]213[.]7
  • 37[.]46[.]115[.]29
  • 37[.]46[.]115[.]26
  • 37[.]46[.]115[.]24
  • 37[.]46[.]115[.]17
  • 37[.]46[.]115[.]16
  • 212[.]102[.]35[.]149
  • 178[.]175[.]129[.]37
  • 91[.]90[.]122[.]24

SHA256:

  • 5fff24d4e24b54ac51a129982be591aa59664c888dd9fc9f26da7b226c55d835
  • bb574434925e26514b0daf56b45163e4c32b5fc52a1484854b315f40fd8ff8d2
  • 9a3bf7ba676bf2f66b794f6cf27f8617f298caa4ccf2ac1ecdcbbef260306194

SHA1:

  • e141562aab9268faa4aba10f58052a16b471988a
  • 3d62d29b8752da696caa9331f307e067bc371231

MD5:

  • 03f82d8305ddda058a362c780fe0bc68
  • fd8246314ccc8f8796aead2d7cbb02b1
  • f41fb69ac4fccbfc7912b225c0cac59d
  • ee397c171fc936211c56d200acc4f7f2
  • dfa65c7aa3ff8e292e68ddfd2caf2cea
  • d1d579306a4ddf79a2e7827f1625581c
  • b806e9cb1b0f2b8a467e4d1932f9c4f4
  • 8ff5296c345c0901711d84f6708cf85f
  • 8af476e24db8d3cd76b2d8d3d889bb5c
  • 6c247131d04bd615cfac45bf9fbd36cf
  • 58ea3da8c75afc13ae1ff668855a63 (30 hex characters as published, not a complete MD5)
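As an added example, not taken from the post or from any vendor tooling, the Python below refangs a subset of the indicators listed above and sweeps log lines for them: the infrastructure IPs, the file hashes, the file-sharing domains used for exfiltration, the Global\<MD4> mutex shape, and the Win32_ShadowCopy WQL query from the artifact list. The sample log lines are constructed for illustration and their field names are hypothetical, not a real product schema.

```python
import re

# Defanged values copied from the IoC lists above (a subset is enough to
# show the mechanics; load the full set in practice).
DEFANGED_IPS = ["212[.]102[.]39[.]138", "194[.]32[.]122[.]35", "37[.]46[.]115[.]29"]
DEFANGED_SHARING_DOMAINS = ["anonfiles[.]com", "transfer[.]sh", "send.exploit[.]in"]
KNOWN_HASHES = {
    "5fff24d4e24b54ac51a129982be591aa59664c888dd9fc9f26da7b226c55d835",  # SHA256
    "03f82d8305ddda058a362c780fe0bc68",                                  # MD5
}

def refang(ioc: str) -> str:
    """Turn the publication-safe '[.]' form back into a matchable string."""
    return ioc.replace("[.]", ".")

IPS = {refang(i) for i in DEFANGED_IPS}
SHARING_DOMAINS = {refang(d) for d in DEFANGED_SHARING_DOMAINS}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Mutex: Global\ followed by an MD4 digest (32 hex chars) of the machine GUID.
MUTEX_RE = re.compile(r"Global\\[0-9a-f]{32}\b", re.I)
# WQL query issued before shadow copies are deleted (from the artifact list).
SHADOWCOPY_RE = re.compile(r"select\s+\*\s+from\s+Win32_ShadowCopy", re.I)

def match_line(line: str) -> list[tuple[str, str]]:
    """Return (category, value) hits for one log line; empty list if none."""
    hits = []
    hits += [("ip", ip) for ip in IP_RE.findall(line) if ip in IPS]
    hits += [("hash", h.lower()) for h in HASH_RE.findall(line)
             if h.lower() in KNOWN_HASHES]
    for host in HOST_RE.findall(line):
        h = host.lower()
        # exact domain or any subdomain of a listed file-sharing service
        if any(h == d or h.endswith("." + d) for d in SHARING_DOMAINS):
            hits.append(("filesharing", h))
    hits += [("mutex", m) for m in MUTEX_RE.findall(line)]
    if SHADOWCOPY_RE.search(line):
        hits.append(("shadowcopy", "Win32_ShadowCopy"))
    return hits

def sweep(lines):
    """Map line index -> hits, skipping lines with none."""
    return {i: hits for i, line in enumerate(lines) if (hits := match_line(line))}

# Constructed sample events (field names are illustrative, not a real schema).
SAMPLE_LOGS = [
    "2023-04-20T10:12:01Z proxy src=10.0.0.5 dst=212.102.39.138 dport=443 bytes=51234",
    "2023-04-20T10:15:44Z proxy src=10.0.0.7 host=cdn.anonfiles.com method=PUT bytes=88211000",
    "2023-04-20T10:16:02Z edr evt=mutex_create name=Global\\0123456789abcdef0123456789abcdef",
    "2023-04-20T10:18:30Z wmi-activity query=\"Select * from Win32_ShadowCopy\" client=svc.exe",
    "2023-04-20T10:20:10Z edr file=C:\\Users\\x\\AppData\\Local\\svc.exe md5=03f82d8305ddda058a362c780fe0bc68",
    "2023-04-20T10:21:00Z proxy src=10.0.0.9 dst=8.8.8.8 dport=53 bytes=120",
]

if __name__ == "__main__":
    for idx, hits in sweep(SAMPLE_LOGS).items():
        print(idx, hits)
```

Hash and IP matches are exact and cheap to run over an inventory; the file-sharing match deliberately includes subdomains, because uploads usually go to a CDN or API host rather than the bare domain. The mutex and WQL patterns are behavioral and will fire on other software that uses the same shapes, so treat them as pivots for investigation rather than as standalone alerts.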


