Our investigation into the intrusion set behind LockBit, which we track as Water Selkie, reveals the effectiveness and impact of the tactics we have discussed. The key takeaways are the following:
Since LockBit affiliates are likely involved in other RaaS operations as well, it is not far-fetched that its tactics will surface in other ransomware groups' playbooks. Organizations would therefore benefit from recognizing the LockBit tactics, techniques, and procedures (TTPs) laid out in the next sections.
Figure 12. Sample wallpaper used by LockBit
| Tactic | Technique (MITRE ATT&CK) | Observed behavior |
|---|---|---|
| Initial Access | T1566 Phishing | |
| Initial Access | T1190 Exploit Public-Facing Application | |
| Initial Access | T1078 Valid Accounts | |
| Execution | T1106 Native API (formerly named Execution through API) | |
| Execution | T1059 Command and Scripting Interpreter | |
| Execution | T1204 User Execution | |
| Persistence | T1547 Boot or Logon Autostart Execution | Creates registry Run entries |
| Privilege Escalation | T1134 Access Token Manipulation | Calls the AdjustTokenPrivileges API to set the SE_PRIVILEGE_ENABLED attribute on token privileges |
| Privilege Escalation | T1548 Abuse Elevation Control Mechanism | |
| Defense Evasion | T1140 Deobfuscate/Decode Files or Information | |
| Defense Evasion | T1562 Impair Defenses | |
| Defense Evasion | T1574 Hijack Execution Flow | |
| Defense Evasion | T1218 Signed Binary Proxy Execution | |
| Defense Evasion | T1484 Domain Policy Modification | |
| Defense Evasion | T1070 Indicator Removal on Host | |
| Discovery | T1083 File and Directory Discovery | |
| Discovery | T1135 Network Share Discovery | |
| Discovery | T1018 Remote System Discovery | |
| Discovery | T1057 Process Discovery | |
| Lateral Movement | T1570 Lateral Tool Transfer | |
| Exfiltration | T1567 Exfiltration Over Web Service | |
| Exfiltration | T1041 Exfiltration Over C2 Channel | |
| Impact | T1486 Data Encrypted for Impact | |
| Impact | T1489 Service Stop | |
| Impact | T1491 Defacement | |
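Three rows of the table above translate directly into host telemetry: Run-key writes (T1547) show up as Sysmon Event ID 13, privilege enablement through AdjustTokenPrivileges (T1134) is logged as Security Event ID 4703, and service stops (T1489) appear as System Event ID 7036 from the Service Control Manager. The following Python is an added example, not code from the original article or from Trend Micro, that runs simple rules for those three techniques over constructed event records; the event dictionaries, the list of watched service names, and the exclusion of processes under System32 are assumptions for the demo and should be tuned for a real environment.

```python
"""Rule-based mapping of Windows event records to LockBit ATT&CK techniques.

Added example, not from the original article. Field names follow the real
Sysmon/Security/System events, but every record below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Registry autostart locations written by the payload (T1547).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)

# Privileges whose enablement by a non-system binary deserves a look (T1134).
SENSITIVE_PRIVS = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeRestorePrivilege",
    "SeBackupPrivilege", "SeLoadDriverPrivilege",
}

# Service-name keywords ransomware commonly stops before encrypting (T1489).
# Assumption for the demo: tune this list to the services you actually run.
WATCHED_SERVICE_KEYWORDS = {"volume shadow copy", "vss", "sql", "veeam",
                            "backup", "exchange"}

SYSTEM32_PREFIX = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Hit:
    technique: str   # ATT&CK technique ID
    reason: str      # human-readable evidence
    process: str     # image that produced the event, if the event carries one


def check_registry_run(ev: dict) -> Hit | None:
    """Sysmon Event ID 13 (RegistryEvent: value set) touching a Run key."""
    if ev.get("Source") == "Sysmon" and ev.get("EventID") == 13:
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            return Hit("T1547", f"Run-key value set: {target} -> {ev.get('Details', '')}",
                       ev.get("Image", ""))
    return None


def check_token_privileges(ev: dict) -> Hit | None:
    """Security Event ID 4703 (A token right was adjusted).

    The EnabledPrivilegeList field is what AdjustTokenPrivileges leaves behind
    when it sets SE_PRIVILEGE_ENABLED. Privileges in the real event are
    separated by whitespace; the constructed records also use commas.
    """
    if ev.get("Source") == "Security" and ev.get("EventID") == 4703:
        enabled = {p for p in re.split(r"[\s,]+", ev.get("EnabledPrivilegeList", "")) if p}
        suspicious = SENSITIVE_PRIVS & enabled
        proc = ev.get("ProcessName", "")
        # Assumption: System32 binaries legitimately toggle these all day; skip them.
        if suspicious and not proc.lower().startswith(SYSTEM32_PREFIX):
            return Hit("T1134", f"Enabled {sorted(suspicious)} on its token", proc)
    return None


def check_service_stop(ev: dict) -> Hit | None:
    """System Event ID 7036 ('The X service entered the stopped state').

    The Service Control Manager records the display name as param1 and the
    new state as param2.
    """
    if (ev.get("Source") == "System" and ev.get("EventID") == 7036
            and ev.get("param2", "").lower() == "stopped"):
        name = ev.get("param1", "")
        if any(k in name.lower() for k in WATCHED_SERVICE_KEYWORDS):
            return Hit("T1489", f"Service stopped: {name}", "")
    return None


RULES = (check_registry_run, check_token_privileges, check_service_stop)


def detect(events: list[dict]) -> list[Hit]:
    """Apply every rule to every event, preserving event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]


# Constructed records for the demo, not real telemetry.
SAMPLE_EVENTS = [
    {"Source": "Sysmon", "EventID": 13,
     "Image": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\loader.exe"},
    {"Source": "Sysmon", "EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\Settings\Theme", "Details": "dark"},
    {"Source": "Security", "EventID": 4703,
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege, SeTakeOwnershipPrivilege",
     "DisabledPrivilegeList": "-"},
    {"Source": "Security", "EventID": 4703,
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"Source": "System", "EventID": 7036, "Provider": "Service Control Manager",
     "param1": "Volume Shadow Copy", "param2": "stopped"},
    {"Source": "System", "EventID": 7036, "Provider": "Service Control Manager",
     "param1": "Print Spooler", "param2": "stopped"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.technique}: {hit.reason} [{hit.process}]")
```

Run against the constructed records, the detector flags the loader's Run-key write, its enablement of SeDebugPrivilege and SeTakeOwnershipPrivilege, and the Volume Shadow Copy stop, while the unrelated registry write, the svchost.exe privilege adjustment, and the Print Spooler stop produce nothing. The value of such rules lies in correlating hits by process and host, since each one alone is noisy.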
Security teams should also watch for the following malware, tools, and exploits typically used in LockBit attacks, grouped by the stage of the intrusion in which they appear:

| Initial Entry | Execution | Discovery | Lateral Movement | Defense Evasion | Exfiltration |
|---|---|---|---|---|---|
As mentioned earlier, we expect LockBit to sustain, if not increase, its level of activity in the coming months. Our analysis also shows that LockBit's operations are both consistent and versatile, adapting to the trends that shape the threat landscape. Organizations should therefore keep abreast of shifts that could affect their own security measures.
To help defend systems against similar threats, organizations can adopt security frameworks that allocate resources systematically toward a solid defense against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach helps organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior help protect enterprises at each of those layers.