LockBit 3.0, aka “LockBit Black,” has been causing waves in the cyber world as a new and sophisticated iteration of the notorious LockBit ransomware. Sharing similarities with the likes of Blackmatter and Blackcat ransomware, this elusive variant presents itself as a formidable adversary.
The RaaS Model: LockBit 3.0
LockBit 3.0 operates as a Ransomware-as-a-Service (RaaS), a business model that traces back to its predecessors, LockBit and LockBit 2.0. Its operations have been ongoing since January 2020, with deployment facilitated via an affiliate-based approach. This model allows its affiliates to employ a myriad of Tactics, Techniques, and Procedures (TTPs) against various businesses and organizations. This diverse strategy complicates the process of creating effective defense and mitigation plans.
Dissecting the LockBit 3.0 Operation
LockBit 3.0 is extremely versatile and adaptable. It offers a range of options that influence the ransomware’s behavior, and these can be set both at compilation time and at execution time. It can perform specific operations for lateral movement or reboot the host into Safe Mode, which makes its behavioral pattern hard to predict.
A significant feature of this ransomware is its use of a password. Affiliates who do not have access to a passwordless build of LockBit 3.0 must supply a password at launch, and this password acts as a cryptographic key that decrypts the executable. Without it, the binary remains encrypted and is neither readable nor executable, which obstructs detection and analysis efforts.
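The encrypted-executable point above has a practical consequence for analysts: a payload that stays encrypted until a key is supplied looks like random data on disk. The following Python script is an added example, not code from this article or from any LockBit analysis it draws on; it shows the byte-entropy triage an analyst uses to flag such a file. The 7.2 bits-per-byte threshold, the 1024-byte chunk size, and both sample buffers are constructed assumptions for the example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte.

    0.0 for a constant run of bytes, 8.0 when all 256 byte values are equally likely.
    """
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def entropy_profile(data: bytes, chunk_size: int = 1024) -> list:
    """Entropy per fixed-size chunk, so an encrypted region inside an
    otherwise ordinary file stands out instead of being averaged away."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def is_likely_encrypted(data: bytes, threshold: float = 7.2, min_fraction: float = 0.8) -> bool:
    """Flag a buffer as encrypted or packed when most of its chunks exceed the threshold.

    The threshold is an assumed triage value; compressed data can also score this high,
    so a hit is a reason to look closer, not proof of encryption on its own.
    """
    profile = entropy_profile(data)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) >= min_fraction


# Constructed samples: a plaintext-like buffer and a pseudo-random buffer that stands in
# for an encrypted executable. A fixed seed keeps the example reproducible offline.
PLAINTEXT_SAMPLE = (b"LockBit 3.0 operates as a ransomware-as-a-service; affiliates deploy it. ") * 64
_rng = random.Random(2023)
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for label, sample in (("plaintext", PLAINTEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(f"{label}: {shannon_entropy(sample):.2f} bits/byte, "
              f"flagged={is_likely_encrypted(sample)}")
```

Running the script prints the whole-buffer entropy and the flag for each constructed sample; pointing `is_likely_encrypted` at the bytes of a real file under investigation is the intended use.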
Defense Mechanism: Language Setting Exclusions
An interesting defense mechanism of LockBit 3.0 is its ability to exclude machines with certain language settings from infection. Systems whose language is set to, for example, Romanian (Moldova), Arabic (Syria), or Tatar (Russia) are not infected. Whether this check is active, however, depends on a configuration flag set at compilation time.
The Infiltration: Varied and Stealthy
LockBit 3.0 affiliates deploy a multitude of infiltration methods, such as exploiting remote desktop protocols (RDP), executing drive-by compromises, orchestrating phishing campaigns, misusing valid accounts, and exploiting publicly accessible applications.
Inside the Network: The Malware Routine
Once LockBit 3.0 has infiltrated a network, it escalates privileges if its current ones are insufficient. It then carries out several actions, such as enumerating system information, terminating processes and services, launching commands, enabling automatic logon, and deleting log files and shadow copies. It propagates using either pre-set credentials or compromised local accounts with high-level privileges, but it refrains from tampering with files linked to core system functions.
The Encryption: Sealing the Attack
After encryption, LockBit 3.0 leaves a ransom note with the filename <Ransomware ID>.README.txt. The ransomware also changes the host’s wallpaper and icons to display its branding. The malware may send encrypted host and bot information to a command and control (C2) server. Depending on the options chosen at compilation, it might delete itself from disk, along with any Group Policy changes it made.
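The post-infiltration behaviours listed above (shadow copy deletion, log clearing, automatic logon, and the <Ransomware ID>.README.txt note) are the observable stages a defender can alert on. The following Python script is an added example, not code from this article or from any detection product it mentions: it runs a small rule set over constructed endpoint events and correlates hits per host. The event format (pipe-separated timestamp, host, user, event type, detail), the rule patterns and severities, and the sample ransom-note name are assumptions made for the example; the article does not specify the format of the ransomware ID, so the note rule matches any `<something>.README.txt` filename.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    host: str
    timestamp: str
    evidence: str


# (rule name, severity, event type the rule applies to, pattern over the event detail).
# Patterns cover the standard Windows tooling for each behaviour; they are assumptions
# for this example, not indicators taken from the article.
RULES = [
    ("shadow_copy_deletion", "high", "process",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_cleared", "high", "process",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.I)),
    ("auto_logon_enabled", "medium", "process",
     re.compile(r"AutoAdminLogon", re.I)),
    ("ransom_note_written", "high", "file",
     re.compile(r'[^\\/\s"]+\.README\.txt\b', re.I)),
]


def parse_line(line: str):
    """Parse 'timestamp|host|user|event_type|detail'; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    timestamp, host, user, event_type, detail = parts
    return {"timestamp": timestamp, "host": host, "user": user,
            "event_type": event_type, "detail": detail}


def evaluate(lines) -> list:
    """Apply every rule to every well-formed event and return the alerts raised."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for name, severity, event_type, pattern in RULES:
            if event["event_type"] != event_type:
                continue
            match = pattern.search(event["detail"])
            if match:
                alerts.append(Alert(name, severity, event["host"], event["timestamp"], match.group(0)))
    return alerts


def hosts_with_multiple_stages(alerts, minimum: int = 2) -> list:
    """Hosts on which at least `minimum` distinct rules fired: one rule alone (for
    example a legitimate shadow copy clean-up) is noise, several together are not."""
    by_host = {}
    for alert in alerts:
        by_host.setdefault(alert.host, set()).add(alert.rule)
    return sorted(host for host, rules in by_host.items() if len(rules) >= minimum)


# Constructed sample events: WS01 shows the full sequence, WS07 only benign activity.
SAMPLE_LOG = """\
2023-02-20T10:15:01Z|WS01|CORP\\jdoe|process|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2023-02-20T10:15:03Z|WS01|CORP\\jdoe|process|wevtutil.exe cl Security
2023-02-20T10:15:04Z|WS01|CORP\\jdoe|process|reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
2023-02-20T10:16:30Z|WS01|CORP\\jdoe|file|C:\\Users\\jdoe\\Documents\\AbC123.README.txt
2023-02-20T11:02:11Z|WS07|CORP\\backup|process|vssadmin.exe list shadows
2023-02-20T11:05:00Z|WS07|CORP\\it|file|C:\\Projects\\README.txt
""".splitlines()


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG)
    for alert in found:
        print(f"[{alert.severity}] {alert.timestamp} {alert.host} {alert.rule}: {alert.evidence}")
    print("hosts with multiple stages:", hosts_with_multiple_stages(found))
```

The per-host correlation is the part worth keeping: each rule on its own fires on routine administration (`vssadmin list shadows` on the backup host is deliberately left unmatched), while several distinct stages on one host within a short window is the pattern the article describes.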
Companies hit by LockBit
Several companies across different sectors and regions have been impacted by the LockBit 3.0 ransomware. Some of the notable victims include:
- Grupo Albanesi: An Argentinian power company, Grupo Albanesi, was targeted by the LockBit 3.0 ransomware. The attackers issued a ransom deadline of 28 February for the company to pay or face their data being published online.
- SRF: This India-based multi-business chemicals manufacturer was also targeted. The attackers issued an ultimatum for SRF to respond by 1 March, after which they threatened to publish all available data.
- CEFCO: An American convenience store chain with 200 branches throughout the states of Texas, Alabama, Mississippi, Oklahoma, Louisiana, and Florida, CEFCO was issued a ransom deadline of 22 February 2023.
The history of LockBit
The legacy of LockBit began unfolding in 2019, when it first emerged as a formidable force in the world of ransomware. Its debut was marked by speed: it encrypted files on target systems swiftly while leaving minimal footprints. Its hallmark was the ability to spread automatically within a network without manual control, which increased its attack efficiency.
From its inception, LockBit was designed to avoid detection by system defenses, and it did so remarkably well. Its evasion techniques included frequent updates to its encryption algorithms, which rendered traditional defense mechanisms ineffective.
The evolution of LockBit didn’t stop there. LockBit 2.0, which surfaced in mid-2020, raised the bar further. It introduced a double extortion mechanism: victims’ data was not only encrypted but also threatened with publication if the ransom wasn’t paid. This significantly amplified the pressure on victims to comply with the ransom demand.
Furthermore, LockBit 2.0 brought a greater level of customization and autonomy to its affiliates. It allowed them to tailor the ransomware’s operations to target specific systems or exploit certain vulnerabilities, granting them the flexibility to adapt their attack strategy based on the victim’s defenses.
Now, with the advent of LockBit 3.0, the legacy of LockBit persists, presenting more refined, advanced, and elusive threats.