The LockBit intrusion set, tracked by Trend Micro as Water Selkie, has one of the most active ransomware operations today. With LockBit’s strong malware capabilities and affiliate program, organizations should keep abreast of its machinations to effectively spot risks and defend against attacks.
View infographic of "Ransomware Spotlight: LockBit"
(Last update: July 14, 2022) LockBit first emerged as the ABCD ransomware on September 2019, which was improved to become one of the most prolific ransomware families today.
Through their professional operations and strong affiliate program, LockBit operators proved that they were in it for the long haul. Thus, being acquainted with their tactics will help organizations fortify their defenses for current and future ransomware attacks.
One of its notable tactics was the creation and use of the malware StealBit, which automates data exfiltration. This tool was seen with the release of LockBit 2.0, which has been touted by its creators for having the fastest and most efficient encryption among its competition. In October 2021, LockBit also expanded to Linux hosts, specifically ESXi servers, in its release of Linux-ESXI Locker version 1.0. This variant is capable of targeting Linux hosts and could have a big impact on targeted organizations.
Another side of LockBit’s operations is its recruitment of and marketing to affiliates. It has been known to hire network access brokers, cooperate with other criminal groups (such as the now defunct Maze), recruit company insiders, and sponsor underground technical writing contests to recruit talented hackers. Using such tactics, the LockBit group has built itself into one of the most professional organized criminal gangs in the criminal underground.
The tactics we’ve enumerated are evident in their attack on Accenture in 2021. Experts suspect that an insider helped the group gain access to the firm’s network. LockBit also reportedly published a small part of the stolen data from the attack.
LockBit0 3.0: Sharpening the saw with a bug bounty program
In late June 2022, the LockBit ransomware gang reportedly launched LockBit 3.0, the latest known variant of the group’s ransomware, after two months of beta testing with the new malware deployed in the attacks. Twitter user @WhichbufferArda found a sample of the LockBit 3.0 ransomware version and noted that the malware uses anti-analysis techniques to hide itself and does not execute without a password like BlackCat. It also contains a command-line argument feature.
Our debugging process found that LockBit 3.0’s code is very similar to that of DarkSide and BlackMatter, which other researchers also noted. The two variants show that they use the same codes to resolve its needed API functions. It also has the same implementation of NtSetInformationThread to hide a thread from a debugger. Both BlackMatter and LockBit 3.0 also used the same method of identifying logical drives. While this is common for some ransomware, the code used in this case is very similar. (we link to the blog in development once published.) The malware observed from the samples were detected by Trend Micro as Ransom.Win32.LOCKBIT.YXCGD for LockBit 3.0 and Ransom.Win32.LOCKBIT.YXCGD for the unpacked sample provided by Twitter user @cPeterr.
The release of LockBit 3.0 is significant because it also launched the group’s bug bounty program, the first initiative of its kind for ransomware operations. The gang urges security researchers to submit vulnerability reports to improve their operations in exchange for remuneration. The group’s reward for the contribution of security researchers ranges from US$1,000 to $1 million. The affiliate manager, referred to as LockBitSupp, has offered $1 million to anyone who can provide the identity of the members of the ransomware group. The hefty reward incentivizes hackers to discover a vulnerability that the gang considers as a warning that their operation is at risk.
Water Selkie is also offering compensation for ideas that can improve their software development and operation. They are looking for vulnerabilities related to TOX messenger, suggesting that the group relies heavily on the platform for communication. Moreover, the gang is seeking vulnerabilities in the Tor network to better ascertain their operation’s security and ensure that their root access servers are not compromised.
Figure 1. LockBit’s timeline of notable activities
The impact of LockBit and insights from Water Selkie
Our investigation into the intrusion set behind LockBit, which we track as Water Selkie, reveals the effectiveness and impact of the tactics we have discussed. The key takeaways are the following:
The malware’s performance is a strong selling point. The malware’s speed and capabilities are widely known because the group uses them as selling points. The threat group’s efforts to publicize their malware’s capabilities have established it as the ransomware with one of the fastest and most efficient encryption methods.
It considers external pressures and issues faced by its potential targets. Water Selkie’s operators have indicated a preference for victims in Europe who fear breaching EU’s General Data Protection Regulation (GDPR). They continue to also consider the US to have lucrative targets, but see that data privacy laws can affect their chances of getting a successful payout. In general, they are attuned to geopolitical issues that they can use to their advantage.
Banks on the strength of its affiliate program. As mentioned earlier, a contributing factor in LockBit’s success is how well it recruits trustworthy and capable affiliates. Evidence also suggests that several of its affiliates are involved in multiple RaaS operations, which helps Water Selkie innovate and keep up with its competition. In return, Water Selkie prides itself on its professional operation that can be trusted by affiliates.
It has more in store for the future. Water Selkie clearly ramped up operations in the second half of 2021. We see that the intrusion set will either maintain or increase their level of activity in the first half of 2022. Organizations should also expect more supply chain attacks in the future according to an interview conducted with one of LockBit’s operators.
With LockBit affiliates being likely involved in other RaaS operations, its tactics slipping into those of other ransomware groups isn’t a far-fetched notion. Organizations would therefore benefit from recognizing LockBit’s tactics, techniques, and procedures (TTPs) laid out in the next sections.
Top affected industries and countries
In this section, we discuss Trend Micro™ Smart Protection Network™ data, which are detections of LockBit attempts to compromise organizations. LockBit has been detected all over the globe, with the US seeing most of the attack attempts from June 2021 to January 20, 2022, followed by India and Brazil. Like many ransomware families LockBit avoids Commonwealth of Independent States (CIS) countries.
Figure 2. Countries with the highest number of attack attempts per machine for LockBit ransomware (July 1, 2021 to January 20, 2022) Source: Trend Micro™ Smart Protection Network™ infrastructure
We saw the most LockBit-related detections in the healthcare industry followed by the education sector. LockBit threat actors have claimed that they do not attack healthcare, educational, and charity institutions. This “contradictory code of ethics,” has been noted by the US Department of Health Services (HHS) who warns the public not to rely on such statements as these tend to dissolve in the face of easy targets.
Figure 3. Industries with the highest number of attack attempts per machine for LockBit ransomware (July 1, 2021 to January 20, 2022) Source: Trend Micro Smart Protection Network infrastructure
Overall, we saw increased LockBit-related activity following the release of LockBit 2.0, peaking in November 2021.
Figure 4. LockBit monthly detections per machine (July 1, 2021 to January 20, 2022) Source: Trend Micro Smart Protection Network infrastructure
Targeted regions and sectors according to LockBit leak site
In this section, we examine the number of attacks recorded on LockBit’s leak site, which represents successfully compromised organizations who, as of writing, have refused to pay ransom. In our foray into the leak site of LockBit operators from December 16, 2021 to January 15, 2022, we observed that they had the highest number of recorded victims among active ransomware groups at 41, followed by Conti at 29. Do note, however, that LockBit has been accused of artificially inflating the number of their victims.
Looking into the list of their victims, it appears that more than half of the organizations are based in North America, followed by Europe and Asia Pacific.
Figure 5. Regional distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)
LockBit targets organizations indiscriminately, in that their victims come from many different sectors compared to other groups. In the abovementioned time period, they have victims coming from financial, professional services, manufacturing, and construction sectors, just to name a few. The majority of LockBit’s victims have been either small or small and medium-size businesses (SMBs) – 65.9% and 14.6% respectively, with enterprises only comprising 19.5%. That’s at odds with a group like Conti who victimized 44.8% of enterprises and 34.5% SMBs, and only victimized 20.7% of small businesses.
Figure 6. Sector distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)
In our observation of the activities within the LockBit leak site for the same time period, majority of attacks took place during weekdays, approximately 78% of the total, while 22% happened during the weekend.
Infection chain and techniques
Operating as a RaaS, LockBit infection chains show a variety of tactics and tools employed, depending on the affiliates involved in the attack. Affiliates typically buy access to targets from other threat actors, who typically obtain it via phishing, exploiting vulnerable apps, or brute forcing remote desktop protocol (RDP) accounts.
Here are some of the observed infection flows of LockBit variants:
Figure 7. A LockBit 1.0 campaign that used PowerShell Empire to perform command and control after gaining access to the system
Figure 8. A LockBit 1.0 campaign that used Microsoft RAS to access other systems
Figure 9. A LockBit 1.0 campaign that used Meterpreter to perform command and control after gaining access to the system
Figure 10. A LockBit 1.0 campaign that did not involve any network scanning as it directly deployed the payload after gaining access to the system
Figure 11. LockBit 2.0 infection chain that uses StealBit for automated data exfiltration
LockBit operators mostly gain access via compromised servers or RDP accounts that are usually bought or obtained from affiliates.
In some instances, it arrived via spam email or by brute forcing insecure RDP or VPN credentials.
It can also arrive via exploiting Fortinet VPN’s CVE-2018-13379 vulnerability.
LockBit is usually executed via command line as it accepts parameters of file path or directories if desired to only encrypt specific paths.
It may also be executed via created scheduled tasks. This is usually the case if it is propagated in other machines.
There are also reports of it being executed using PowerShell Empire, a pure PowerShell post-exploitation agent.
Aside from using credentials obtained from affiliates. LockBit attacks were also observed using Mimikatz to further gather credentials.
Some infections were observed to have GMER, PC Hunter, and/or Process Hacker. These are tools that are usually used to disable security products.
In some observed attacks, a Group Policy was created to disable Windows Defender.
Network Scanner, Advanced Port Scanner, and AdFind were also used to enumerate connected machines in the network. Probably to locate the Domain Controller or Active Directory server as these are usually the best targets for deploying ransomware with network encryption or propagation.
LockBit can self-propagate via SMB connection using obtained credentials.
Some samples can self-propagate and execute via Group Policy.
In some instances, PsExec or Cobalt Strike were used to move laterally within the network.
Uploads stolen files via cloud storage tools like MEGA or FreeFileSync.
Sometimes, the StealBit malware (also sold by the threat actors) was used instead to exfiltrate stolen files.
The ransomware payload will proceed with encryption routine upon execution. Encryption includes both local and network encryption.
It encrypts files using AES and encrypts AES key with RSA encryption. The AES Key is generated using BCryptGenRandom.
For faster encryption, it only encrypts the first 4KB of a file and appends it to “.lockbit.”
It will also replace the desktop wallpaper with a note that includes a statement where it tries to recruit insiders or affiliates within companies.
Figure 12. Sample wallpaper used by LockBit
LockBit also sends a WoL packet to ensure that network drives are active for its network encryption; this behavior was first observed on the Ryuk ransomware.
LockBit also has the capability to print its ransom note using connected printers using WinSpool APIs, which is probably inspired by Egregor ransomware.
MITRE tactics and techniques
T1566 - Phishing Arrives via phishing emails
T1190 - Exploit public-facing application Arrives via any the following exploits:•CVE-2018-13379
T1078 - Valid accounts Has been reported to make use of compromised accounts to access victims via RDP or VPN
T1106 - Execution through API Uses native API to execute various commands/ routines
T1059 - Command and scripting interpreter Uses various scripting interpreters like PowerShell and Windows command shell
T1204 - User execution User execution is needed to carry out the payload from the spear phishing link or attachments
T1547 - Boot or logon autostart execution
Creates registry run entries
T1134 - Access token manipulation
Use AdjustTokenPrivilege API to modify token attribute to SE_PRIVILEGE_ENABLED
T1548 - Abuse Elevation Control Mechanism Makes use of ucmDccwCOMMethod in UACME, a github collection of UAC bypass techniques
T1140 - Deobfuscate/Decode Files or Information Strings to be used throughout the routine are encrypted using XOR or Subtraction.
T1562 - Impair defenses Disables security related services via terminating them. May include using tools like PC Hunter, Process Hacker, KillAV/KillProc
T1574 - Hijack execution flow DLL side-loading can also be used as a form of defense evasion
T1218 - Signed Binary Proxy Execution Executes mshta to open the ransom note
T1484 - Domain Policy Modification It releases group policy update that will be able to terminate AV tools and create scheduled tasks to execute the propagated copies via SMB
T1070 - Indicator Removal on Host It is capable of deleting Windows event logs and its executable file to remove traces
T1083 - File and directory discovery Searches for specific files and directory related to its encryption
T1135 - Network Share Discovery Enumerate network share for its network encryption
T1018 - Remote system discovery Makes use of tools for network scans
T1057 - Process discovery Discovers certain processes for process termination
T1570 - Lateral tool transfer Can make use of RDP, SMB admin shares, or PsExec to transfer the ransomware or tools within the network
T1567 - Exfiltration over web service Syncs files to a specified cloud storage, such as MegaSync or FreeFileSync
T1041 - Exfiltration Over C2 Channel Exfiltration using StealBit tool
T1486 - Data encrypted for impact Uses a combination of AES and RSA to encrypt the files and key.
Also prints ransom notes on printers using Winspool API
T1489 - Service stop Contains a list of services to be terminated to ensure encryption
T1491 - Defacement Replaces the desktop background to display the ransom note
Summary of malware, tools, and exploits used
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in LockBit attacks:
As mentioned earlier, we expect the LockBit to continue its level of activity, if not increase it in the coming months. From our discussion, LockBit also demonstrates both consistent and versatile operations that adapt to current trends that affect the threat landscape. Organizations therefore should also keep abreast of the latest shifts that could influence their own security measures.
To help defend systems against similar threats, organizations can establish security frameworks that can allocate resources systematically for establishing a solid defense against ransomware.
Here are some best practices that can be included in these frameworks:
Audit and inventory
Take an inventory of assets and data
Identify authorized and unauthorized devices and software
Make an audit of event and incident logs
Configure and monitor
Manage hardware and software configurations
Grant admin privileges and access only when necessary to an employee’s role
Monitor network ports, protocols, and services
Activate security configurations on network infrastructure devices such as firewalls and routers
Establish a software allow list that only executes legitimate applications
Patch and update
Conduct regular vulnerability assessments
Perform patching or virtual patching for operating systems and applications
Update software and applications to their latest versions
Protect and recover
Implement data protection, backup, and recovery measures
Enable multifactor authentication (MFA)
Secure and defend
Employ sandbox analysis to block malicious emails
Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network
Detect early signs of an attack such as the presence of suspicious tools in the system
Use advanced detection technologies such as those powered by AI and machine learning
Train and test
Regularly train and assess employees on security skills
Conduct red-team exercises and penetration tests
A multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior could help protect enterprises.
Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.