LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK
The ransomware group LockBit resurfaced in June with LockBit 2.0, with reports indicating an increased number of targeted companies and the incorporation of double extortion features. Our detections followed attack attempts in Chile, Italy, Taiwan, and the UK from July to August.
The ransomware group LockBit resurfaced in June with LockBit 2.0, with reports indicating an increased number of targeted companies and the incorporation of double extortion features influenced by ransomware families such as Ryuk and Egregor.
In contrast to LockBit’s attacks and features in 2019, this version automatically encrypts devices across Windows domains by abusing Active Directory (AD) group policies, prompting the group behind it to claim that it is one of the fastest ransomware variants in the market today. The group also embeds in its attacks an advertising campaign to recruit new “affiliates” from inside the target companies themselves, seemingly to cut out the middlemen (other threat actor groups) and to enable faster attacks by obtaining valid credentials and access to corporate networks.
From July 1 to Aug. 15, we detected attack attempts involving LockBit 2.0 in Chile, Italy, Taiwan, and the UK. We advise organizations and users to update their systems and enable multilayered defense mechanisms accordingly.
LockBit 2.0 routine and updates
LockBit 2.0 prides itself on having one of the fastest and most efficient encryption methods in today’s ransomware threat landscape. Our analysis shows that, in addition to using a multithreaded approach to encryption, it only partially encrypts each file: just 4 KB of data are encrypted per file.
Like other ransomware-as-a-service (RaaS) operations, LockBit 2.0 looks for affiliates to perform the intrusion and exfiltration on targets. The group behind it also helps affiliates by providing StealBit (detected by Trend Micro as TrojanSpy.Win32.STEALBIT.YXBHM), a tool that can automatically exfiltrate data. Attackers can also access victims’ systems with valid remote desktop protocol (RDP) accounts.
Once in a system, LockBit 2.0 uses a network scanner to identify the network structure and to find the target domain controller. It also uses multiple batch files to terminate processes, stop services, and disable security tools, as well as batch files for enabling RDP connections on the infected machine. The following are the tools and components that ensure LockBit’s smooth execution:
- delsvc.bat (detected by Trend Micro as Trojan.BAT.KILLPROC.D) ensures that crucial processes, such as MySQL and QuickBooks, are unavailable. It also stops Microsoft Exchange and disables other related services.
- AV.bat (detected by Trend Micro as Trojan.BAT.KILLAV.WLDX) uninstalls the antivirus program ESET.
- LogDelete.bat (detected by Trend Micro as PUA.BAT.DHARMA.A) clears Windows Event Logs.
- Defoff.bat (detected by Trend Micro as Trojan.BAT.KILLAV.WLDX) disables Windows Defender features such as real-time monitoring.
Once in the domain controller, the ransomware creates new group policies and pushes them to every device on the network. These policies disable Windows Defender, distribute the ransomware binary to each Windows machine, and execute it.
We found LockBIT_7D68A5BFD028A31F.exe (detected by Trend Micro as Ransom.Win32.LOCKBIT.SMYEBGW) as the main ransomware module that appends .lockbit to every encrypted file. Once LockBit 2.0 completes encrypting a device, it drops a ransom note, Restore-My-Files.txt (detected by Trend Micro as Ransom.Win32.LOCKBIT.SMA.note), into every encrypted directory. The note emphasizes that files are not only encrypted but also at risk of being published if the ransom is not paid.
LockBit 2.0 also changes the desktop wallpaper to an image with instructions on how victims can pay the ransom and how organization insiders can join the “affiliate recruitment” program of the group behind the ransomware. The group guarantees payouts of “millions of dollars” and anonymity in exchange for credentials and access.
Ryuk and Egregor influences
LockBit worked with the Maze ransomware cartel and was previously dubbed the “ABCD” ransomware because of the extension it appended to encrypted files before switching to its current extension. But after Maze’s shutdown, the LockBit group went on with its own leak site, which led to the development of LockBit in September 2019. The previous version showed characteristics of ready-made ransomware using the double extortion techniques of encrypting files, stealing data, and leaking the stolen data when the ransom was not paid. Two years later, LockBit 2.0 shows influences of and similarities to Ryuk and Egregor, particularly with regard to certain notable behaviors:
- Wake-on-LAN feature inspired by Ryuk ransomware, sending the Magic Packet “0xFF 0xFF 0xFF 0xFF 0xFF 0xFF” to wake offline devices.
- Print bombing of the ransom note onto the victim’s network printers, similar to Egregor’s technique of attracting the victim’s attention. It uses Winspool APIs to enumerate and print a document on connected printers.
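The Wake-on-LAN behavior described above gives defenders a network-side signal. As an added example (not part of Trend Micro’s analysis), the Python below parses the standard magic packet format, six 0xFF sync bytes followed by the target MAC repeated 16 times, and flags any source that wakes several distinct hosts in a burst, which is what a staging sweep across a subnet would look like; the IP addresses, MACs and traffic records are constructed for the demo.

```python
from collections import defaultdict
from typing import Optional

# Standard Wake-on-LAN magic packet layout (not specific to LockBit): six 0xFF
# sync bytes, then the target MAC repeated 16 times (102 bytes total), usually
# sent as a UDP broadcast to port 9 or 7, optionally followed by a SecureOn password.
SYNC = b"\xff" * 6
MAC_LEN = 6
REPEATS = 16


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC as aa:bb:cc:dd:ee:ff if payload is a magic packet, else None."""
    if len(payload) < len(SYNC) + MAC_LEN * REPEATS or not payload.startswith(SYNC):
        return None
    body = payload[len(SYNC):len(SYNC) + MAC_LEN * REPEATS]
    mac = body[:MAC_LEN]
    # All 16 copies must be identical; sync bytes followed by other data is not WoL.
    if body != mac * REPEATS:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def flag_wol_sweeps(records, min_targets: int = 3) -> dict:
    """records: iterable of (src_ip, udp_payload). Return {src_ip: sorted MACs} for every
    source that sent magic packets to at least min_targets distinct MACs."""
    targets = defaultdict(set)
    for src, payload in records:
        mac = parse_magic_packet(payload)
        if mac is not None:
            targets[src].add(mac)
    return {src: sorted(macs) for src, macs in targets.items() if len(macs) >= min_targets}


def make_magic_packet(mac: str) -> bytes:
    """Build a well-formed magic packet; used only to construct the sample traffic below."""
    return SYNC + bytes.fromhex(mac.replace(":", "")) * REPEATS


# Constructed sample traffic: a management host waking a single machine (benign)
# and a workstation waking several machines in a row (worth investigating).
SAMPLE = [
    ("10.0.0.5", make_magic_packet("00:11:22:33:44:55")),
    ("10.0.0.77", make_magic_packet("00:11:22:33:44:56")),
    ("10.0.0.77", make_magic_packet("00:11:22:33:44:57")),
    ("10.0.0.77", make_magic_packet("00:11:22:33:44:58")),
    ("10.0.0.77", SYNC + bytes(range(96))),  # sync bytes but not a valid magic packet
]

if __name__ == "__main__":
    print(flag_wol_sweeps(SAMPLE))  # {'10.0.0.77': ['00:11:22:33:44:56', ...]}
```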
The group behind LockBit 2.0 recently conducted a highly publicized attack, so it should go without saying that organizations need to keep a wary eye on this ransomware variant. LockBit 2.0 is especially dangerous because of its fast encryption. We also expect this group to remain active and visible for a long time, especially since it is currently recruiting affiliates and insiders, which makes it more capable of infecting many companies and industries. It would also be wise to assume and prepare for upgrades and further developments in LockBit 2.0, especially now that many companies are aware of its capabilities and how it works.
Given its persistence, speed of propagation, and methods of intrusion, LockBit 2.0 is likely to cause significant damage to its victims, be it financial or reputational. Here are some best practices from the frameworks set by the Center for Internet Security and the National Institute of Standards and Technology that can help organizations prevent and mitigate the impact of attacks involving ransomware like LockBit 2.0:
- Audit and inventory: Take an inventory of all organizational assets and data, and identify authorized and unauthorized devices, software, and personnel accessing particular systems. Audit and monitor all logs of events and incidents to identify unusual patterns and behaviors.
- Configure and monitor: Deliberately manage hardware and software configurations, and only grant administrative privileges and access to specific personnel when absolutely necessary. Monitor the use of network ports, protocols, and services. Implement security configurations on network infrastructure devices such as firewalls and routers, and have a software allow list to prevent malicious applications from being executed.
- Patch and update: Perform periodic vulnerability assessments, and conduct regular patching or virtual patching for operating systems and applications. Ensure that all installed software and applications are updated to their latest versions.
- Protect and recover: Enforce data protection, backup, and recovery measures. Implement multifactor authentication in all devices and platforms used whenever available.
- Secure and defend: Perform sandbox analysis to examine and block malicious emails. Employ the latest version of security solutions to all layers of the system, including email, endpoint, web, and network. Spot early signs of an attack such as the presence of suspicious tools in the system, and enable advanced detection technologies such as those powered with AI and machine learning.
- Train and test: Perform security skills assessment and training for all personnel regularly, and conduct red-team exercises and penetration tests.
Trend Micro solutions
Organizations can benefit from security solutions that encompass a system’s multiple layers (endpoint, email, web, and network) not only for detecting malicious components but also for close monitoring of suspicious behaviors in the network.
Trend Micro™ Vision One™ provides multilayered protection and behavior detection, spotting questionable behaviors that might otherwise seem benign when viewed from only a single layer. For an even closer inspection of endpoints, Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware. This allows detecting and blocking ransomware early on before it can do any real damage to the system.
With techniques such as virtual patching and machine learning, Trend Micro™ Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. It also takes advantage of the latest in global threat intelligence to provide up-to-date, real-time protection.
Ransomware often gets into the system through phishing emails. Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block ransomware before it gets into the system.
Indicators of compromise
MITRE ATT&CK Tactics and Techniques
| Tactic | Technique |
|---|---|
| Initial access | T1078: Valid accounts |
| Defense evasion | T1562.001: Impair defenses: disable or modify tools |
| Persistence, privilege escalation | T1546.008: Event-triggered execution: accessibility features |
| Defense evasion | T1070.001: Indicator removal on host: clear Windows Event Logs |
| Exfiltration | T1041: Exfiltration over C2 channel |
| Impact | T1486: Data encrypted for impact |
| Impact | T1489: Service stop |
| Impact | T1490: Inhibit system recovery |