LockBit 2.0 Ransomware Detection: Infamous Threat Resurfaces with New Attack Techniques and Encryption Methods

February 10, 2022 · 4 min read

LockBit operators are accelerating rapidly. The gang has been on cybersecurity professionals’ radar since 2019 and revamped its operation with the launch of LockBit ransomware version 2.0 in June 2021. On February 07, 2022, the Federal Bureau of Investigation (FBI) released indicators of compromise (IOCs), warning about LockBit 2.0 ransomware attacks. The available data suggest that the current campaign is characterized by quick data exfiltration followed by the exposure of the stolen sensitive information.

LockBit 2.0 Upgrade

Since summer 2021, the LockBit group has been actively recruiting new affiliates. The recruitment drive paid off: the number of organizations hit by the LockBit gang has grown steadily, with victims falling to new and more efficient attack techniques and extortion methods. Victims include organizations of all sizes, among them Fortune 500 companies, universities, and healthcare facilities. The latest update lets affiliates automatically encrypt devices across Windows domains by abusing Active Directory group policies. In August 2021, LockBit 2.0 also began advertising for insiders who could provide initial access to companies’ networks, promising a share of the proceeds from a successful attack.

LockBit 2.0 Kill Chain

LockBit 2.0 is run as an affiliate-based Ransomware-as-a-Service (RaaS). Because affiliates bring their own diverse tactics, techniques, and procedures (TTPs), no single set of defense and mitigation best practices reliably covers every intrusion. Adversaries gain a foothold through exploitation of unpatched vulnerabilities, insider access, and zero-day exploits. LockBit operators are also known to purchase access to targets already compromised by third-party actors through phishing and brute-forced RDP accounts.

Once a network is breached, affiliates use custom and publicly available tools such as Mimikatz to steal the victim’s authentication credentials. LockBit 2.0 then checks the system and user language settings and only targets hosts whose language does not match a list of Eastern European languages; if it detects one of those languages on the device, it does not proceed with infection, which points to the origin of its maintainers. LockBit 2.0 deletes log files and shadow copies, collects system information, and encrypts all data on local and remote drives except for files required for core system functions. After encryption completes, the self-propagating malware deletes itself from the disk. A ransom note is left in every affected directory, detailing how to obtain the decryption software from the operators and threatening to publish the stolen sensitive information on the gang’s leak site unless the ransom is paid.

The LockBit 2.0 operators have also developed a Linux-based variant that takes advantage of vulnerabilities within VMware ESXi virtual machines.

LockBit 2.0 Malware Detection

The new generation of LockBit 2.0 is rapidly gaining traction, putting a lot of strain on industries worldwide. To protect against this growing threat, you can download a set of Sigma rules released by our skilled Threat Bounty developers Nattatorn Chuensangarun and Kaan Yeniyol:

LockBit 2.0 Ransomware Force GPO Policy (via process_creation)

Detect LockBit 2.0 Ransomware via Registry

LockBit 2.0 Ransomware Named Pipe

The complete list of Threat Detection Marketplace content devoted to LockBit attack detection is available here.
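The process_creation rule above fires on the behavior described in the kill chain: a forced, domain-wide group policy refresh used to push the encryptor, plus the deletion of shadow copies and log files that precedes encryption. The following is an added example, not SOC Prime’s rule content or LockBit code: a minimal Sigma-style matcher (field modifiers `contains`, `contains|all`, `endswith`, `startswith`, case-insensitive like Sigma) run over constructed Sysmon Event ID 1 records. The specific command lines (a PowerShell `Invoke-GPUpdate -force` loop, `vssadmin delete shadows`, `wevtutil cl`) are assumptions about what such a rule would key on, not indicators taken from this page; tune them against your own telemetry before deploying.

```python
"""Minimal Sigma-style matcher over constructed process_creation events.

Added example (not from the page or the Threat Bounty rules). The sample
events and rule strings are assumptions chosen to illustrate the three
behaviors the article describes: forced GPO refresh, shadow copy deletion
and event log clearing.
"""
from typing import Any

# Constructed Sysmon Event ID 1 records, not real telemetry.
SAMPLE_EVENTS = [
    {   # forced policy refresh pushed to every computer in the domain (assumed pattern)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -Command "Get-ADComputer -filter * -Searchbase '
                       "'DC=corp,DC=local' | foreach { Invoke-GPUpdate -computer $_.name "
                       '-force -RandomDelayInMinutes 0 }"',
        "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
    },
    {   # shadow copy deletion ahead of encryption
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": "vssadmin.exe delete shadows /all /quiet",
        "ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
    },
    {   # log clearing
        "Image": r"C:\Windows\System32\wevtutil.exe",
        "CommandLine": "wevtutil.exe cl Security",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: admin refreshing policy on the local host only
        "Image": r"C:\Windows\System32\gpupdate.exe",
        "CommandLine": "gpupdate.exe /target:computer",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: backup job enumerating shadow copies
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": "vssadmin.exe list shadows",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]

# Rule bodies use Sigma's "field|modifier" keys; every selection key must match,
# and any matching entry in "filters" suppresses the hit.
RULES: dict[str, dict[str, Any]] = {
    "Forced domain-wide GPO update via PowerShell": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains|all": ["Invoke-GPUpdate", "-force"],
        },
    },
    "Shadow copy deletion": {
        "selection": {
            "Image|endswith": ["\\vssadmin.exe", "\\wmic.exe"],
            "CommandLine|contains": ["delete shadows", "shadowcopy delete"],
        },
    },
    "Windows event log cleared": {
        "selection": {
            "Image|endswith": "\\wevtutil.exe",
            "CommandLine|contains": [" cl ", " clear-log "],
        },
    },
}


def _match_field(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier[|all]' entry against an event (case-insensitive)."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    candidates = [str(c).lower() for c in candidates]
    if "contains" in mods:
        tests = [c in value for c in candidates]
    elif "endswith" in mods:
        tests = [value.endswith(c) for c in candidates]
    elif "startswith" in mods:
        tests = [value.startswith(c) for c in candidates]
    else:
        tests = [value == c for c in candidates]
    return all(tests) if "all" in mods else any(tests)


def rule_matches(event: dict[str, Any], rule: dict[str, Any]) -> bool:
    """True when every selection key matches and no filter block matches."""
    if not all(_match_field(event, k, v) for k, v in rule["selection"].items()):
        return False
    return not any(
        all(_match_field(event, k, v) for k, v in filt.items())
        for filt in rule.get("filters", [])
    )


def run_rules(events: list[dict[str, Any]], rules: dict[str, dict[str, Any]] = RULES) -> list[tuple[int, str]]:
    """Return (event index, rule title) for each hit, in event order."""
    return [(i, title) for i, ev in enumerate(events)
            for title, rule in rules.items() if rule_matches(ev, rule)]


if __name__ == "__main__":
    for idx, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {title} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The two benign records show why the string choices matter: a local `gpupdate` and a `vssadmin list shadows` produce no hits, while the remote forced refresh, the `/all /quiet` deletion and the log clear each match exactly one rule. In production, add a `filters` block for known administrative parents (a patch-management agent, for example) rather than loosening the selection strings.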

Also, we recommend you inspect the Industry Guidelines: Defending Against Ransomware Attacks provided by Vlad Garaschenko, CISO at SOC Prime. These guidelines cover best practices for ransomware defense and provide a deep-dive overview of ransomware stats, major trends, and the Tactics, Techniques, and Procedures (TTPs) applied by major ransomware gangs.

To stay one step ahead of ransomware actors, you can additionally download a dedicated Ransomware Detection pack of rules from SOC Prime that aggregates 35+ detections to spot such nefarious samples as Ryuk, DoppelPaymer, Conti, LockBit, Avaddon, and more. All rules are mapped directly to the MITRE ATT&CK® framework and enriched with the corresponding threat context and intelligence.

Sign up for free at SOC Prime’s Detection as Code platform to streamline your SOC operations with best practices and shared expertise. Eager to craft your own detection content and participate in threat hunting initiatives? Tap into the power of the global cybersecurity community and monetize your input.

