
What is the LockBit Ransomware?


Key Takeaways

  • Ransomware remains the primary IT security threat facing organisations, impacting 66% of mid-sized companies in 2021 and racking up an average ransom payment of US$812,360.
  • LockBit is the most active ransomware so far in 2022 and continues to evolve into a more powerful, intrusive, evasive, and destructive variant.
  • LockBit gains network entry through a) phishing emails; b) known vulnerabilities of some cybersecurity software; and, c) valid but compromised user accounts provided by malicious insiders, sold on the black market, or hacked via brute-force methods.
  • The Australian Cyber Security Centre (ACSC) has observed an increase in LockBit attacks in the country, issuing a warning to local businesses and a guideline on how to mitigate impact.
  • Countermeasures include IT security awareness training to shield human vectors (anti-phishing mindset, strong passwords, etc.), multi-factor authentication, best practices on updating and patching especially for antivirus software, smarter data backup systems, adequate cyber insurance, and regular penetration and vulnerability tests.

“Vicious and sophisticated”. That is how cybersecurity experts describe LockBit, a relatively new breed of ransomware that has already attempted to infiltrate several thousand companies since its launch in 2019. Leaving a trail of chaos in more than 850 victims as announced on its own data leak site, LockBit has accounted for nearly half of all ransom-related data breaches for the year so far, becoming the most prevalent ransomware month after month in 2022 according to both Malwarebytes’ Threat Intelligence Team and Palo Alto Networks’ Unit 42.

Based on its attack history, LockBit appears to gobble up whatever plump targets appear in its crosshairs, with a growing victim list that includes a French hospital, a Thai airline, a Brazilian bank, a Canadian town, a British railway, an American digital security company, Italy’s tax office, and the world’s largest electronics technology manufacturer.

From being a relative unknown when it first waded into the black-hat economy, the LockBit operation has now become one of the most lucrative businesses in the world of ransomware.

It’s also among the most innovative and market-savvy.

First known simply as the “abcd virus,” LockBit has metastasised over the years into a far more powerful variant: LockBit 3.0 or LockBit Black. On top of its automatic data encryption and exfiltration capabilities, LockBit Black has demonstrated the ability to also bypass some antimalware solutions such as Windows Defender, replicate itself across a network, and obfuscate traces of its crime to prevent forensic security analysts from reverse-engineering its code. Adopting the triple extortion tactic, LockBit operators 1) demand a hefty ransom for a decryption key that will unlock the victim’s encrypted data; 2) intimidate unresponsive victims with threats of humiliating data leaks unless the ransom is paid; and, 3) escalate negotiations via the prospect of a crippling DDoS (distributed denial of service) attack, if the victim still remains uncooperative.

Technically advanced, the minds behind LockBit also show a fair degree of entrepreneurship. The LockBit operation has recently launched a brand new logo (with a US$1,000 offer to anyone who inks it as a tattoo); deployed chat support to make life more convenient for its “customers” [read: victims]; recruited fresh talent to run and spruce up its online assets; introduced novel methods of ransom payment (e.g., Zcash); enhanced the loot management dashboard for affiliates; and even rolled out its own bug bounty program (with offers ranging from US$1,000 to US$1,000,000) just like any respectable Fortune 500 company would. To top it all off, LockBit owners appear to have also embraced a twisted form of corporate responsibility: prohibiting affiliates of its ransomware-as-a-service operation from using encryption on targets such as hospitals because the decryption process can potentially corrupt life-critical data. Stealing such data via the less harmful method of exfiltration is permitted.

So yes, business is good for LockBit.

Any cash-rich business anywhere is fair game for the LockBit team and their affiliates, who have left a trail of cybercrime virtually all over the planet (except in Syria and CIS-member states). Unfortunately for organisations in Australia, we ranked fourth (with more than a thousand attempts) among the most frequently attacked countries after the US, India, and Brazil for the six-month period ending in January 2022. As early as August 2021, the Australian Cyber Security Centre had already noted a surge in reported LockBit attacks, prompting the agency to issue a warning for local businesses, a threat profile on LockBit, and a guideline on how to mitigate your company’s risks.

What is LockBit?

LockBit refers to a ransomware variant and the criminal operation behind it. First detected in September 2019, LockBit has evolved dramatically in terms of its stand-alone capabilities, support infrastructure, and adopted practices. Unlike other ransomware, much of LockBit’s process runs via self-piloted scripts that require very little human intervention. Once a single host gets manually breached by a criminal affiliate or operator, the rest of the process runs in fully automatic mode: from network surveillance and payload replication to data encryption and exfiltration.

To facilitate a breach, LockBit can bypass some IT security processes, evade a number of malware detection solutions, and erase traces of its movements to undermine forensic analyses. It can then automatically encrypt (convert into an incomprehensible/unusable format) and exfiltrate (transfer/copy from one device or location to another) the target entity’s data. Once a victim’s data has been encrypted and exfiltrated, LockBit operators would then proceed to extort ransom money from the victim, payable in cryptocurrency.

LockBit operates under the ransomware-as-a-service (RaaS) model, wherein its owners/developers maintain a platform on the dark web from which third parties – called affiliates – can acquire the “license” to use the ransomware toolkit and related services in exchange for a fee. Said affiliates – who are expected to perform pretty much all the grunt work and heavy lifting – can then attempt to scout the market, breach the networks of target companies, inject the LockBit malware, and extort money from victims. Affiliates take home the bulk of ransom payments (reportedly up to 75%), while LockBit’s owners are entitled to a portion of every ransom payment made.

LockBit has undergone multiple iterations and has been called the ABCD ransomware (also, .abcd virus), LockBit, LockBit 2.0, and LockBit 3.0 (also, LockBit Black). In 2021 and so far in 2022, LockBit has been the most dominant ransomware in terms of the number of attack attempts and the number of successful data breaches.

Who is behind LockBit?

As with many other ransomware gangs, the identities and exact number of members behind the LockBit operation are difficult to establish with absolute certainty. What can be reasonably inferred from LockBit’s infection chain is that the ransomware is programmed to avoid companies domiciled in, or owned or run by, entities who speak the languages of CIS-member countries as well as Syria (in the case of LockBit 3.0).

This inference is based on the malware’s built-in check for verifying the default language of a target machine’s user interface (UI). This check is persistently and automatically performed by the LockBit payload every time it gets injected into a device. If the check yields a positive, the program terminates the infection process, exhibiting the ransomware gang’s airtight aversion to targeting such organisations. Unsurprisingly, no attacks have been reported from any nation in LockBit’s geographic/linguistic whitelist. (Note: The Commonwealth of Independent States (CIS) is a Russia-led grouping of former Soviet republics while Syria is a close Russian ally that hosts Moscow’s only naval base in the Mediterranean.)

Nonetheless, LockBit operators remain adamant in renouncing any political ties to Russia, with its affiliate portal declaring “We are located in the Netherlands, completely apolitical and only interested in money.” In a highly publicised row with Conti, a rival ransomware gang that pledged allegiance to Russia at the onset of its invasion of Ukraine, LockBit released a statement in February 2022 declaring its neutrality:

“For us, it is just business and we are all apolitical … We are only interested in money for our harmless and useful work.”

And even while LockBit belongs to a broad family of ransomware that is markedly designed for Russian hackers and active on Russian-speaking underground forums on the dark web, its operators insist on LockBit being apolitical:

“Our community consists of many nationalities of the world, most of our pentesters are from the CIS including Russians and Ukrainians, but we also have Americans, Englishmen, Chinese, French, Arabs, Jews, and many others in our team … Our servers are located in the Netherlands and the Seychelles, we are all simple and peaceful people, we are all Earthlings.”

In June 2022, LockBit operators released a statement distancing the ransomware from Evil Corp (also known as Dridex and INDRIK SPIDER). Evil Corp is a hacking group with alleged ties to the Russian intelligence community that has been sanctioned by the U.S., prohibiting companies from making any transaction with the entity, including ransom payments:

“Our group has nothing to do with Evil Corp. We are real underground darknet hackers, we have nothing to do with politics or special services like FSB, FBI and so on.”

Previously in the same month, American cybersecurity firm Mandiant published a report that linked LockBit to Evil Corp, prompting the former to retaliate by falsely claiming that it has successfully breached Mandiant’s systems.

In September 2022, a reportedly disgruntled LockBit programmer leaked a ransomware builder for the LockBit 3.0 encryptor, which technically allows any threat actor to run their very own ransomware operation. While the leak undermines the exclusive control of LockBit owners over their toolkits and cybercrime business (particularly their share of the ransom payments), it also exposes businesses around the world to a potentially larger group of independent ransomware operators. 

Which companies have been victimised by LockBit?

On its underground website, LockBit publishes the identity and the hacked data of targeted organisations that refuse to negotiate or pay the ransom. So far, LockBit bragged about attacking more than 12,000 companies, of which more than 850 have been allegedly breached with some level of success.

Accenture, Entrust, and Mandiant all appear on LockBit’s victim list, yet each painted a far less dramatic picture of the ransomware’s supposed exploits against their respective corporate data.

In August 2021, Accenture confirmed the breach but said it immediately detected and contained the attack, restored encrypted data from backups, and ignored LockBit’s ransom demands. The global consulting firm also added that “none of the information [encrypted] were of a highly sensitive nature,” and that there was “no impact on Accenture’s operations, or on our clients’ systems.”

Similarly, Entrust acknowledged that LockBit did indeed breach its network and steal data, but did not elaborate further. LockBit disclosed the ransom negotiations and started leaking the allegedly stolen data, but its underground leak site was crippled for an entire day by a vicious DDoS attack that the ransomware gang attributed to Entrust or a surrogate.

Meanwhile, Google subsidiary Mandiant denied LockBit’s claim that it successfully hacked the cybersecurity firm in retaliation for Mandiant’s June 2022 report that linked LockBit to the US-sanctioned cybercriminal group Evil Corp. Reportedly, Mandiant conducted internal investigations and found no evidence of a breach.

While the foregoing enterprises appeared to have stood their ground against LockBit, other organisations were not as prepared or fortunate. According to the PRODAFT threat intelligence report published in mid-2021, the LockBit RaaS platform has successfully infected thousands of devices around the world, with enterprises accounting for the vast majority of victims. Ransom payments clock in at a calculated average of around US$85,000.

Here are some organisations that have confirmed LockBit-orchestrated data breaches, suffered operational disruptions, and incurred significant damages as a result:

  1. Bangkok Airways. Aug 2021. Bangkok Airways apologizes for passport info breach as LockBit ransomware group threatens data leak.
  2. Bridgestone Americas Inc. March 2022. LockBit ransomware gang claimed to have hacked Bridgestone Americas, one of the largest manufacturers of tires.
  3. Undisclosed regional U.S. government agency. Detected/Reported April 2022. LockBit ransomware gang lurked in a U.S. gov network for months.
  4. Foxconn (Hon Hai Technology Group). May 2022. Foxconn confirms ransomware attack disrupted operations at Mexico factory.
  5. L’Agenzia delle Entrate (The Revenue Agency). July 2022. LockBit ransomware gang claims attack on Italian tax office.
  6. St. Mary’s (Ontario) municipal government. July 2022. LockBit Ramps Up Attacks on Public Sector.
  7. Centre Hospitalier Sud Francilien (CHSF). August 2022. French hospital hit by $10M ransomware attack, sends patients elsewhere.
  8. Sunshine Coast Regional District (British Columbia). September 2022. B.C. regional government acknowledges cyber attack.
  9. Advanced. October 14. Advanced: Healthcare data was stolen in LockBit 3.0 attack.
  10. Omiya Kasei. October 17. Japanese tech firm Omiya hit by LockBit 3.0. Multiple supply chains potentially impacted.

Some key findings from Trend Micro’s Ransomware Spotlight report published in February 2022:

  • LockBit has been detected around the world.
  • North America, followed by Asia Pacific and Europe, are the most targeted regions, with the U.S., India, Brazil, and Australia constituting the most attacked countries.
  • The ransomware avoided CIS-member states.
  • LockBit attacked organisations indiscriminately, regardless of their line of business. In order of frequency, the industries that incurred the largest number of attack attempts per machine were the healthcare, education, technology, and financial sectors. On the other hand, the most impacted industries in terms of the number of data breach victims are the financial, professional services, industrial, and legal sectors.
  • Small to medium-sized businesses (SMBs) accounted for around 80% of victims, with large enterprises making up the remainder. An updated report published in May 2022 revealed an even higher share (86%) of SMBs in LockBit’s victim profile.

How does LockBit operate?

Ransomware-as-a-Service (RaaS)

The LockBit operation adopts the RaaS business model. Offered on the underground market, this model “licenses” the use of the LockBit toolkit, affiliate dashboard, and related services to third-party operators (called affiliates) in exchange for a fee. To facilitate the operation, LockBit owners maintain an online RaaS panel/dashboard for their criminal affiliates. Among other functionalities, this panel can be used to 1) create an executable ransomware payload; 2) generate a decryptor program when ransom payments are made; 3) facilitate payments in cryptocurrency; 4) monitor target statistics; and 5) establish chat communications with victims.

The LockBit RaaS operation is known to conduct aggressive R&D as well as marketing campaigns. Prominent among such campaigns are a first-of-a-kind bug bounty program, enhanced payment mechanisms, and upgraded iterations of LockBit’s core build since its launch in 2019. Known for actively recruiting both talented hackers and insiders from targeted companies, LockBit has been ranked among the most “professional” groups in the world of cybercrime.

Main LockBit Attack Processes

Depending on the ransomware version, a typical LockBit attack may use the following steps:

  1. Target Selection
  2. Network Breach
  3. Network Surveillance, Escalation, and Evasion
  4. Ransomware Infection/Propagation
  5. Data Exfiltration and Encryption
  6. Ransom Declaration/Ultimatum
  7. Ransom Negotiation/Resolution

Target Selection

Like other ransomware operators, LockBit owners prefer targets that have the financial capability to pay ransom. And while LockBit appears to attack organisations indiscriminately, the ransomware notably avoided CIS-member states and victimised a much higher number of small- to medium-sized businesses (SMBs) compared to large enterprises.

Network Breach

To infiltrate a target network, LockBit uses different techniques including a) the purchase of already compromised networks from underground “access brokers”; b) offering hefty rewards to willing insiders in the target company; and, c) exploiting software vulnerabilities and unpatched bugs. LockBit affiliates are also known to use d) common phishing tactics; e) mass vulnerability scanning; f) credential stuffing; and, g) brute force assaults on poorly configured network systems.

Surveillance, Escalation, and Evasion

Upon gaining access to a single host, LockBit is programmed to run on auto mode and will probe the network to detect and infect other accessible devices and undermine key elements such as network-attached storage (NAS) devices, backup servers, antimalware applications, and domain controllers. To do so, LockBit typically uses tools that are native to or whitelisted by the target system, making it more difficult for many cybersecurity solutions to discover malicious activity. In addition, LockBit can clear event/activity logs, hiding its tracks from most forensic analyses.

Compromised endpoints such as a user’s computer that has been accessed via phishing emails can be used to remotely surveil the network. A misconfigured service such as a publicly open RDP (remote desktop protocol) port will also enable threat actors to conduct malicious reconnaissance across the target’s IT infrastructure.

Infection/Propagation

Security analysts have noted LockBit’s ability to self-propagate as a unique feature among different families and strains of ransomware.

In the absence of correct network settings and adequate security protocols, LockBit can perform a complete system probe in just a matter of days. Once it gains a foothold, the ransomware will proceed to escalate access privileges, automatically spread the infection, and set up the system to facilitate the release of LockBit’s exfiltration/encryption payload.

To achieve a system-ready status for payload release, LockBit will disable security programs and cripple the network resources that help enable unassisted (i.e., ransomless) data recovery.

Data Exfiltration and Encryption

Upon achieving system-ready status, LockBit will unload and unleash its data exfiltration and encryption payload (i.e., StealBit), which its developers claim is the fastest encryption program on the dark web. The ransomware will then determine whether data in the breached system is valuable to the targeted company and worth stealing.

Typically only data deemed sensitive and critical are exfiltrated and uploaded to servers/cloud accounts controlled by the threat actors. However, LockBit 3.0 has the ability to encrypt and exfiltrate all the data in an infected device.

Ransom Declaration/Ultimatum

Once the target’s data has been exfiltrated and encrypted, and their backups deleted, LockBit will programmatically perform several tasks that will clearly alert the victim that a malicious entity has gained complete control over their sensitive data.

As reported in previously cited studies, LockBit will change all infected devices’ wallpapers to signify an active cyber attack. It will also create a readable “Restore-My-Files.txt” document (now reportedly formatted as “[id].README.txt” for LockBit 3.0) and/or an HTML page that explains the victim’s predicament and describes how the target company can recover their encrypted data. In some cases, LockBit has been known to have commandeered networked printers to continuously print the ransom notice until paper runs out.

Typically, the ransom notice states the process for and the cost of acquiring the unique decryptor key that will allow the victim to recover their data. The notice also highlights the set deadline within which the targeted company can comply with the affiliate’s ransom demands. Finally, the notice warns victims not to hire cybersecurity companies to take remedial/retaliatory actions nor to use third-party solutions that will corrupt encrypted data.
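Two of the artefacts described above (the ransom note file names, and event logs being cleared to frustrate forensics) are things a defender can alert on. The detection logic below is an added example, not code from the original article or from any vendor; it runs over a handful of constructed Windows events, and the shape of the `[id]` prefix in the LockBit 3.0 note name is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Ransom note names named in the article: "Restore-My-Files.txt" and
# "[id].README.txt". The exact form of [id] is not given, so the pattern
# assumes an alphanumeric token of at least six characters (assumption).
RANSOM_NOTE_RE = re.compile(
    r"(?:^|[\\/])(?:Restore-My-Files\.txt|[A-Za-z0-9]{6,}\.README\.txt)$",
    re.IGNORECASE,
)

# Standard Windows event IDs for a cleared log: 1102 (Security log) and
# 104 (System or Application log, written by the Event Log service).
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104), ("Application", 104)}
SYSMON_FILE_CREATE = ("Sysmon", 11)  # Sysmon FileCreate


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def classify(event):
    """Return the Alert a single event triggers, or None if it is benign."""
    key = (event.get("source"), event.get("event_id"))
    if key in LOG_CLEARED_IDS:
        return Alert(event["host"], "event_log_cleared",
                     f"{event['source']} log cleared by {event.get('user', '?')}")
    if key == SYSMON_FILE_CREATE and RANSOM_NOTE_RE.search(event.get("target", "")):
        return Alert(event["host"], "ransom_note_dropped",
                     f"{event['target']} written by {event.get('image', '?')}")
    return None


def detect(events):
    """Apply the per-event rules, then correlate per host: a host that both
    drops a ransom note and clears a log matches the chain the article
    describes and gets one extra 'lockbit_chain' alert."""
    alerts = [a for a in map(classify, events) if a is not None]
    rules_by_host = defaultdict(set)
    for alert in alerts:
        rules_by_host[alert.host].add(alert.rule)
    for host, rules in sorted(rules_by_host.items()):
        if {"event_log_cleared", "ransom_note_dropped"} <= rules:
            alerts.append(Alert(host, "lockbit_chain",
                                "ransom note plus log clearing on same host"))
    return alerts


# Constructed sample telemetry (hosts, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "ws-12", "source": "Sysmon", "event_id": 11,
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\lb.exe",
     "target": "C:\\Users\\jdoe\\Documents\\Restore-My-Files.txt"},
    {"host": "ws-12", "source": "Sysmon", "event_id": 11,
     "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\jdoe\\Documents\\notes.txt"},
    {"host": "fs-01", "source": "Security", "event_id": 1102, "user": "CORP\\svc-backup"},
    {"host": "fs-01", "source": "System", "event_id": 104, "user": "CORP\\svc-backup"},
    {"host": "fs-01", "source": "Sysmon", "event_id": 11,
     "image": "C:\\Windows\\Temp\\x.exe",
     "target": "D:\\shares\\finance\\A1B2C3D4E.README.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

In a real deployment the event dicts would come from a SIEM or Sysmon forwarder rather than the inline list, and the log-cleared rule should be tuned to exclude scheduled log rotation by known service accounts.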

Adopting the double extortion tactic, LockBit operators will threaten to punish/shame victims who ignore the ransom deadlines by leaking sensitive information to the public, reminding victims of the massive regulatory penalties data-holding organisations face just for a little more emphasis.

With the ransomware now operating as LockBit 3.0 and having adopted a triple-extortion strategy, prospective targets can expect the threat of a DDoS and other types of damaging attacks to be part of the ransom negotiations (i.e., intimidation tactics).

Ransom Negotiation/Resolution

Once informed of the ransom demands, victims are left to decide which route to take: pay the ransom or ignore the deadline.

Many security experts advise against paying the ransom or acceding to any demand because there is no guarantee that a victim will not be hacked again (80% of companies who pay ransoms experience at least a second attack soon after); that the decrypted data will be 100% uncorrupted; or that the stolen data won’t be sold on the black market anyway. Cyber criminals are simply criminals who are good at tech, and therefore deserve as little trust as any street burglar who pilfers grocery items just for fun.

If the target organisation chooses non-compliance, LockBit operators often punctuate the attack with massive data leaks, selling off the most sensitive data on the black market. With LockBit 3.0, further malignant actions such as DDoS can be expected.

On the other hand, many businesses (such as JBS SA whose Australian and North American subsidiaries were attacked by REvil/Sodinokibi ransomware operators) might still choose to pay the ransom, rather than suffer prolonged outages and other serious business disruptions.

LockBit victims who prefer this route would need to visit the LockBit portal on the dark web and communicate – via online chat – with the specific affiliate who orchestrated the data breach. LockBit owners implement a “trial decrypt” feature on the portal to convince victims that they can indeed recover stolen/encrypted data. To use this feature, victims can select one encrypted file they want to unlock and the platform will return the decrypted data. To push through with the ransom payment, victims would need to make transactions in Bitcoin, Monero, or Zcash (a hard-to-trace privacy coin).

How do you fight LockBit?

While the LockBit strain has some unique features, businesses can fight it the way they would other ransomware variants. And while cyber crime is nearly impossible to eradicate, there are ways for your organisation to bring its attack frequency and impact to a minimum. Here are some ways to do that:

  1. Start with human vectors, which represent the weakest link in an IT system.
    • Require all your people to use strong passwords. Quite a number of breaches can be attributed to simple, easy-to-guess passwords that malicious algorithms and human actors can discover through persistent trial and error.
    • Get your staff prepared against all sorts of phishing attacks.
    • Keep their vigilance sharp with regular IT security awareness training.
    • Implement a multifactor authentication (MFA) policy across your network. This will help plug the security gaps between nodes in your network, especially amid the rise in RDP-enabled ransomware attacks.
    • Use biometrics and physical key authenticators whenever possible as additional layers of protection for your IT system.
    • Audit, refresh, and strengthen all valid user accounts, especially those with administrative privileges. Remove unused or outdated accounts.
  2. Audit, correct, and strengthen all your network and system configurations. Some attacks exploit misconfigured firewalls and VPNs to orchestrate a successful breach. Implement a zero-trust architecture that will make it difficult for malware and threat actors to linger and move across your network. Make it virtually impossible for any unauthorised entity to access valuable IT assets.
  3. Practice due diligence when it comes to software updates and patches. Keep operating systems, antivirus software, and business applications always up-to-date.
  4. Adopt best practices for your data backup and recovery system. Analysts have hailed smart back-up practices for being among the most effective countermeasures against ransomware, and the top method for restoring encrypted data.
  5. Continuously upgrade your security posture with comprehensive and adequate protection, including MDR (managed detection and response), EDR (endpoint detection and response), XDR (extended detection and response), and SIEM (security information and event management) solutions.
  6. Acquire an adequate cyber insurance coverage for your business.
  7. Regularly conduct vulnerability and penetration tests to objectively assess your security posture and make proactive improvements.
  8. Have a well-planned response protocol for data breach incidents. This will help manage the situation better and prevent panic-induced decisions. When breached, promptly notify mandated institutions and law enforcement agencies. Then focus on and fortify the system weaknesses that have been exploited by the attacker. Become better prepared for the next wave of cyber crime.

Final Takeaways

Based on what’s happening on the ground for the last three quarters, security analysts are already tagging LockBit as a strong contender in the race for the “nastiest malware” of 2022.

But this is not about LockBit alone. Already, other notorious criminal gangs such as Evil Corp are reportedly using the LockBit toolkit to extort money from breached targets around the world. And with the unexpected leak of the ransomware builder for LockBit 3.0, even more threat actors can now wield the power of LockBit to victimise unwitting companies.

Businesses like yours are also running a different race. Whatever you call it – cyber resilience or IT security – now is not the time to drag your feet and be left behind.


Primary sources used in this article:

  1. The State of Ransomware 2022. Sophos.
  2. CRA Ransomware Study: Invest Now or Pay Later. CyberRisk Alliance.
  3. 2022 State of the Threat: Ransomware is still hitting companies hard. TechRepublic.
  4. Ransomware Spotlight: LockBit. Trend Micro Research.
  5. Threat Analysis Report: LockBit 2.0 – All Paths Lead to Ransom. Cybereason.
