Understanding Ransomware Threat Actors: LockBit | CISA (www.cisa.gov)


quote_lines(163, 163)
quote_lines(180, 184)
quote_lines(186, 188)
quote_lines(190, 191)
quote_lines(201, 233)
quote_lines(237, 242)
quote_lines(244, 250)
quote_lines(348, 352)
quote_lines(362, 362)
quote_lines(376, 382)
quote_lines(386, 392)
quote_lines(396, 402)
quote_lines(406, 412)
quote_lines(416, 422)
quote_lines(426, 432)
quote_lines(436, 442)
quote_lines(446, 452)
quote_lines(456, 462)
quote_lines(466, 472)
quote_lines(476, 482)
quote_lines(486, 492)
quote_lines(496, 502)
quote_lines(506, 512)
quote_lines(516, 522)
quote_lines(526, 532)
quote_lines(536, 542)
quote_lines(546, 552)
quote_lines(556, 562)
quote_lines(566, 572)
quote_lines(576, 582)
quote_lines(586, 592)
quote_lines(596, 602)
quote_lines(606, 612)
quote_lines(616, 622)
quote_lines(626, 632)
quote_lines(636, 642)
quote_lines(646, 652)
quote_lines(656, 662)
quote_lines(666, 672)
quote_lines(676, 682)
quote_lines(686, 692)
quote_lines(696, 702)
quote_lines(706, 712)
quote_lines(716, 722)
quote_lines(726, 732)
quote_lines(736, 742)
quote_lines(746, 752)
quote_lines(756, 762)

In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.

Understanding Ransomware Threat Actors: LockBit | CISA

Note: This advisory uses the 【62†MITRE ATT&CK for Enterprise†attack.mitre.org】 framework, version 13.1. See the MITRE ATT&CK Tactics and Techniques section for tables of LockBit’s activity mapped to MITRE ATT&CK® tactics and techniques.

#### Introduction

The LockBit RaaS and its affiliates have negatively impacted organizations, both large and small, across the world. In 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on their data leak site. [【63†1†www.trendmicro.com】] A RaaS cybercrime group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often referred to as “affiliates”), and supports affiliates’ deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits, or a combination of upfront payment, subscription fees, and a cut of profits. Some of the methods LockBit has used to successfully attract affiliates include, but are not limited to:

  * Assuring payment by allowing affiliates to receive ransom payments before sending a cut to the core group; this practice stands in stark contrast to other RaaS groups who pay themselves first and then disburse the affiliates’ cut.
  * Disparaging other RaaS groups in online forums.
  * Engaging in publicity-generating activities stunts, such as paying people to get LockBit tattoos and putting a $1 million bounty on information related to the real-world identity of LockBit’s lead who goes by the persona “LockBitSupp.”


LockBit has been successful through innovation and ongoing development of the group’s administrative panel and the RaaS supporting functions. In parallel, affiliates that work with LockBit and other notable variants are constantly revising the TTPs used for deploying and executing ransomware.

September 2019

First observed activity of ABCD ransomware, the predecessor to LockBit. [【66†4†documents.trendmicro.com】]  

January 2020

LockBit-named ransomware first seen on Russian-language based cybercrime forums.  

June 2021

Appearance of LockBit version 2 (LockBit 2.0), also known as LockBit Red including StealBit, a built-in information-stealing tool.  

October 2021

Introduction of LockBit Linux-ESXi Locker version 1.0 expanding capabilities to target systems to Linux and VMware ESXi. [【67†5†www.trendmicro.com】]  

March 2022

Emergence of LockBit 3.0, also known as LockBit Black, that shares similarities with BlackMatter and Alphv (also known as BlackCat) ransomware.  

September 2022

Non-LockBit affiliates able to use LockBit 3.0 after its builder was leaked. [【64†2†analyst1.com】, 【68†6†www.malwarebytes.com】]  

January 2023

Arrival of LockBit Green incorporating source code from Conti ransomware. [【69†7†cybernews.com】]  

April 2023

LockBit ransomware encryptors targeting macOS seen on VirusTotal [【70†8†thehackernews.com】, 【71†9†www.wired.com】]  

LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker are still available for affiliates’ use on LockBit’s panel.

##### Percentage of ransomware incidents attributed to LockBit:

  * Australia: From April 1, 2022, to March 31, 2023, LockBit made up 18% of total reported Australian ransomware incidents. This figure includes all variants of LockBit ransomware, not solely LockBit 3.0.
  * Canada: In 2022, LockBit was responsible for 22% of attributed ransomware incidents in Canada.[【72†10†www.cbc.ca】]
  * New Zealand: In 2022, CERT NZ received 15 reports of LockBit ransomware, representing 23% of 2022 ransomware reports.
  * United States: In 2022, 16% of the State, Local, Tribal, and Tribunal (SLTT) government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).

##### Number of LockBit ransomware attacks in the U.S. since 2020:

  * About 1,700 attacks according to the FBI.

##### Total of U.S. ransoms paid to LockBit:

  * Approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.

##### Leak Sites

The authoring agencies observe data leak sites, where attackers publish the names and captured data of victims if they do not pay ransom or hush money. Additionally, these sites can be used to record alleged victims who have been threatened with a data leak. The term 'victims' may include those who have been attacked, or those who have been threatened or blackmailed (with the attack having taken place).

The leak sites only show the portion of LockBit affiliates’ victims subjected to secondary extortion. Since 2021, LockBit affiliates have employed double extortion by first encrypting victim data and then exfiltrating that data while threatening to post that stolen data on leak sites. Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates’ total victims. For these reasons, the leak sites are not a reliable indicator of when LockBit ransomware attacks occurred. The date of data publication on the leak sites may be months after LockBit affiliates actually executed ransomware attacks.

During their intrusions, LockBit affiliates have been observed using various freeware and open-source tools that are intended for legal use. When repurposed by LockBit, these tools are then used for a range of malicious cyber activity, such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and batch scripts are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.

7-zip

Compresses files into an archive.

Compresses data to avoid detection before exfiltration.

【73†T1562†attack.mitre.org】

AdFind

Searches Active Directory (AD) and gathers information.

Gathers AD information used to exploit a victim’s network, escalate privileges, and facilitate lateral movement.

【74†S0552†attack.mitre.org】

Advanced Internet Protocol (IP) Scanner

Performs network scans and shows network devices.

Maps a victim’s network to identify potential access vectors.

【75†T1046†attack.mitre.org】

Advanced Port Scanner

Performs network scans.

Finds open Transmission Control Protocol (TCP) and User Data Protocol (UDP) ports for exploitation.

【75†T1046†attack.mitre.org】

AdvancedRun

Allows software to be run with different settings.

Enables escalation of privileges by changing settings before running software.

【76†TA0004†attack.mitre.org】

AnyDesk

Enables remote connections to network devices.

Enables remote control of victim’s network devices.

【77†T1219†attack.mitre.org】

Atera Remote Monitoring & Management (RMM)

Enables remote connections to network devices.

Enables remote control of victim’s network devices.

【77†T1219†attack.mitre.org】

Backstab

Terminates antimalware-protected processes.

Terminates endpoint detection and response (EDR)- protected processes.

【73†T1562.001†attack.mitre.org】

Bat Armor

Generates .bat files using PowerShell scripts.

Bypasses PowerShell execution policy.

【73†T1562.001†attack.mitre.org】

Bloodhound

Performs reconnaissance of AD for attack path management.

Enables identification of AD relationships that can be exploited to gain access onto a victim’s network.

【78†T1482†attack.mitre.org】

Chocolatey

Handles command-line package management on Microsoft Windows.

Facilitates installation of LockBit affiliate actors’ tools.

【79†T1072†attack.mitre.org】

Defender Control

Disables Microsoft Defender.

Enables LockBit affiliate actors to bypass Microsoft Defender.

【73†T1562.001†attack.mitre.org】

ExtPassword

Recovers passwords from Windows systems.

Obtains credentials for network access and exploitation.

【80†T1003†attack.mitre.org】

FileZilla

Performs cross-platform File Transfer Protocol (FTP) to a site, server, or host.

Enables data exfiltration over FTP to the LockBit affiliate actors’ site, server, or host.

【81†T1071.002†attack.mitre.org】

FreeFileSync

Facilitates cloud-based file synchronization.

Facilitates cloud-based file synchronization for data exfiltration.

【82†T1567.002†attack.mitre.org】

GMER

Removes rootkits.

Terminates and removes EDR software.

【73†T1562.001†attack.mitre.org】

Impacket

Collection of Python classes for working with network protocols.

Enables lateral movement on a victim’s network.

【83†S0357†attack.mitre.org】

LaZagne

Recovers system passwords across multiple platforms.

Collect credentials for accessing a victim’s systems and network.

【84†S0349†attack.mitre.org】

Ligolo

Establishes SOCKS5 or TCP tunnels from a reverse connection for pen testing.

Enables connections to systems within the victim’s network via reverse tunneling.

【85†T1095†attack.mitre.org】

LostMyPassword

Recovers passwords from Windows systems.

Obtains credentials for network access and exploitation.

【80†T1003†attack.mitre.org】

MEGA Ltd MegaSync

Facilitates cloud-based file synchronization.

Facilitates cloud-based file synchronization for data exfiltration.

【82†T1567.002†attack.mitre.org】

Microsoft Sysinternals ProcDump

Monitors applications for central processing unit (CPU) spikes and generates crash dumps during a spike.

Obtains credentials by dumping the contents of Local Security Authority Subsystem Service (LSASS).

【86†T1003.001†attack.mitre.org】

Microsoft Sysinternals PsExec

Executes a command-line process on a remote machine.

Enables LockBit affiliate actors to control victim’s systems.

【87†S0029†attack.mitre.org】

Mimikatz

Extracts credentials from a system.

Extracts credentials from a system for gaining network access and exploiting systems.

【88†S0002†attack.mitre.org】

Ngrok

Enables remote access to a local web server by tunnelling over the internet.

Enables victim network protections to be bypassed by tunnelling to a system over the internet.

【89†S0508†attack.mitre.org】

PasswordFox

Recovers passwords from Firefox Browser.

Obtains credentials for network access and exploitation.

【90†T1555.003†attack.mitre.org】

PCHunter

Enables advanced task management including system processes and kernels.

Terminates and circumvents EDR processes and services.

【73†T1562.001†attack.mitre.org】

PowerTool

Removes rootkits, as well as detecting, analyzing, and fixing kernel structure modifications.

Terminates and removes EDR software.

【73†T1562.001†attack.mitre.org】

Process Hacker

Removes rootkits.

Terminates and removes EDR software.

【73†T1562.001†attack.mitre.org】

PuTTY Link (Plink)

Automates Secure Shell (SSH) actions on Windows.

Enables LockBit affiliate actors to avoid detection.

【91†T1572†attack.mitre.org】

Rclone

Manages cloud storage files using a command-line program.

Facilitates data exfiltration over cloud storage.

【92†S1040†attack.mitre.org】

Seatbelt

Performs numerous security-oriented checks.

Performs numerous security-oriented checks to enumerate system information.

【93†T1082†attack.mitre.org】

ScreenConnect (also known as ConnectWise)

Enables remote connections to network devices for management.

Enables LockBit affiliate actors to remotely connect to a victim’s systems.

【77†T1219†attack.mitre.org】

SoftPerfect Network Scanner

Performs network scans for systems management.

Enables LockBit affiliate actors to obtain information about a victim’s systems and network.

【75†T1046†attack.mitre.org】

Splashtop

Enables remote connections to network devices for management.

Enables LockBit affiliate actors to remotely connect to systems over Remote Desktop Protocol (RDP).

【94†T1021.001†attack.mitre.org】

TDSSKiller

Removes rootkits.

Terminates and removes EDR software.

【73†T1562.001†attack.mitre.org】

TeamViewer

Enables remote connections to network devices for management.

Enables LockBit affiliate actors to remotely connect to a victim’s systems.

【77†T1219†attack.mitre.org】

ThunderShell

Facilitates remote access via Hypertext Transfer Protocol (HTTP) requests.

Enables LockBit affiliate actors to remotely access systems while encrypting network traffic.

【95†T1071.001†attack.mitre.org】

WinSCP

Facilitates file transfer using SSH File Transfer Protocol for Microsoft Windows.

Enables data exfiltration via the SSH File Transfer Protocol.

【96†T1048†attack.mitre.org】

search("LockBit ransomware group financial earnings")

LockBit victims in the US alone paid $90m+ since 2020 • The Register (www.theregister.com)


quote_lines(87, 87)
quote_lines(107, 107)
quote_lines(109, 109)
quote_lines(113, 113)
quote_lines(115, 115)
quote_lines(121, 121)
quote_lines(125, 125)
quote_lines(129, 131)
quote_lines(138, 138)
quote_lines(142, 142)
quote_lines(146, 146)

The group's affiliates remains a global scourge, costing US victims alone more than $90 million from roughly 1,700 attacks since 2020, we're told.

LockBit victims in the US alone paid $90m+ since 2020 • The Register

Some of the more recent victims include 【81†Managed Care of North America】, one of the biggest government-backed dental care and insurance providers in the US. Earlier this year, the criminals broke into MCNA's servers, hung around for 10 days and extracted info on nearly 9 million people. 

In January, the gang "【82†formally apologized】" for breaking into the systems of Canada's largest children's hospital, SickKids, blaming a since-ditched affiliate group for an extortion attack and offering a free decryptor for the victim to recover the files.

But before thinking that the ransomware-as-a-service group has gone soft, it's worth remembering the gang's 【83†ransomware attack†www.chsf.fr】 last summer against France's Center Hospitalier Sud Francilien.

The crew has been linked to Russia, and in May 【84†Uncle Sam sanctioned】 a Russian national, Mikhail Pavlovich Matveev, accused of using LockBit and other ransomware to extort a law enforcement agency and nonprofit healthcare organization in New Jersey, as well as the Metropolitan Police Department in Washington DC, among "numerous" other victim organizations in the US and globally.

"Lockbit's cybercrime wave is significant, notably the proceeds of which helped Russia offset some western economic sanctions," Kellermann told The Register. "The most nefarious ransomware gangs are affiliated with cybercrime cartels that enjoy a pax mafiosa with the Russian government." 

LockBit was the most used ransomware in 2022 globally and thus far in 2023, according to the seven countries. This is largely due to the gang's large number of affiliates, which, in exchange for paying upfront and subscription fees, get a cut of the ransom payments.

"Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs)," the advisory notes.

This includes using some 30 freeware and open-source tools, all of which are detailed in the security alert, and the FBI has mapped more than 40 of the gang's TTPs to the MITRE ATT&CK frameworks.

The criminals have also been spotted exploiting "numerous" CVEs. These include the Fortra GoAnyhwere Managed File Transfer remote code execution (RCE) vulnerability (CVE-2023-0669), the 【86†PaperCut MF/NG improper access control flaw】 (CVE-2023-27350), the 【87†Log4j RCE】 (CVE-2021-44228), the 【88†F5 BIG-IP and BIG-IQ Centralized Management iControl REST RCE】 (CVE-2021-22986), a NetLogon privilege escalation bug (CVE-2020-1472), a 【89†Microsoft remote desktop RCE】 (CVE-2019-0708), and a Fortinet FortiOS SSL-VPN path traversal vulnerability (CVE-2018-13379). 

After breaking in, encrypting, and then stealing organizations' data, LockBit affiliates publish names and sometimes screenshots of stolen data on their leak sites to try to force the victims to pay the ransom demand. 

Between January 2020 and the first quarter of 2023, a total of 1,653 alleged victims have been named on LockBit leak sites — although, according to the cyber agencies, this number only represents "a portion" of the affiliates' victims since it only includes those who refuse to pay. 

search("LockBit ransomware group defenses and prevention strategies")

#StopRansomware: LockBit 3.0 | CISA (www.cisa.gov)


quote_lines(165, 169)
quote_lines(173, 175)
quote_lines(187, 191)
quote_lines(195, 195)
quote_lines(199, 211)

Actions to take today to mitigate cyber threats from ransomware:

  * Prioritize remediating 【61†known exploited vulnerabilities】.
  * Train users to recognize and report 【62†phishing attempts】.
  * Enable and enforce phishing- resistant 【63†multifactor authentication】.

#StopRansomware: LockBit 3.0 | CISA

The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.

The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.

LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware [【66†T1480.001†attack.mitre.org】]. The password is a cryptographic key which decodes the LockBit 3.0 executable. By protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis with the code being unexecutable and unreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable as the executable’s encrypted potion will vary based on the cryptographic key used for encryption while also generating a unique hash. When provided the correct password, LockBit 3.0 will decrypt the main component, continue to decrypt or decompress its code, and execute the ransomware.

LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected [【67†T1614.001†attack.mitre.org】], LockBit 3.0 will stop execution without infecting the system.

Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation [【68†T1133†attack.mitre.org】], drive-by compromise [【69†T1189†attack.mitre.org】], phishing campaigns [【70†T1566†attack.mitre.org】], abuse of valid accounts [【71†T1078†attack.mitre.org】], and exploitation of public-facing applications [【72†T1190†attack.mitre.org】].

During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges [【73†TA0004†attack.mitre.org】]. LockBit 3.0 performs functions such as:

  * Enumerating system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices [【74†T1082†attack.mitre.org】]
  * Terminating processes and services [【75†T1489†attack.mitre.org】]
  * Launching commands [【76†TA0002†attack.mitre.org】]
  * Enabling automatic logon for persistence and privilege escalation [【77†T1547†attack.mitre.org】]
  * Deleting log files, files in the recycle bin folder, and shadow copies residing on disk [【78†T1485†attack.mitre.org】], [【79†T1490†attack.mitre.org】]

LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [【80†T1078†attack.mitre.org】]. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt [【81†T1486†attack.mitre.org】] data saved to any local or remote device, but skips files associated with core system functions.

After files are encrypted, LockBit 3.0 drops a ransom note with the new filename <Ransomware ID>.README.txt and changes the host’s wallpaper and icons to LockBit 3.0 branding [【82†T1491.001†attack.mitre.org】]. If needed, LockBit 3.0 will send encrypted host and bot information to a command and control (C2) server [【83†T1027†attack.mitre.org】].

Once completed, LockBit 3.0 may delete itself from the disk [【84†T1070.004†attack.mitre.org】] as well as any Group Policy updates that were made, depending on which options were set at compilation time.

LockBit Group Threat Assessment

An automated cyber threat intelligence expert configured and trained by Bob Gourley. Pls provide feedback. Find Bob on X at @bobgourley

LockBit Group Threat Assessment

Identity and Operations

Financial Earnings

Tactics, Techniques, and Procedures (TTPs)

Defense Strategies

Conclusion