- Ransomware Spotlight: LockBit
Our investigation into the intrusion set behind LockBit, which we track as Water Selkie, reveals the effectiveness and impact of the tactics we have discussed. The key takeaways are the following:
With LockBit affiliates being likely involved in other RaaS operations, its tactics slipping into those of other ransomware groups isn’t a far-fetched notion. Organizations would therefore benefit from recognizing LockBit’s tactics, techniques, and procedures (TTPs) laid out in the next sections.
In this section, we discuss Trend Micro™ Smart Protection Network™ data, which records detections of LockBit attempts to compromise organizations. LockBit has been detected all over the globe, with the US seeing the most attack attempts from June 2021 to January 20, 2022, followed by India and Brazil. Like many ransomware families, LockBit avoids Commonwealth of Independent States (CIS) countries.
Figure 2. Countries with the highest number of attack attempts per machine for LockBit ransomware (July 1, 2021 to January 20, 2022)
Source: Trend Micro™ Smart Protection Network™ infrastructure
We saw the most LockBit-related detections in the healthcare industry, followed by the education sector. LockBit threat actors have claimed that they do not attack healthcare, educational, and charity institutions. This “contradictory code of ethics” has been noted by the US Department of Health Services (HHS), which warns the public not to rely on such statements, as these tend to dissolve in the face of easy targets.
Figure 3. Industries with the highest number of attack attempts per machine for LockBit ransomware (July 1, 2021 to January 20, 2022)
Source: Trend Micro Smart Protection Network infrastructure
In this section, we examine the number of attacks recorded on LockBit’s leak site, which represents successfully compromised organizations that, as of this writing, have refused to pay the ransom. In our foray into the leak site of LockBit operators from December 16, 2021 to January 15, 2022, we observed that they had the highest number of recorded victims among active ransomware groups at 41, followed by Conti at 29. Do note, however, that LockBit has been accused of artificially inflating the number of its victims.
Looking into the list of their victims, it appears that more than half of the organizations are based in North America, followed by Europe and Asia Pacific.
Figure 5. Regional distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)
LockBit targets organizations indiscriminately: its victims span more sectors than those of other groups. In the abovementioned time period, its victims came from the financial, professional services, manufacturing, and construction sectors, to name a few. The majority of LockBit’s victims have been either small businesses or small and medium-size businesses (SMBs), at 65.9% and 14.6% respectively, with enterprises comprising only 19.5%. That is at odds with a group like Conti, whose victims were 44.8% enterprises and 34.5% SMBs, with small businesses making up only 20.7%.
Figure 6. Sector distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)
In our observation of activity on the LockBit leak site for the same time period, the majority of attacks (approximately 78% of the total) took place on weekdays, while 22% happened on weekends.
Operating as a RaaS, LockBit infection chains show a variety of tactics and tools, depending on the affiliates involved in the attack. Affiliates typically buy access to targets from other threat actors, who in turn obtain it via phishing, exploiting vulnerable applications, or brute-forcing remote desktop protocol (RDP) accounts.
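Of the three initial-access routes just listed, RDP password guessing is the one that leaves the clearest trail in standard Windows telemetry. The following is an added example, not code from the Trend Micro article, showing how a defender can surface it from Security event 4625 (failed logon) and 4624 (successful logon) records with logon type 10 (RemoteInteractive, i.e. RDP). It assumes the events have already been exported as dictionaries with the fields shown; the sample events are constructed for the demonstration.

```python
"""Added example (not code from the Trend Micro article): flag RDP password
guessing from Windows Security event 4625/4624 records, then single out the
sources that went on to log on successfully.

Assumptions: events have already been exported as dicts with the fields shown;
logon type 10 is RemoteInteractive (RDP). The sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def _ev(time, event_id, src_ip, user):
    return {"time": time, "event_id": event_id, "logon_type": RDP_LOGON_TYPE,
            "src_ip": src_ip, "user": user}


# Constructed sample: 203.0.113.7 guesses two accounts six times in three minutes
# and then logs on; 198.51.100.5 is a user who mistyped a password twice.
SAMPLE_EVENTS = [
    _ev("2022-01-10T02:00:05", FAILED_LOGON, "203.0.113.7", "administrator"),
    _ev("2022-01-10T02:00:40", FAILED_LOGON, "203.0.113.7", "administrator"),
    _ev("2022-01-10T02:01:10", FAILED_LOGON, "203.0.113.7", "admin"),
    _ev("2022-01-10T02:01:45", FAILED_LOGON, "203.0.113.7", "admin"),
    _ev("2022-01-10T02:02:20", FAILED_LOGON, "203.0.113.7", "administrator"),
    _ev("2022-01-10T02:02:55", FAILED_LOGON, "203.0.113.7", "administrator"),
    _ev("2022-01-10T02:04:00", SUCCESSFUL_LOGON, "203.0.113.7", "administrator"),
    _ev("2022-01-10T08:15:00", FAILED_LOGON, "198.51.100.5", "jdoe"),
    _ev("2022-01-10T08:15:20", FAILED_LOGON, "198.51.100.5", "jdoe"),
    _ev("2022-01-10T08:15:40", SUCCESSFUL_LOGON, "198.51.100.5", "jdoe"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: summary} for sources whose failed RDP logons reach
    `threshold` inside any sliding `window`; the summary covers the densest window."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            failures[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start, best = 0, 0
        for end in range(len(attempts)):
            # shrink the window from the left until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > best:
                best = count
                alerts[ip] = {
                    "failed_logons": count,
                    "accounts": sorted({u for _, u in attempts[start:end + 1]}),
                    "first_seen": attempts[start][0].isoformat(),
                    "last_seen": attempts[end][0].isoformat(),
                }
    return alerts


def successful_logons_after_guessing(events, alerts):
    """Return {src_ip: [accounts]} for flagged sources that later logged on over
    RDP: the case an analyst must treat as a probable compromise, not noise."""
    hits = defaultdict(list)
    for e in events:
        if e["event_id"] != SUCCESSFUL_LOGON or e["logon_type"] != RDP_LOGON_TYPE:
            continue
        alert = alerts.get(e["src_ip"])
        if alert and datetime.fromisoformat(e["time"]) >= datetime.fromisoformat(alert["last_seen"]):
            hits[e["src_ip"]].append(e["user"])
    return dict(hits)


if __name__ == "__main__":
    found = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for ip, summary in found.items():
        print(f"{ip}: {summary}")
    print("probable compromise:", successful_logons_after_guessing(SAMPLE_EVENTS, found))
```

The threshold and window are deliberately low so the constructed sample trips them; in production they should be tuned against a baseline of the environment's normal failed-logon rate, and the second function is the one worth paging on, since a burst of failures followed by a success from the same source is the signature of a guessed password rather than a locked-out user.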
Here are some of the observed infection flows of LockBit variants:
Figure 7. A LockBit 1.0 campaign that used PowerShell Empire to perform command and control after gaining access to the system
Figure 8. A LockBit 1.0 campaign that used Microsoft RAS to access other systems
Figure 9. A LockBit 1.0 campaign that used Meterpreter to perform command and control after gaining access to the system
Figure 10. A LockBit 1.0 campaign that did not involve any network scanning as it directly deployed the payload after gaining access to the system
Figure 11. LockBit 2.0 infection chain that uses StealBit for automated data exfiltration
Figure 12. LockBit 3.0 infection chain that uses Cobeacon and KillAV
Figure 12. Sample wallpaper used by LockBit
Tactic | Techniques observed
---|---
Initial Access | T1566 - Phishing; T1190 - Exploit public-facing application; T1078 - Valid accounts; T1106 - Execution through API
Execution | T1059 - Command and scripting interpreter; T1204 - User execution
Persistence | T1547 - Boot or logon autostart execution (creates registry run entries)
Privilege Escalation | T1134 - Access token manipulation (uses the AdjustTokenPrivileges API to set the token attribute to SE_PRIVILEGE_ENABLED); T1548 - Abuse elevation control mechanism
Defense Evasion | T1140 - Deobfuscate/decode files or information; T1562 - Impair defenses; T1574 - Hijack execution flow; T1218 - Signed binary proxy execution; T1484 - Domain policy modification; T1070 - Indicator removal on host
Discovery | T1083 - File and directory discovery; T1135 - Network share discovery; T1018 - Remote system discovery; T1057 - Process discovery
Lateral Movement | T1570 - Lateral tool transfer
Exfiltration | T1567 - Exfiltration over web service; T1041 - Exfiltration over C2 channel
Impact | T1486 - Data encrypted for impact; T1489 - Service stop; T1491 - Defacement
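The persistence row above (T1547, registry run entries) is one of the easier techniques in that table to hunt for, because a Sysmon Event ID 13 (registry value set) record captures the writing process, the key, and the command that will autorun. The following is an added example, not code from the Trend Micro article, that triages such records and scores the traits a defender cares about: an autorun pointing into a user-writable directory, a script host or proxy-execution binary in the value, hidden or encoded PowerShell, and a Run key written by a shell rather than an installer. The record layout and the sample events are constructed for the demonstration.

```python
"""Added example (not code from the Trend Micro article): score Run/RunOnce
writes (ATT&CK T1547.001) from Sysmon Event ID 13 records.

Assumptions: records are dicts with the fields shown; samples are constructed."""
import re

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
                        re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Public)\\",
                              re.IGNORECASE)
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32")
SHELL_WRITERS = ("powershell", "cmd.exe", "wscript", "cscript")

# Constructed sample Sysmon 13 records (value written shown in "details").
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Program Files\Vendor\updater.exe /silent"},          # installer, benign
    {"event_id": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"powershell.exe -w hidden -enc SQBFAFgA..."},             # hidden, encoded command
    {"event_id": 13, "image": r"C:\Windows\System32\cmd.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\x",
     "details": r"C:\Users\jdoe\AppData\Local\Temp\loader.exe"},           # autorun from Temp
    {"event_id": 13, "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKCU\Control Panel\Desktop\Wallpaper",
     "details": r"C:\Users\jdoe\Pictures\bg.jpg"},                         # not a Run key
]


def score_run_key_write(event):
    """Return (score, reasons) for one record; (0, []) if it is not a Run/RunOnce write."""
    if event.get("event_id") != 13 or not RUN_KEY_RE.search(event["target_object"]):
        return 0, []
    details = event["details"]
    image = event["image"].lower()
    reasons = []
    if USER_WRITABLE_RE.search(details):
        reasons.append("autorun target lives in a user-writable directory")
    if any(h in details.lower() for h in SCRIPT_HOSTS):
        reasons.append("autorun invokes a script host or proxy-execution binary")
    if re.search(r"-(e|enc|encodedcommand)\b", details, re.IGNORECASE):
        reasons.append("encoded PowerShell command in autorun value")
    if re.search(r"-w(indowstyle)?\s+hidden", details, re.IGNORECASE):
        reasons.append("PowerShell started with a hidden window")
    if any(w in image for w in SHELL_WRITERS):
        reasons.append("Run key written by a shell or script interpreter, not an installer")
    return len(reasons), reasons


def triage(events, min_score=1):
    """Return [(target_object, score, reasons)] for Run-key writes scoring at least
    `min_score`, highest score first. Writes with no suspicious trait are dropped."""
    findings = []
    for e in events:
        score, reasons = score_run_key_write(e)
        if score >= min_score:
            findings.append((e["target_object"], score, reasons))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for key, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {key}")
        for r in reasons:
            print(f"      - {r}")
```

Scoring by independent traits rather than a single signature keeps the check useful when an affiliate changes the binary name or the key: the encoded-command and user-writable-path heuristics each fire on their own, and the legitimate installer write scores zero without an allowlist.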
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in LockBit attacks:
Initial Entry | Execution | Discovery | Lateral Movement | Defense Evasion | Exfiltration |
---|---|---|---|---|---|
As mentioned earlier, we expect LockBit to continue its level of activity, if not increase it, in the coming months. As our discussion shows, LockBit also demonstrates both consistent and versatile operations that adapt to current trends in the threat landscape. Organizations should therefore keep abreast of the latest shifts that could influence their own security measures.
To help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically toward a solid defense against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior could help protect enterprises.
The IOCs for this article can be found here. Actual indicators might vary per attack.