Cybersecurity Snapshots #32 - LockBit Ransomware Group

Security researchers at Digital Shadows have found that ransomware activity continues to increase, and they cite the LockBit ransomware group as a major contributor to the rise. The researchers monitored almost 90 data leak sites on the dark web and observed that ransomware groups claimed 705 victims in Q2 2022, a 21% increase over the prior quarter's 582. The researchers stated that the LockBit ransomware group overtook Conti in victim numbers as Conti ceased operations following the leak of its internal chat logs. Conti had reached almost 900 victims during its operations, but LockBit is now closing in on 1000 after a 13% growth in activity during the quarter. At around 230, LockBit's quarterly victim count far exceeded that of any other group in Q2, and it accounted for almost a third of all postings to leak sites in the quarter. Large companies that fell victim to the LockBit ransomware group include Mandiant, La Poste Mobile, Atento, and Accenture.

The LockBit ransomware gang first emerged in September 2019 and operates as Ransomware-as-a-Service (RaaS), a model in which cyber criminals place a deposit in exchange for the use of custom "for-hire" attacks. LockBit originally targeted organizations in the U.S., the UK, Germany, China, India, France, Ukraine, and Indonesia.

LockBit 1.0 eventually evolved into LockBit 2.0, which first appeared on Russian-language cybercrime forums in January 2021. LockBit 2.0 relied on tools such as Windows PowerShell and Server Message Block (SMB) to attack organizations and to scan compromised networks for further devices to infect. Because LockBit 2.0 primarily used tools built into Windows systems, its malicious activity was more difficult to detect. LockBit 2.0 successfully deployed ransomware in the manufacturing, retail and food, construction, and professional services industries, with most of the attempts made against organizations in Chile, Taiwan, Italy, and the U.K. After re-emerging as LockBit 2.0, the gang chose not only to encrypt systems but also adopted the double extortion model. With double extortion, threat actors go beyond encryption by exfiltrating an organization's data and threatening to publicize the stolen data if the demanded ransom is not paid. If an organization does not pay, the gang publishes and sells the exfiltrated data on its own dedicated data leak site. Sometimes the gang sells the stolen data even when the organization has paid the demanded ransom.

The LockBit ransomware group touts its speed over competing ransomware families to attract potential buyers for its RaaS. Many RaaS buyers want the fastest ransomware, because ransomware that encrypts files quickly leaves victims virtually no chance to counter the attack once it starts. Earlier this year, the LockBit group posted a table listing encryption speeds for more than 30 ransomware families, highlighting LockBit 2.0 as the fastest. Security researchers on Splunk's SURGe research team conducted a new study to test LockBit's claim that it is the quickest ransomware. The researchers found that LockBit was faster than other ransomware families, but with some notable differences. For example, LockBit 2.0 was actually slower at encrypting files than the original LockBit 1.0: LockBit 1.0 took 2.33 minutes to encrypt 98,553 files, while LockBit 2.0 took 2.5 minutes to encrypt 98,548 files. The researchers stated that the pace at which ransomware encrypts files is faster than any network defender can respond to. Because enterprise defense cannot "win" during the encryption phase, the best chance of foiling a ransomware attack is to detect the intrusion before the encryption process kicks off. Researchers at Mandiant recently reported that ransomware operators tend to spend three to five days in the victim environment collecting information before kicking off the encryption process. The researchers stated that security teams need to be acting during those three to five days.

The ransomware gang continues to innovate and launched LockBit 3.0 in March 2022. With the launch of LockBit 3.0, the gang created a bug bounty program. Similar to how legitimate companies reward researchers for helping them improve their security, LockBit operators claim they are prepared to pay out between $1,000 and $1 million to security researchers and hackers. Rewards can be earned for website vulnerabilities, flaws in the ransomware encryption process, vulnerabilities in the Tox messaging app, and vulnerabilities exposing their Tor infrastructure. According to researchers at Cyble, the latest version of the ransomware encrypts files on victims' machines and appends the extension "HLjkNskOq" to the encrypted files. It requires a key supplied through the command-line argument "-pass" in order to execute. LockBit 3.0 resolves its API functions dynamically, and its strings and code are stored encrypted and decrypted only at runtime. The researchers also noted that the ransomware creates multiple threads to perform numerous tasks in parallel for faster encryption. The threads are responsible for querying system information, creating the ransom note, getting file attributes, and deleting services. To encrypt files successfully, LockBit 3.0 deletes a few services. After encryption, the victims are instructed on how to pay the demanded ransom via a ransom note dropped onto the victim's computer. Victims are threatened and told their data will be leaked on LockBit 3.0's data leak site if the ransom is not paid in Bitcoin. New features in LockBit 3.0 also include support for payments in the Zcash cryptocurrency, a reward program for any information on high-value targets, and a new data leak site that allows anyone to purchase victim data. The top sectors targeted with LockBit 3.0 include the Banking, Financial Services and Insurance (BFSI) industry (33.3%), professional services (22.2%), technology (11.1%), manufacturing (11.1%), consumer goods (11.1%), and construction (11.1%).
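The two previous paragraphs make the defensive point: the encryption phase is too fast to stop, so detection has to catch the intrusion or the very start of mass encryption. The following added example (written for this page, not code from Digital Shadows, Splunk SURGe or Cyble) shows a minimal file-activity detector that combines the known LockBit 3.0 extension "HLjkNskOq" reported by Cyble with a generic heuristic, a burst of renames that all switch to one new extension from a single host and process, so that it also fires on an unknown variant. The pipe-separated log format, the host and process names, the burst thresholds and the log lines themselves are constructed for the example.

```python
"""Flag ransomware-style mass extension changes in a file-activity log.

Added example; assumes a pipe-separated event log with the fields
    epoch_seconds|host|process|operation|old_path|new_path
Everything below except the extension "HLjkNskOq" (reported by Cyble for
LockBit 3.0) is a constructed assumption for illustration.
"""
from collections import defaultdict, deque
from pathlib import PureWindowsPath

KNOWN_RANSOM_EXTENSIONS = {"HLjkNskOq"}  # LockBit 3.0 marker from the Cyble report

# Assumed thresholds, tune per environment: BURST_COUNT or more extension
# changes to the same new extension by one host/process within BURST_WINDOW
# seconds is treated as the start of mass encryption.
BURST_WINDOW = 10.0
BURST_COUNT = 5

# Constructed sample log: one host hit by the known extension, one host hit by
# an unknown extension, and one host doing benign bulk renames (.jpeg -> .jpg).
SAMPLE_LOG = r"""
1656000000|WS-042|explorer.exe|RENAME|C:\Users\a\draft.docx|C:\Users\a\report.docx
1656000003|WS-042|upd.exe|RENAME|C:\Users\a\q1.xlsx|C:\Users\a\q1.xlsx.HLjkNskOq
1656000003|WS-042|upd.exe|RENAME|C:\Users\a\q2.xlsx|C:\Users\a\q2.xlsx.HLjkNskOq
1656000100|WS-077|svc.exe|RENAME|D:\share\inv01.pdf|D:\share\inv01.pdf.zzz7
1656000100|WS-077|svc.exe|RENAME|D:\share\inv02.pdf|D:\share\inv02.pdf.zzz7
1656000101|WS-077|svc.exe|RENAME|D:\share\inv03.pdf|D:\share\inv03.pdf.zzz7
1656000101|WS-077|svc.exe|RENAME|D:\share\inv04.pdf|D:\share\inv04.pdf.zzz7
1656000102|WS-077|svc.exe|RENAME|D:\share\inv05.pdf|D:\share\inv05.pdf.zzz7
1656000104|WS-077|svc.exe|RENAME|D:\share\inv06.pdf|D:\share\inv06.pdf.zzz7
1656000900|WS-099|photos.exe|RENAME|E:\img\IMG_1.jpeg|E:\img\IMG_1.jpg
1656000950|WS-099|photos.exe|RENAME|E:\img\IMG_2.jpeg|E:\img\IMG_2.jpg
1656001000|WS-099|photos.exe|RENAME|E:\img\IMG_3.jpeg|E:\img\IMG_3.jpg
"""


def extension(path):
    """Final extension of a Windows path without the dot ('' if none)."""
    return PureWindowsPath(path).suffix.lstrip(".")


def parse_event(line):
    """Parse one log line into a dict; returns None for malformed or non-rename lines."""
    parts = line.strip().split("|")
    if len(parts) != 6 or parts[3] != "RENAME":
        return None
    ts, host, process, _op, old, new = parts
    return {"ts": float(ts), "host": host, "process": process, "old": old, "new": new}


def detect(log_text, window=BURST_WINDOW, threshold=BURST_COUNT):
    """Return alerts for known ransomware extensions and for extension-change bursts."""
    alerts = []
    recent = defaultdict(deque)  # (host, process, new_ext) -> timestamps inside the window
    already = set()              # (alert kind, key) pairs already reported
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        old_ext, new_ext = extension(ev["old"]), extension(ev["new"])
        if new_ext == old_ext:
            continue  # plain renames that keep the extension are not interesting here
        key = (ev["host"], ev["process"], new_ext)
        if new_ext in KNOWN_RANSOM_EXTENSIONS and ("ioc", key) not in already:
            already.add(("ioc", key))
            alerts.append({"kind": "known_extension", "host": ev["host"],
                           "process": ev["process"], "ext": new_ext,
                           "count": 1, "first_path": ev["new"]})
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the sliding window
        if len(q) >= threshold and ("burst", key) not in already:
            already.add(("burst", key))
            alerts.append({"kind": "rename_burst", "host": ev["host"],
                           "process": ev["process"], "ext": new_ext,
                           "count": len(q), "first_path": ev["new"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['kind']:16} host={a['host']} process={a['process']} "
              f"ext=.{a['ext']} count={a['count']} first={a['first_path']}")
```

Run against the sample, the detector raises two alerts: the known-extension match on WS-042 after a single event, and the burst on WS-077 once five ".zzz7" renames land inside ten seconds; the slow, benign ".jpeg" to ".jpg" renames on WS-099 stay below the threshold. In a real deployment the events would come from an EDR or Sysmon file-rename feed, and the burst alert is the one worth acting on, because it does not depend on knowing the extension in advance.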

The LockBit ransomware gang is expected to be more active in the future. Security researchers suggest that organizations protect themselves from ransomware such as LockBit 3.0 by ensuring that the usual security best practices are in place, including not opening unverified emails or clicking on embedded links or attachments in such messages, and regularly backing up important files using the 3-2-1 rule. Under the 3-2-1 rule, three backup copies are kept in two different file formats, with one of the copies stored in a separate physical location. As usual, regular updates of software and applications with the latest patches are also recommended. The researchers also suggest monitoring inbound and outbound network traffic, with alerts for data exfiltration in place.
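The last recommendation, alerting on data exfiltration, matters here because the double extortion described earlier depends on the gang moving the data out before encryption starts. The following added example (written for this page, not the researchers' code) shows the simplest useful form of such an alert: per-host daily egress volume compared against that host's own recent median, with a separate alert for a host that has no history at all. The flow summary format, the hosts, the 203.0.113.0/24 destination addresses and the byte counts are constructed, and the spike factor and minimum volume are assumed thresholds.

```python
"""Per-host outbound volume alerts from daily flow summaries.

Added example; assumes a pipe-separated flow summary with a header row and
the fields  day|host|dst|bytes_out  (one row per host/destination/day).
All hosts, addresses, byte counts and thresholds are constructed.
"""
from collections import defaultdict
from statistics import median

SPIKE_FACTOR = 5          # assumed: alert when today exceeds 5x the host's median day
MIN_BYTES = 1_000_000_000  # assumed: ignore anything under ~1 GB to cut noise

# Constructed sample: WS-042 spikes on the last day, WS-077 stays normal,
# WS-099 appears for the first time and immediately sends a lot of data.
SAMPLE_FLOWS = """\
day|host|dst|bytes_out
2022-06-01|WS-042|203.0.113.10|120000000
2022-06-02|WS-042|203.0.113.10|95000000
2022-06-03|WS-042|203.0.113.10|140000000
2022-06-04|WS-042|203.0.113.10|110000000
2022-06-05|WS-042|203.0.113.10|130000000
2022-06-06|WS-042|203.0.113.50|1500000000
2022-06-06|WS-042|203.0.113.50|2700000000
2022-06-01|WS-077|203.0.113.20|800000000
2022-06-02|WS-077|203.0.113.20|820000000
2022-06-03|WS-077|203.0.113.20|790000000
2022-06-04|WS-077|203.0.113.20|810000000
2022-06-05|WS-077|203.0.113.20|805000000
2022-06-06|WS-077|203.0.113.20|900000000
2022-06-06|WS-099|203.0.113.77|2000000000
"""


def parse_flows(text):
    """Parse the summary into dicts, skipping the header row and blank lines."""
    flows = []
    for line in text.strip().splitlines()[1:]:
        if not line.strip():
            continue
        day, host, dst, nbytes = line.split("|")
        flows.append({"day": day, "host": host, "dst": dst, "bytes": int(nbytes)})
    return flows


def daily_totals(flows):
    """host -> {day -> total outbound bytes}, summed over all destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["host"]][f["day"]] += f["bytes"]
    return totals


def egress_alerts(flows, day, factor=SPIKE_FACTOR, min_bytes=MIN_BYTES):
    """Alerts for `day`: volume spikes against each host's own median, and
    first-seen hosts that exceed the minimum volume (no baseline to compare)."""
    alerts = []
    for host, per_day in sorted(daily_totals(flows).items()):
        today = per_day.get(day, 0)
        if today < min_bytes:
            continue
        history = [v for d, v in per_day.items() if d < day]  # ISO dates sort as strings
        if not history:
            alerts.append({"host": host, "day": day, "bytes": today,
                           "kind": "no_baseline", "ratio": None})
            continue
        baseline = median(history)
        if today > factor * baseline:
            alerts.append({"host": host, "day": day, "bytes": today,
                           "kind": "volume_spike", "ratio": round(today / baseline, 1)})
    return alerts


if __name__ == "__main__":
    for a in egress_alerts(parse_flows(SAMPLE_FLOWS), "2022-06-06"):
        print(f"{a['kind']:13} host={a['host']} bytes={a['bytes']:,} ratio={a['ratio']}")
```

For the sample day the check flags WS-042 (4.2 GB against a 120 MB median, a 35x spike) and WS-099 (2 GB with no history), while WS-077's 900 MB is within its normal range. The per-host median is deliberately robust to a single earlier outlier; a production version would add the destination dimension (new external destinations, cloud storage or Tor exits) and shorter windows, but the volume comparison alone already covers the bulk transfers that precede a double extortion leak.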
