CISA Alert AA23-075A: The Latest LockBit Ransomware Variant - LockBit 3.0


This blog was updated on June 15th, 2023 after the release of CISA Alert AA23-165A.

On March 16th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on LockBit 3.0 ransomware from the notorious Ransomware-as-a-Service (RaaS) gang LockBit [1]. Because LockBit operates under the RaaS model, its affiliates target organizations across a wide range of industries and countries.

Picus Threat Library already had attack simulations for LockBit 3.0 ransomware. In this blog, we explain tactics, techniques, and procedures used by the LockBit ransomware group and how you can assess your security posture against LockBit ransomware attacks.


LockBit Ransomware Group

LockBit ransomware group is one of the most prolific threat groups in the ransomware scene. They were first observed in September 2019 and have developed multiple ransomware variants since then. 

LockBit group is a financially motivated ransomware group that employs trending ransomware business models such as Ransomware-as-a-Service (RaaS), double extortion, and Initial Access Brokers (IABs). The use of these business models leads to a significant increase in the number of affiliated threat actors. The threat actors do not have any particular pattern for their targets. The LockBit attacks are spread to nearly all industries as they are financially motivated, opportunistic attacks. It is estimated that LockBit is responsible for nearly 40% of all ransomware infections worldwide.

What Is LockBit 3.0 Ransomware?

LockBit ransomware developers first released their original ransomware sample in September 2019. Back then, it was named ABCD ransomware. In 2020, they launched their RaaS affiliate program and leak site with the adoption of RaaS and double extortion models. Since then, the ransomware gang has developed several ransomware variants and expanded their operations. Due to a large number of affiliated threat actors, LockBit tools and infrastructure were observed in major ransomware attacks against large organizations such as Accenture, Continental, Foxconn, and many others.

Date           | Event
---------------|---------------------------------------------------------------------------
September 2019 | Release of ABCD ransomware, the first ransomware variant developed by LockBit
January 2020   | Start of LockBit RaaS affiliate program
September 2020 | Creation of the LockBit leak site
June 2021      | Release of LockBit 2.0, also known as LockBit Red; release of StealBit data exfiltration tool
October 2021   | Release of LockBit Linux-ESXi Locker v1.0
March 2022     | Release of LockBit 3.0, also known as LockBit Black
September 2022 | LockBit 3.0 builder leaked and several non-affiliated LockBit variants emerged
January 2023   | Release of LockBit Green

Table 1: Timeline of LockBit operations

LockBit 3.0, also known as LockBit Black, was first seen in June 2022, and it is more modular and evasive than its predecessors. This new variant can be configured with different options at the time of compilation and execution of the payload. In addition to this modular approach, the ransomware payload remains encrypted until execution which makes malware analysis and detection highly difficult.

[Figure] Example 1: LockBit Black Ransomware Attacks by Countries [2]

Emergence of LockBit Green

After the release of LockBit Black, the LockBit group announced a bug bounty program to address the vulnerabilities found in the ransomware. While the bounty program was the first in the RaaS scene, it caused strife within the ransomware group, and some developers leaked the source code of LockBit 3.0 in September 2022. Several ransomware groups created their own ransomware variants using the leaked source code.

In January 2023, LockBit released its latest ransomware variant named LockBit Green. This new variant incorporates source code from the infamous Conti ransomware and shares significant similarities with Conti v3.

TTPs Used by LockBit 3.0

Tactic: Initial Access 

T1078 Valid Accounts

LockBit ransomware threat actors utilize valid accounts to gain initial access to their targets' environment. These valid accounts are sometimes acquired from Initial Access Brokers (IABs). Valid accounts are also used for establishing persistence in the victims' networks.

T1133 External Remote Services

Adversaries exploit exposed remote desktop services to gain access to their targets' network. In some attacks, they brute-force credentials for VPN and RDP services.

T1189 Drive-by Compromise & T1566 Phishing

LockBit threat actors trick their victims into downloading and executing a malicious zip file that contains SocGholish malware. The malware then deploys a Cobalt Strike beacon to give the attackers persistent access. SocGholish is also used for system and domain information discovery.

powershell /c nltest /dclist: ; nltest /domain_trusts ; cmdkey /list ; net group 'Domain Admins' /domain ; net group 'Enterprise Admins' /domain ; net localgroup Administrators /domain ; net localgroup Administrators ;
powershell /c Get-WmiObject win32_service -ComputerName localhost | Where-Object {$_.PathName -notmatch 'c:\\win'} | select Name, DisplayName, State, PathName | findstr 'Running' 

Example 2: Commands executed by SocGholish malware [3]
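The discovery commands in Example 2 are a good detection opportunity: individually, nltest, cmdkey and net group are ordinary admin tools, but a single parent process running several of them within seconds is the pattern described above. The following is an added example (not code from the original post or the NCC Group report) that scores constructed Sysmon-style process-creation records against those commands. The hostnames, PIDs, timestamps and the threshold of three distinct categories in a two-minute window are all assumptions chosen for illustration.

```python
"""Flag the SocGholish-style discovery burst quoted in Example 2 above.

Added example, not code from the original post or the NCC Group report.
Scores constructed process-creation records (Sysmon Event ID 1 style fields,
all invented here) against the nltest/cmdkey/net commands the page attributes
to SocGholish, and alerts when one parent process launches several distinct
discovery commands within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per discovery category seen in the quoted command line.
DISCOVERY_PATTERNS = {
    "domain_controllers": re.compile(r"nltest(\.exe)?\s+/dclist", re.I),
    "domain_trusts":      re.compile(r"nltest(\.exe)?\s+/domain_trusts", re.I),
    "cached_credentials": re.compile(r"cmdkey(\.exe)?\s+/list", re.I),
    "privileged_groups":  re.compile(
        r"net1?(\.exe)?\s+(local)?group\s+['\"]?"
        r"(domain admins|enterprise admins|administrators)", re.I),
    "service_inventory":  re.compile(r"get-wmiobject\s+win32_service", re.I),
}

# Constructed sample telemetry: hosts, PIDs and times are made up.
# The first five records model powershell.exe (PID 4412) spawning each command
# from Example 2 as a child process; the last one is a lone benign lookup.
SAMPLE_EVENTS = [
    {"time": "2023-03-16T10:02:11", "host": "WS-017", "parent_pid": 4412,
     "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /dclist:"},
    {"time": "2023-03-16T10:02:11", "host": "WS-017", "parent_pid": 4412,
     "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /domain_trusts"},
    {"time": "2023-03-16T10:02:12", "host": "WS-017", "parent_pid": 4412,
     "image": r"C:\Windows\System32\cmdkey.exe", "cmd": "cmdkey /list"},
    {"time": "2023-03-16T10:02:12", "host": "WS-017", "parent_pid": 4412,
     "image": r"C:\Windows\System32\net.exe", "cmd": "net group 'Domain Admins' /domain"},
    {"time": "2023-03-16T10:02:13", "host": "WS-017", "parent_pid": 4412,
     "image": r"C:\Windows\System32\net.exe", "cmd": "net localgroup Administrators"},
    {"time": "2023-03-16T11:40:05", "host": "WS-022", "parent_pid": 900,
     "image": r"C:\Windows\System32\net.exe", "cmd": "net localgroup Administrators"},
]


def classify(cmd):
    """Return the set of discovery categories a command line matches.

    Works both for separate child processes and for the single chained
    'powershell /c nltest ... ; cmdkey ... ; net group ...' line from Example 2.
    """
    return {name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmd)}


def find_discovery_bursts(events, window_seconds=120, min_categories=3):
    """Return (host, parent_pid, sorted categories) for each parent process that
    spawned at least min_categories distinct discovery categories within the window."""
    by_parent = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmd"])
        if cats:
            key = (ev["host"], ev["parent_pid"])
            by_parent[key].append((datetime.fromisoformat(ev["time"]), cats))

    alerts = []
    for (host, ppid), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        # Slide a window over the time-ordered hits; one alert per parent process.
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, cats in hits[i:]:
                if t - t0 > timedelta(seconds=window_seconds):
                    break
                seen |= cats
            if len(seen) >= min_categories:
                alerts.append((host, ppid, sorted(seen)))
                break
    return alerts


if __name__ == "__main__":
    for host, ppid, cats in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{host}: parent PID {ppid} ran discovery commands: {', '.join(cats)}")
```

Grouping by parent process rather than by host keeps a one-off `net localgroup Administrators` from a help-desk session out of the alert while still catching the chained enumeration, whether it arrives as one long `powershell /c` line or as five separate child processes.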

T1190 Exploit Public-Facing Application

LockBit-affiliated threat actors exploit various vulnerabilities found in public-facing applications such as Microsoft Exchange servers, Fortigate SSL VPN, F5 BIG-IP, ESXi servers, and Microsoft IIS servers. Most of these exploited vulnerabilities are known, and related patches are available. Organizations are advised to patch their vulnerable services or apply workarounds as soon as possible.

Tactic: Execution

T1072 Software Deployment Tools

LockBit ransomware group uses an open-source package installer called Chocolatey to avoid detection when installing and executing malicious payloads.

Tactic: Persistence & Privilege Escalation

T1547 Boot or Logon Autostart Execution

Adversaries set the registry values below to establish persistence and elevate privileges. With AutoAdminLogon enabled, Windows signs in the configured account automatically at boot.

Registry Key                                        | Value             | Data
----------------------------------------------------|-------------------|--------------
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | AutoAdminLogon    | 1
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | DefaultUserName   | <username>
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | DefaultDomainName | <domain_name>
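Because these three values only become a persistence mechanism in combination, a useful check rebuilds the Winlogon state per host from registry-write telemetry and flags the combination rather than each write. The following is an added example (not from the original post) that does this over constructed Sysmon Event ID 13 (RegistryEvent: value set) records. The hostnames, process images and values are invented; the record layout (TargetObject path, Details data) follows Sysmon's, and DefaultPassword is included as an extra watched value because Windows reads it together with AutoAdminLogon, although it is not in the table above.

```python
"""Audit Winlogon automatic-logon changes (the T1547 persistence described above).

Added example, not from the original post. Rebuilds the Winlogon values per host
from constructed Sysmon Event ID 13 records and reports hosts where
AutoAdminLogon is enabled together with a DefaultUserName, which is the
configuration in the table above. Hosts, processes and values are invented.
"""
import re

# Matches any value under the Winlogon key, regardless of hive prefix (HKLM\...).
WINLOGON_VALUE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?P<value>[^\\]+)$", re.I)

# Values from the page's table, plus DefaultPassword (assumption: not in the
# page's table, but it is the value Windows pairs with AutoAdminLogon).
WATCHED_VALUES = ("AutoAdminLogon", "DefaultUserName", "DefaultDomainName", "DefaultPassword")

# Constructed Sysmon Event ID 13 style records (made-up hosts and data).
SAMPLE_EVENTS = [
    {"host": "SRV-03", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "details": "1"},
    {"host": "SRV-03", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName",
     "details": "svc_backup"},
    {"host": "SRV-03", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName",
     "details": "CORP"},
    # Benign: autologon explicitly turned off on a kiosk machine.
    {"host": "WS-10", "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "details": "0"},
    # Unrelated Winlogon value; must be ignored by the audit.
    {"host": "WS-10", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": "explorer.exe"},
]


def parse_winlogon_event(event):
    """Return (canonical value name, data) if the record sets a watched Winlogon value."""
    m = WINLOGON_VALUE.search(event["target"])
    if not m:
        return None
    name = m.group("value")
    for watched in WATCHED_VALUES:
        if name.lower() == watched.lower():   # registry value names are case-insensitive
            return watched, event["details"]
    return None


def autologon_enabled(values):
    """True for the persistence configuration in the table: AutoAdminLogon=1 plus a user name."""
    return values.get("AutoAdminLogon", "0").strip() == "1" and bool(values.get("DefaultUserName"))


def audit_winlogon_events(events):
    """Rebuild per-host Winlogon state from value-set records and return
    (host, sorted writing processes, values) for every host with autologon enabled."""
    state = {}
    for ev in events:
        parsed = parse_winlogon_event(ev)
        if parsed is None:
            continue
        name, data = parsed
        host_state = state.setdefault(ev["host"], {"values": {}, "images": set()})
        host_state["values"][name] = data          # later writes overwrite earlier ones
        host_state["images"].add(ev["image"])

    findings = []
    for host, st in sorted(state.items()):
        if autologon_enabled(st["values"]):
            findings.append((host, sorted(st["images"]), dict(st["values"])))
    return findings


if __name__ == "__main__":
    for host, images, values in audit_winlogon_events(SAMPLE_EVENTS):
        print(f"{host}: autologon enabled for {values.get('DefaultUserName')} "
              f"(written by {', '.join(images)})")
```

The same `autologon_enabled` check can be run against a live snapshot of the key (for example the output of `reg query`) on hosts without registry telemetry; the event-driven form additionally records which process made the change, which is what an investigator wants when triaging a hit.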

Tactic: Defense Evasion

T1027 Obfuscated Files or Information

To avoid detection, LockBit encrypts host and bot information before sending it to its command and control servers.

T1070.004 Indicator Removal: File Deletion

After successfully completing the attack, LockBit 3.0 ransomware deletes itself from the infected host to hinder malware analysis.

T1480.001 Execution Guardrails: Environmental Keying

In some cases, the LockBit group shares the ransomware payload in an encrypted format with its affiliates. Without the decryption key, the payload cannot be executed by attackers or analyzed by defenders. This technique is also used to avoid signature-based detection.

Tactic: Credential Access

T1003.001 OS Credential Dumping: LSASS Memory

LockBit threat actors use ProcDump, a Microsoft Sysinternals tool, to dump the contents of LSASS memory. The extracted LSASS memory dump is then used to harvest credentials.

Tactic: Discovery

T1046 Network Service Discovery & T1082 System Information Discovery

LockBit ransomware threat actors use a publicly available network scanner named SoftPerfect Network Scanner. This tool collects information about hostnames, network services, and remote access protocols in their victims' networks.

T1614.001 System Location Discovery: System Language Discovery

LockBit ransomware checks the language settings of the infected host. If the detected language is on the exclusion list, the payload does not encrypt the victim's files. For example, the LockBit 3.0 variant does not encrypt files if the language setting is "Arabic (Syria)", "Romanian (Moldova)", or "Tatar (Russia)".

Tactic: Lateral Movement

T1021.001 Remote Services: Remote Desktop Protocol

Adversaries use a remote desktop software called Splashtop to easily move between hosts in the victims' network.

Tactic: Command and Control

T1071.002 Application Layer Protocol: File Transfer Protocols

LockBit threat actors use a popular file transfer tool called FileZilla to transfer files between compromised hosts and attackers' C2 servers.

T1572 Protocol Tunneling

Adversaries use PuTTY Link (Plink) to automate SSH actions on the victims' hosts. This technique also helps adversaries avoid being detected.

Tactic: Exfiltration

T1567 Exfiltration Over Web Service

LockBit threat actors use popular file-sharing services such as MEGA to exfiltrate their victims' sensitive data using rclone, an open-source cloud storage manager.

Tactic: Impact

T1485 Data Destruction & T1490 Inhibit System Recovery

LockBit deletes log files, files in the recycle bin folder, and volume shadow copies after encrypting the victims' files. These actions significantly hinder the forensic and recovery efforts of security teams.

T1486 Data Encrypted for Impact

LockBit ransomware uses a hybrid encryption approach with AES and RSA encryption algorithms. 

How Picus Helps Simulate LockBit Ransomware Attacks

We strongly suggest simulating LockBit ransomware attacks with The Picus Complete Security Validation Platform to test the effectiveness of your security controls against ransomware. You can also test your defenses against hundreds of other ransomware families, such as Zeppelin, Royal, and Maui, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for LockBit ransomware:

Threat ID | Threat Name                                   | Attack Module
----------|-----------------------------------------------|-----------------------------
74169     | LockBit Green Ransomware Download Threat      | Network Infiltration
43227     | LockBit Green Ransomware Email Threat         | Email Infiltration (Phishing)
76668     | LockBit 3.0 Malware Downloader Download Threat | Network Infiltration
30789     | LockBit 3.0 Malware Downloader Email Threat   | Email Infiltration (Phishing)
24168     | LockBit 3.0 Ransomware Download Threat        | Network Infiltration
71275     | LockBit 3.0 Ransomware Email Threat           | Email Infiltration (Phishing)
42142     | LockBit 2.0 Ransomware Email Threat           | Email Infiltration (Phishing)
56526     | LockBit 2.0 Ransomware Download Threat        | Network Infiltration
59891     | LockBit Ransomware Email Threat               | Email Infiltration (Phishing)
55537     | LockBit Ransomware Download Threat            | Network Infiltration

Moreover, as of today the Picus Threat Library contains 300+ threats covering 3000+ web application and vulnerability exploitation attacks, in addition to 1500+ endpoint threats and 8000+ malware, email, and data exfiltration threats.

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address LockBit and other ransomware attacks in preventive security controls. Picus Labs has validated the following signatures for LockBit ransomware:

Security Control | Signature ID | Signature Name
-----------------|--------------|---------------------------------------------------------------
Check Point NGFW | 85259031     | Malicious Binary.TC.a9a1gtaF
Check Point NGFW | 0DF8EAD47    | Ransomware.Win32.LockBit.TC.4595IgpB
Check Point NGFW | 0B9B5200F    | Ransomware.Win32.LockBit.TC.ad
Check Point NGFW | 0A9203C66    | Trojan-Ransom.Win32.Encoder.ndg.TC.468eHzih
Check Point NGFW | 0E8314685    | Trojan.Win32.Generic.Win32.Generic.TC.fac8lKAS
Check Point NGFW | 0974D1461    | Ransomware.Win32.LockBit.TC.ac72xYUR
Check Point NGFW | 08A63F7F6    | UDS:Trojan-Ransom.Win32.Generic.TC.ddcbnxCE
Check Point NGFW | 0F78C125A    | Trojan.Win32.Generic.Win32.Generic.TC.53caLqjh
Check Point NGFW | 0D3183045    | Trojan-Ransom.Win32.Encoder.ndj.TC.9769PdQO
Check Point NGFW | 0A62659F4    | Trojan-Ransom.Win32.Encoder.ney.TC.2f27eHNJ
Check Point NGFW | 088F2DF9C    | Trojan-Ransom.Win32.Encoder.nfh.TC.0f7dmjJv
Check Point NGFW | 0E3B25556    | Trojan.Win32.Ransomware.Win32.LockBit.TC.2e8dsGuZ
Check Point NGFW | 0D83B7962    | Trojan.Win32.Ransomware.Win32.LockBit.TC.fbefAOYh
Check Point NGFW | 0B44AC79B    | Trojan.Win32.Ransomware.Win32.LockBit.TC.d0f1pgCM
Check Point NGFW | 0B2A953A5    | Trojan.Win32.Ransomware.Win32.LockBit.TC.23a4LuVq
Check Point NGFW | 0B4088178    | Trojan.Win32.Ransomware.Win32.LockBit.TC.1619pCUl
Check Point NGFW | 0EE101D4F    | Ransomware.Win32.LockBit Green.TC.55ddsbul
Check Point NGFW | 0E9ACE64D    | Ransomware.Win32.LockBit Green.TC.3813mKCF
Cisco FirePower  |              | W32.Auto:baafd4.in03.Talos
Cisco FirePower  |              | W32.80E8DEFA53-95.SBX.TG
Cisco FirePower  | 1.58024.1    | MALWARE-OTHER Win.Ransomware.Lockbit download attempt
Cisco FirePower  | 1.54910.1    | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt
Cisco FirePower  | 1.54911.1    | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt
Cisco FirePower  |              | Win.Ransomware.Lockbit::in03.talos
Cisco FirePower  |              | Auto.FB49B9.261467.in02
Forcepoint NGFW  |              | File_Malware-Blocked
Fortigate AV     | 10113116     | VBA/Agent.F230!tr
Fortigate AV     | 10079067     | NSIS/Injector.AOW!tr
Fortigate AV     | 10123717     | W32/Lockbit.K!tr.ransom
Fortigate AV     | 10042007     | W32/Lockbit.C2F8!tr.ransom
Fortigate AV     | 10093469     | W32/LockBit.2513!tr.ransom
Fortigate AV     | 8138651      | W32/Filecoder.NXQ!tr.ransom
Fortigate AV     | 10089996     | MSIL/GenKryptik.EBMY!tr.ransom
Fortigate AV     | 8183406      | W32/LockBit.29EA!tr.ransom
Fortigate AV     | 10085361     | W64/GenKryptik.FSFZ!tr.ransom
Fortigate AV     | 8273597      | W32/Conti.F!tr.ransom
Fortigate AV     | 62183        | PossibleThreat
McAfee           | 0x40232600   | HTTP: Microsoft Word DOCX Macro Vulnerability
McAfee           | 0x4840c900   | MALWARE: Malicious File Detected by GTI
Palo Alto NGFW   | 543891824    | trojan/Win32.nemesis.hz
Palo Alto NGFW   | 514958735    | Trojan-Ransom/Win32.encoder.xj
Palo Alto NGFW   | 419491650    | trojan/Win32 EXE.encoder.ua
Palo Alto NGFW   | 527143790    | trojan/Win32 EXE.malware.bdkw
Palo Alto NGFW   | 344149788    | trojan/Win32 EXE.filecoder.adu
Palo Alto NGFW   | 334282092    | Malware/Win32.msilinj.dsw
Palo Alto NGFW   | 333569703    | Malware/Win32.msilinj.dsj
Palo Alto NGFW   | 343726995    | Trojan-Ransom/Win32.wanna.xn
Palo Alto NGFW   | 332681025    | ransomware/Win32 EXE.wanna.xj
Palo Alto NGFW   | 573007961    | TrojanDownloader/Win64.bazaarloader.b
Palo Alto NGFW   | 571147349    | Ransom/Win32.conti.cb
Snort            | 1.2019835.2  | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project
Snort            | 1.58024.1    | MALWARE-OTHER Win.Ransomware.Lockbit download attempt
Snort            | 1.54910.1    | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt
Snort            | 1.54911.1    | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of The Picus Complete Security Validation Platform.

References

[1] "#StopRansomware: LockBit 3.0," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a. [Accessed: Mar. 17, 2023]

[2] "LockBit ransomware - what you need to know." [Online]. Available: https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need-know. [Accessed: Mar. 17, 2023]

[3] "Back in Black: Unlocking a LockBit 3.0 Ransomware Attack," NCC Group Research, Aug. 19, 2022. [Online]. Available: https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/. [Accessed: Mar. 17, 2023]