Lockbit 2.0 Ransomware: TTPs Used in Emerging Ransomware Campaigns

Written by Huseyin Can YUCEEL | Feb 11, 2022 2:14:54 PM

On February 4th, 2022, the FBI issued a flash report on LockBit 2.0 ransomware and its indicators of compromise (IOCs). Although Picus Labs updated the Picus Threat Library with attack simulations for LockBit 2.0 back in August 2021, the increasing number of attacks led us to write this blog post.

Test your security controls against LockBit Ransomware NOW!

LockBit Ransomware Group

The LockBit group is a Ransomware-as-a-Service (RaaS) operator and has been in active operation for nearly 3.5 years. It was formerly known as the ABCD ransomware group. For the last six months, the group has been promoting its latest ransomware, LockBit 2.0. Since then, the threat actors have attacked more than 50 organizations across multiple industries using this ransomware. Lately, the number of developers and threat actors associated with the LockBit group has been rising. As a result, more LockBit 2.0 ransomware attacks can be expected in the near future.

What is LockBit 2.0 Ransomware?

LockBit 2.0 is the latest ransomware released by the LockBit ransomware group, in August 2021. The group's advertisement claims that it is the fastest-encrypting ransomware available. The ransomware operators also modify the ransomware according to each affiliate threat actor's needs.

Figure 1: LockBit 2.0 Advertisement [1]

After execution, LockBit 2.0 encrypts the victim's files and appends the .lockbit extension to them. If the attack completes successfully, LockBit 2.0 changes the desktop wallpaper to inform the victim and places the ransom note Restore-My-Files.txt on the desktop.

Figure 2: Wallpaper of the victim after LockBit 2.0 attack [2]

Technical Details of LockBit 2.0

1. LockBit 2.0 uses encoding for defense evasion

The LockBit 2.0 executable is stored in encoded form; the ransomware decodes the modules and strings it requires only when they are needed. Encoding the executable helps the ransomware evade detection.

2. LockBit 2.0 does not attack systems using certain languages

LockBit 2.0 ransomware checks the system and user language settings. If the language is set to one of the languages listed below, it does not attack the system.

  • Russian 
  • Belarusian
  • Tajik
  • Armenian
  • Azeri-Latin
  • Georgian
  • Kazakh
  • Kyrgyz - Cyrillic
  • Turkmen
  • Uzbek - Latin
  • Russian - Moldova
  • Azeri - Cyrillic
  • Uzbek - Cyrillic

3. LockBit 2.0 damages built-in recovery and logging mechanisms

LockBit 2.0 ransomware deletes volume shadow copies and disables Windows recovery using the commands below, so that the victim cannot recover its data through the built-in recovery services.

Command: cmd.exe /c vssadmin Delete Shadows /All /Quiet
Purpose: Delete volume shadow copies

Command: cmd.exe /c bcdedit /set {default} recoveryenabled No
Purpose: Disable Windows recovery

Command: cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
Purpose: Ignore boot failures

4. LockBit 2.0 deletes itself and log data

LockBit 2.0 ransomware clears the Windows event logs and deletes its own executable so that the victim cannot investigate the attack afterward.

Command: cmd.exe /c wevtutil cl security
Purpose: Clear the Security event log

Command: cmd.exe /c wevtutil cl system
Purpose: Clear the System event log

Command: cmd.exe /c wevtutil cl application
Purpose: Clear the Application event log

Command: cmd.exe /c del /f /q "<PATH>\Lsystem-234-bit.exe"
Purpose: Delete the ransomware executable itself
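The commands in sections 3 and 4 all run through cmd.exe and therefore appear in process-creation telemetry (Windows Security event 4688 or Sysmon event ID 1). The following added example, which is not part of the original post or of the Picus platform, shows detection logic a SOC could run over such command lines: it matches the recovery-inhibition and log-clearing commands listed above, maps each to an ATT&CK technique, and scores a host by how many distinct tampering behaviours it exhibits, since a lone vssadmin call may be routine administration while several of these commands on one host is the ransomware pattern. The event records, the host names, the C:\Users\Public path standing in for <PATH>, and the T1070.001 mapping for log clearing (the post itself lists T1070.004) are assumptions made for the example.

```python
import re

# Constructed sample events (hypothetical; shaped like the command-line field of
# Windows Security 4688 / Sysmon Event ID 1, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": 'cmd.exe /c vssadmin Delete Shadows /All /Quiet'},
    {"host": "WS01", "cmdline": 'cmd.exe /c bcdedit /set {default} recoveryenabled No'},
    {"host": "WS01", "cmdline": 'cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures'},
    {"host": "WS01", "cmdline": 'cmd.exe /c wevtutil cl security'},
    {"host": "WS01", "cmdline": 'cmd.exe /c wevtutil cl system'},
    # C:\Users\Public is an assumed placeholder for the <PATH> in the post.
    {"host": "WS01", "cmdline": 'cmd.exe /c del /f /q "C:\\Users\\Public\\Lsystem-234-bit.exe"'},
    # Benign look-alikes that must NOT fire: listing shadows, querying a log.
    {"host": "WS02", "cmdline": 'cmd.exe /c vssadmin list shadows'},
    {"host": "WS02", "cmdline": 'cmd.exe /c wevtutil qe Application /c:5'},
]

# (ATT&CK technique, behaviour name, pattern). Case-insensitive because cmd.exe is.
RULES = [
    ("T1490", "shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "Windows recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("T1490", "boot failures ignored",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
    # T1070.001 (Clear Windows Event Logs) is the mapping assumed here for wevtutil cl.
    ("T1070.001", "event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
    ("T1070.004", "executable deleted via del",
     re.compile(r"\bdel\b(\s+/[fq])+\s+\S*\.exe\b", re.I)),
]


def detect(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        for technique, behaviour, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "technique": technique,
                                 "behaviour": behaviour, "cmdline": ev["cmdline"]})
    return findings


def score_host(findings, threshold=2):
    """Count DISTINCT tampering behaviours per host and return hosts at or above
    the threshold. One shadow-copy deletion can be legitimate maintenance; several
    different recovery- and log-tampering commands on one host is the pattern
    described in the post and deserves an alert."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["behaviour"])
    return {host: len(behaviours) for host, behaviours in per_host.items()
            if len(behaviours) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]} {h["technique"]:10} {h["behaviour"]:28} {h["cmdline"]}')
    print("hosts to alert on:", score_host(hits))
```

Run against the constructed events, all six WS01 command lines match (five distinct behaviours, because two different logs are cleared), the two benign WS02 commands do not, and only WS01 crosses the alert threshold.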

How Does Picus Help Simulate LockBit 2.0 Ransomware?

Using the Picus Continuous Security Validation Platform, you can test your security controls against LockBit 2.0 ransomware. We advise you to simulate LockBit 2.0 ransomware attacks and determine whether your security controls prevent them. The Picus Threat Library includes the following threat to simulate LockBit 2.0 ransomware variants.

Threat Name: LockBit 2.0 Ransomware .EXE File Download (8 variants)

The Picus Threat Library also includes other ransomware threats of the LockBit RaaS group:

Threat Name: LockBit Ransomware .EXE File Download (5 variants)

MITRE ATT&CK Techniques Used by LockBit 2.0 Ransomware

Initial Access

T1078 Valid Accounts

T1190 Exploit Public-Facing Application

Execution

T1047 Windows Management Instrumentation

T1059 Command and Scripting Interpreter

T1059.003 Windows Command Shell

Persistence 

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Privilege Escalation

T1055 Process Injection

Defense Evasion

T1055 Process Injection

T1070.004 Indicator Removal on Host: File Deletion

T1112 Modify Registry

T1497 Virtualization/Sandbox Evasion

Credential Access

T1056.004 Credential API Hooking

T1110 Brute Force

Discovery

T1012 Query Registry

T1018 Remote System Discovery

T1057 Process Discovery

Lateral Movement

T1021 Remote Services

T1021.001 Remote Services: Remote Desktop Protocol

T1021.002 Remote Services: SMB/Windows Admin Shares

Collection

T1056.004 Credential API Hooking

Command and Control (C2)

T1090.003 Proxy: Multi-hop Proxy

Exfiltration

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Impact

T1486 Data Encrypted for Impact

T1490 Inhibit System Recovery

Indicators of Compromise (IOCs)

Each row below lists the MD5, SHA-1 and SHA-256 hashes of one LockBit 2.0 sample.

MD5: af9ff037caca1f316e7d05db86dbd882
SHA-1: 844e9b219aaecb26de4994a259f822500fb75ae1
SHA-256: f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae

MD5: b7f1120bcff47ab77e74e387805feabe
SHA-1: a185904a46b0cb87d38057fc591a31e6063cdd95
SHA-256: 4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a

MD5: 4d25a9242eac26b2240336fb94d62b1e
SHA-1: c7b2d4a22f788b1b942f993fff33f233dca960ce
SHA-256: f32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202

MD5: 84866fca8a5ceb187bca8e257e4f875a
SHA-1: 038bc02c0997770a1e764d0203303ef8fcad11fb
SHA-256: acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c

MD5: f91095ae0e0632b0f630e0c4eb12ba10
SHA-1: 6c4040f2a76e61c649e1ff4ac564a5951c15d1fa
SHA-256: 717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474

MD5: b0916724ff4118bf213e31cd198c0afd
SHA-1: 12ac32d012e818c78d6db790f6e11838ca75db88
SHA-256: 4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd

MD5: 6fc418ce9b5306b4fd97f815cc9830e5
SHA-1: 95838a8beb04cfe6f1ded5ecbd00bf6cf97cd564
SHA-256: 0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049

MD5: 66b9ccb41b135f302b3143a5d53f4842
SHA-1: 3d532697163e7c33c7c906e8efbb08282d3efd75
SHA-256: d089d57b8b2b32ee9816338e96680127babc5d08a03150740a8459c29ab3ba78
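The hashes above are most useful when they can be checked automatically against files found on a host. The following added example, which is not part of the original post or of any Picus tooling, loads the eight IOC rows into one lookup index keyed by any of the three digests, hashes files in a single pass for all three algorithms, and sweeps a directory tree while skipping unreadable files so a locked file does not abort the scan. The scanned directory and its benign file are constructed inside the example so that it runs offline; the hash values themselves are taken verbatim from the table above.

```python
import hashlib
import os
import tempfile

# IOC rows copied from the post: (MD5, SHA-1, SHA-256) of the same sample per row.
LOCKBIT2_IOCS = [
    ("af9ff037caca1f316e7d05db86dbd882", "844e9b219aaecb26de4994a259f822500fb75ae1",
     "f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae"),
    ("b7f1120bcff47ab77e74e387805feabe", "a185904a46b0cb87d38057fc591a31e6063cdd95",
     "4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a"),
    ("4d25a9242eac26b2240336fb94d62b1e", "c7b2d4a22f788b1b942f993fff33f233dca960ce",
     "f32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202"),
    ("84866fca8a5ceb187bca8e257e4f875a", "038bc02c0997770a1e764d0203303ef8fcad11fb",
     "acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c"),
    ("f91095ae0e0632b0f630e0c4eb12ba10", "6c4040f2a76e61c649e1ff4ac564a5951c15d1fa",
     "717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474"),
    ("b0916724ff4118bf213e31cd198c0afd", "12ac32d012e818c78d6db790f6e11838ca75db88",
     "4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd"),
    ("6fc418ce9b5306b4fd97f815cc9830e5", "95838a8beb04cfe6f1ded5ecbd00bf6cf97cd564",
     "0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049"),
    ("66b9ccb41b135f302b3143a5d53f4842", "3d532697163e7c33c7c906e8efbb08282d3efd75",
     "d089d57b8b2b32ee9816338e96680127babc5d08a03150740a8459c29ab3ba78"),
]

# One index keyed by any digest (lowercase hex), so a feed that only gives
# MD5 or only SHA-256 still resolves to the full row.
IOC_INDEX = {digest.lower(): row for row in LOCKBIT2_IOCS for digest in row}

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def lookup_hash(digest):
    """Return the IOC row for a digest of any of the three algorithms, or None."""
    d = digest.strip().lower()
    if len(d) not in HEX_LENGTHS or any(c not in "0123456789abcdef" for c in d):
        raise ValueError("expected a hex MD5, SHA-1 or SHA-256 digest")
    return IOC_INDEX.get(d)


def hash_file(path):
    """Compute MD5, SHA-1 and SHA-256 in a single read of the file."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def match_file(path):
    """Return the matching IOC row for a file, or None if no digest is listed."""
    for digest in hash_file(path):
        row = IOC_INDEX.get(digest)
        if row:
            return row
    return None


def scan_tree(root):
    """Walk a directory tree; return [(path, ioc_row)] for every file that matches.
    Unreadable or locked files are skipped rather than aborting the whole sweep."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                row = match_file(path)
            except OSError:
                continue
            if row:
                hits.append((path, row))
    return hits


def demo_scan():
    """Scan a constructed temporary directory holding one benign file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"constructed benign content, not a LockBit sample\n")  # constructed
        return scan_tree(d)


if __name__ == "__main__":
    print("matches in demo directory:", demo_scan())
    print("row for first MD5:", lookup_hash("AF9FF037CACA1F316E7D05DB86DBD882"))
```

In practice scan_tree would be pointed at the directories where the dropped executable is expected (the post shows it deleted from a path with a del command), and lookup_hash lets an analyst paste a digest from any other report, in any case, to see whether it belongs to one of these samples.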

References

[1] “LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment,” Security Intelligence, 09-Sep-2021. [Online]. Available: https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/

[2] T. Meskauskas, “LockBit 2.0 Ransomware,” 15-Oct-2021. [Online]. Available: https://www.pcrisk.com/removal-guides/21605-lockbit-2-0-ransomware