Despite being a relatively new player in the cyber threat arena, LockiBit ransomware quickly earned the fame of a prolific and dangerous malware strain. During 2020-2021, LockBit was consistently included in the list of the most active and notorious malicious samples. To achieve this, LockBit maintainers leverage Ransomware-as-a-Service (RaaS) model to involve more affiliates and proceed with attacks. Furthermore, they apply a double extortion practice to put additional pressure on victims and increase the chances to get the ransom paid.
Initially, LockBit ransomware emerged in 2019 as “ABCD” virus. Such moniker occurred due to the file extension added to all encrypted files. Since then, the malware significantly evolved its malicious arsenal and changed the extension to .lockbit. Currently, LockBit is actively advertised on the underground forums, acquiring new members to its RaaS program. In 2020, researchers estimated $75,000 earned by LockBit sellers via an affiliate program.
According to the analysis from Coveware, LockBit concentrates its efforts on mid-size to large enterprises as well as government entities. Yet, ransomware maintainers have their own “moral code” and avoid targeting organizations related to health care, labor unions, and education. Moreover, LockBit terminates its activity in case the targeted machine’s IP address locates in the Commonwealth of Independent States. The reason for this might be the origin of the developer, who claims to live in the Siberian region of Russia, according to the interview with the Cisco Talos team. Furthermore, statistics show very high rates of paid data recovery accompanied by the short time of recovery. That means that malware operators tend to follow their commitments, which is claimed to be an important part of the LockBit business model.
Nevertheless, there is no honor among thieves, and LockBit increasingly targets major enterprises for profits. The main focus is IT firms operating in the US and Europe. Ransomware operators successfully apply the double extortion practice, stealing sensitive data before encryption. To encourage victims to pay the ransom, LockBit maintainers regularly post data dumps alongside information about the latest attacks on a dedicated website. Prominent media are also involved to make noise about the victimized company and drive the attention of its business partners to the incident.
Coveware states that as of May 2021, the average ransom payment for LockBit victims is $57,600. However, it usually correlates with the scope and scale of the targeted company and might be much bigger.
LockBit uses a variety of sophisticated methods to proceed with the infection process. Notably, it is a self-spreading malware strain that requires only a couple of hours inside the network to propagate across it encrypting all accessible assets. Normally attackers spend days or weeks investigating the targeted company. LockBit instead relies on automation and takes advantage of the lightning-speed intrusion. Furthermore, the malware proceeds with reconnaissance during the encryption phase to cause maximum damage.
To get initial access to the environment, LockBit usually relies on phishing emails. Also, known vulnerabilities and RDP servers are commonly used for infection. Further, the ransomware enters the reconnaissance stage, using such tools as Mimikatz, PowerShell, and Cobal Strike for research and lateral movement. SMB, ARP tables, and PowerShell are used for propagation. Finally, LockBit executes in memory, typically with a Windows Management Instrumentation (WMI) command, and starts encryption. Immediately after, a ransom note is dropped in several folders on the host.
To prevent possible infections and protect company infrastructure from this notorious threat, you can download a set of Sigma and YARA rules released by our Threat Bounty developers in Threat Detection Marketplace.
Detection of LockBit Ransomware
Ransomware Payload Detection (LockBit)
The full list of Threat Detection Marketplace content devoted to LockBit attack detection is available here.
Subscribe to Threat Detection Marketplace, an industry-leading Content-as-a-Service (CaaS) platform that powers complete CI/CD workflow for threat detection by providing qualified, cross-vendor, and cross-tool SOC content. Eager to craft your own detection content and participate in threat hunting initiatives? Join our Threat Bounty Program and get rewarded for your input!