LockBit Ransomware Gang

By Suleyman Ozarslan, PhD   August 22, 2022   Ransomware

LockBit is an infamous ransomware group known for its technically complex and impactful ransomware variants. Formerly known as the ABCD group, LockBit uses the Ransomware-as-a-Service model and bug bounty programs to distribute and improve ransomware. LockBit claims to be the fastest encrypting ransomware in the RaaS market and is used by many affiliated threat actors. LockBit uses the double extortion method to pressure its victims to pay the ransom. Accenture, the French Ministry of Justice, and Bangkok Airways were notable victims of LockBit ransomware attacks.

Metadata

Associated Groups

Aliases - ABCD, Bitwise Spider, Water Selkie
Affiliates - UNC2165

Associated Country

Russia

First Seen

September 2019

Target Sectors

Education, Energy, Financial Services, Government, Healthcare, Legal, Manufacturing, Retail, Technology,Telecommunication, Transportation

Target Countries

United States, Italy, Australia, Brazil, France, India, Mexico, Morocco, Taiwan, United Arab Emirates, United Kingdom

Modus Operandi

Business Models

Ransomware-as-a-service (RaaS)

Double Extortion

Initial Access Brokers (IABs)
Cooperation with other groups (e.g., Maze)

Company Insiders

Criminal Bug Bounty

Extortion Tactics

File Encryption

Data Leakage

Initial Access Methods

Exploit Public-Facing Application

Phishing

Impact Methods

Data Encryption

Data Exfiltration

Exploited Applications and Vulnerabilities by LockBit

Application

Vulnerability

CVV

CVSS

Microsoft Exchange

ProxyShell RCE

CVE-2021-34473

9.8 Critical

Microsoft Exchange

ProxyShell Privilege Escalation

CVE-2021-34523

9.8 Critical

Microsoft Exchange

ProxyShell Security Feature Bypass

CVE-2021-31207

7.2 High

F5 BIG-IP

iControl REST API RCE

CVE-2022-22986

8.8 High

Fortinet FortiGate SSL VPN

Path Traversal

CVE-2018-13379

9.8 Critical

SonicWall SSLVPN

SQL Injection

CVE-2021-20028

9.8 Critical

Utilized Tools and Malware by LockBit

MITRE ATT&CK Tactic

Tools

Execution

PowerShell

PowerShell Empire

PSExec

Windows Task Scheduler

Windows Command Shell

Persistence

Reg.exe

Privilege Execution

UACme

Defence Evasion

GMER

GPEdit.msc

Invoke-GPUpdate

mshta

Process Hacker

wewtutil

Credential Access

Comsvcs.dll Minidump

Hakops Keylogger

Mimikatz

Discovery

ADfind.exe

Advanced Port Scanner

PsGetSi

Lateral Movement

PSExec

Command and Control

AnyDesk 

Metasploit Meterpreter

Exflitration

Mega

StealBit infostealer malware

Impact

LockBit ransomware

Vssadmin

BCDEdit

  • [1]     S. Özarslan, “MITRE ATT&CK T1086 PowerShell.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1086-powershell (accessed Jul. 06, 2022).

  • [2]     “GitHub - EmpireProject/Empire: Empire is a PowerShell and Python post-exploitation agent,” GitHub. https://github.com/EmpireProject/Empire (accessed Jul. 06, 2022).

  • [3]     “PsExec - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (accessed Jul. 06, 2022).

  • [4]     S. Özarslan, “MITRE ATT&CK T1053 Scheduled Task.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-1053-scheduled-task (accessed Jul. 06, 2022).

  • [5]     H. C. Yüceel, “T1059 Command and Scripting Interpreter of the MITRE ATT&CK Framework.” https://www.picussecurity.com/resource/t1059-command-and-scripting-interpreter-of-the-mitre-attck-framework (accessed Jul. 06, 2022).

  • [6]     S. Özarslan, “MITRE ATT&CK T1060 Registry Run Keys / Startup Folder.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1060-registry-run-keys-startup-folder (accessed Jul. 06, 2022).

  • [7]     “GitHub - hfiref0x/UACME: Defeating Windows User Account Control,” GitHub. https://github.com/hfiref0x/UACME (accessed Jul. 06, 2022).

  • [8]       “GMER - Rootkit Detector and Remover.” http://www.gmer.net (accessed Jul. 06, 2022).

  • [9] “Website.” [Online]. Available: https://raw.githubusercontent.com/DISREL/Conti-Leaked-Playbook-TTPs/main/Conti-Leaked-Playbook-TTPs.pdf

  • [10]     JasonGerend, “Invoke-GPUpdate.” https://docs.microsoft.com/en-us/powershell/module/grouppolicy/invoke-gpupdate (accessed Jul. 06, 2022).

  • [11]     H. C. Yüceel, “T1218 Signed Binary Proxy Execution of the MITRE ATT&CK Framework.” https://www.picussecurity.com/resource/t1218-signed-binary-proxy-execution-of-the-mitre-attck-framework (accessed Jul. 06, 2022).

  • [12]     P. Hacker, “Process Hacker.” https://processhacker.sourceforge.io (accessed Jul. 06, 2022).

  • [13]     H. C. Yüceel, “Lockbit 2.0 Ransomware: TTPs Used in Emerging Ransomware Campaigns.” https://www.picussecurity.com/resource/lockbit-2.0-ransomware-ttps-used-in-emerging-ransomware-campaigns (accessed Jul. 06, 2022).

  • [14]       S. Özarslan, “MITRE ATT&CK T1003 Credential Dumping.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping (accessed Jul. 05, 2022).

  • [15]     “HAKOPS Keylogger 16 - 12.04.2018,” TurkHackTeam, Apr. 12, 2018. https://www.turkhackteam.org/konular/hakops-keylogger-16-12-04-2018.1699779/ (accessed Jul. 06, 2022).

  • [16]     “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).

  • [17]     “AdFind.” http://www.joeware.net/freetools/tools/adfind/index.htm (accessed Jul. 06, 2022).

  • [18]     “Advanced Port Scanner – free and fast port scanner.” https://www.advanced-port-scanner.com (accessed Jul. 06, 2022).

  • [19]     “PsGetSid - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid (accessed Jul. 06, 2022).

  • [20]     “The Fast Remote Desktop Application –,” AnyDesk. https://anydesk.com/en (accessed Jul. 06, 2022).

  • [21]     “Metasploit,” Metasploit. https://www.metasploit.com/ (accessed Jul. 06, 2022).

  • [22]     “MEGA.” https://mega.io/ (accessed Jul. 06, 2022).

  • [23]     F. Fkie, “StealBit (Malware Family).” https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit (accessed Jul. 06, 2022).

  • [24]     H. C. Yüceel, “MITRE ATT&CK T1490 Inhibit System Recovery - The Ransomware’s Favorite.” https://www.picussecurity.com/resource/mitre-attck-t1490-inhibit-system-recovery-the-ransomwares-favorite (accessed Jul. 06, 2022).