CISA Alert AA23-075A: The Latest LockBit Ransomware Variant - LockBit 3.0

This blog was updated on June 15th, 2023 after the release of CISA Alert AA23-165A.

On March 16th, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on LockBit 3.0 ransomware from the notorious Ransomware-as-a-Service (RaaS) gang LockBit [1]. Since LockBit employs the RaaS model, their affiliates target organizations from a wide range of industries and countries. 

Picus Threat Library already had attack simulations for LockBit 3.0 ransomware. In this blog, we explain tactics, techniques, and procedures used by the LockBit ransomware group and how you can assess your security posture against LockBit ransomware attacks.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

LockBit Ransomware Group

LockBit ransomware group is one of the most prolific threat groups in the ransomware scene. They were first observed in September 2019 and have developed multiple ransomware variants since then. 

LockBit group is a financially motivated ransomware group that employs trending ransomware business models such as Ransomware-as-a-Service (RaaS), double extortion, and Initial Access Brokers (IABs). The use of these business models leads to a significant increase in the number of affiliated threat actors. The threat actors do not have any particular pattern for their targets. The LockBit attacks are spread to nearly all industries as they are financially motivated, opportunistic attacks. It is estimated that LockBit is responsible for nearly 40% of all ransomware infections worldwide.

What Is LockBit 3.0 Ransomware?

LockBit ransomware developers first released their original ransomware sample in September 2019. Back then, it was named ABCD ransomware. In 2020, they launched their RaaS affiliate program and leak site with the adoption of RaaS and double extortion models. Since then, the ransomware gang has developed several ransomware variants and expanded their operations. Due to a large number of affiliated threat actors, LockBit tools and infrastructure were observed in major ransomware attacks against large organizations such as Accenture, Continental, Foxconn, and many others.

Table 1: Timeline of LockBit operations

LockBit 3.0, also known as LockBit Black, was first seen in June 2022, and it is more modular and evasive than its predecessors. This new variant can be configured with different options at the time of compilation and execution of the payload. In addition to this modular approach, the ransomware payload remains encrypted until execution which makes malware analysis and detection highly difficult.

Example 1: LockBit Black Ransomware Attacks by Countries [2] 

Emergence of LockBit Green

After the release of LockBit Black, the LockBit group announced a bug bounty program to address the vulnerabilities found in the ransomware. While the bounty program was the first in the RaaS scene, it caused strife within the ransomware group, and some developers leaked the source code of LockBit 3.0 in September 2022. Several ransomware groups created their own ransomware variants using the leaked source code.

In January 2023, LockBit released its latest ransomware variant named LockBit Green. This new variant incorporates source code from the infamous Conti ransomware and shares significant similarities with Conti v3.

TTPs Used by LockBit 3.0

Tactic: Initial Access 

T1078 Valid Accounts

LockBit ransomware threat actors utilize valid accounts to gain initial access to their targets' environment. These valid accounts are sometimes acquired from Initial Access Brokers (IABs). Valid accounts are also used for establishing persistence in the victims' networks.

T1133 External Remote Services

Adversaries exploit remote desktop services to gain access to their targets' network. In some attacks, attackers use brute force into VPN and RDP services.

T1189 Drive-by Compromise & T1566 Phishing

LockBit threat actors trick their victims into downloading and executing a malicious zip file that contains SocGholish malware. The malware then deploys a Cobalt Strike beacon for persistent access for attackers. SocGholish malware is also used for system and domain information discovery.

Example 2: Commands executed by SocGholish malware [3]

T1190 Exploit Public Facing Applications

LockBit-affiliated threat actors exploit various vulnerabilities found in public-facing applications such as Microsoft Exchange servers, Fortigate SSL VPN, F5 BIG-IP, ESXi servers, and Microsoft IIS servers. Most of these exploited vulnerabilities are known, and related patches are available. Organizations are advised to patch their vulnerable services or apply workarounds as soon as possible.

Tactic: Execution

T1072 Software Deployment Tools

LockBit ransomware group uses an open-source package installer called Chocolatey to avoid detection when installing and executing malicious payloads.

Tactic: Persistence & Privilege Escalation

T1547 Boot or Logon Autostart Execution

Adversaries change the registry below to establish persistence and elevate privileges.

Tactic: Defense Evasion

T1027 Obfuscated Files or Information

To avoid detection, LockBit encrypts host and bot information before sending it to its command and control servers.

T1070.004 Indicator Removal: File Deletion

After successfully completing the attack, LockBit 3.0 ransomware deletes itself from the infected host to hinder malware analysis.

T1480.001 Execution Guardrails: Environmental Keying

In some cases, the LockBit group shares the ransomware payload in an encrypted format with its affiliates. Without the decryption key, the payload cannot be executed by attackers or analyzed by defenders. This technique is also used to avoid signature-based detection.

Tactic: Credential Access

T1003.001 OS Credential Dumping: LSASS Memory

LockBit threat actors use ProDump, a Microsoft SysInternals tool, to dump the contents of LSASS memory. The extracted LSASS memory is then used to harvest credentials.

Tactic: Discovery

T1046 Network Service Discovery & T1082 System Information Discovery

LockBit ransomware threat actors use a publicly available network scanner named SoftPerfect Network Scanner. This tool collects information about hostnames, network services, and remote access protocols in their victims' networks.

T1614.001 System Location Discovery: System Language Discovery

LockBit ransomware checks the language settings of the infected host. If the detected language is in the exclusion list, the payload does not encrypt the victims' files. For example, LockBit 3.0 variant does not encrypt files if the language setting is "Arabic (Syria)", "Romanian (Moldova)", and "Tatar (Russia)".

Tactic: Lateral Movement

T1021.001 Remote Services: Remote Desktop Protocol

Adversaries use a remote desktop software called Splashtop to easily move between hosts in the victims' network.

Tactic: Command and Control

T1071.002 Application Layer Protocol: File Transfer Protocols

LockBit threat actors use a popular file transfer tool called FileZilla to transfer files between compromised hosts and attackers' C2 servers.

T1572 Protocol Tunnel

Adversaries use PuTTY Link (Plink) to automate SSH actions on the victims' hosts. This technique also helps adversaries avoid being detected.

Tactic: Exfiltration

T1567 Exfiltration Over Web Service

LockBit threat actors use popular file-sharing services such as MEGA to exfiltrate their victims' sensitive data using rclone, an open-source cloud storage manager.

Tactic: Impact

T1485 Data Destruction & T1490 Inhibit System Recovery

LockBit deletes log files, files in the recycle bin folder, and volume shadow copies after encrypting the victims' files. These actions significantly hinder the forensic and recovery efforts of security teams.

T1486 Data Impact for Encryption

LockBit ransomware uses a hybrid encryption approach with AES and RSA encryption algorithms. 

How Picus Helps Simulate LockBit Ransomware Attacks?

We also strongly suggest simulating LockBit ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware, such as Zeppelin, Royal, and Maui, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for LockBit ransomware: 

Moreover, Picus Threat Library contains 300+ threats containing 3000+ web application and vulnerability exploitation attacks in addition to 1500+ endpoint, 8000+ malware, email and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address LockBit ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for LockBit ransomware:

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trial  of Picus The Complete Security Validation Platform.

References

[1] "#StopRansomware: LockBit 3.0," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a. [Accessed: Mar. 17, 2023]

[2] "LockBit ransomware - what you need to know." [Online]. Available: https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need-know. [Accessed: Mar. 17, 2023]

[3] "Back in Black: Unlocking a LockBit 3.0 Ransomware Attack," NCC Group Research, Aug. 19, 2022. [Online]. Available: https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/. [Accessed: Mar. 17, 2023]