We’ve barely started March 2022, but LockBit 2.0’s Tor (.onion) leak site already lists over 100 organizations the group claims to have successfully attacked so far.
What is LockBit?
LockBit is a ransomware-as-a-service (RaaS) gang: the core group develops the malware and distributes it through affiliates. Handing deployment of the ransomware payload to affiliates lets LockBit scale its reach dramatically and hit new victims continuously.
LockBit began advertising its affiliate program in early 2020. In summer 2021 the group released LockBit 2.0, with new payloads and significantly improved infrastructure. One of the biggest changes was built-in double extortion: data is stolen before it is encrypted, so victims now also have to worry about personal data being leaked, which puts additional pressure on them to pay. In a recent Flash alert, the FBI warned that “LockBit's operators have started advertising for insiders at a target company to help them establish initial access into the network. Insiders were promised a cut of the proceeds from a successful attack”.
Today, LockBit 2.0 affiliates use several tools to exfiltrate the data that is published should the victim fail to pay, including StealBit (the group's own exfiltration tool), Cobalt Strike, and Metasploit. LockBit 2.0 relies on affiliates to perform the intrusion and the exfiltration. Affiliates typically buy access from other threat actors (initial access brokers), who usually obtain it via phishing, exploitation of vulnerable applications, or brute-forcing Remote Desktop Protocol (RDP) accounts.
LockBit Evasion Techniques
The LockBit gang uses several evasion techniques to prevent or slow down analysis and detection by security products. The evasion techniques used by LockBit are:
- Binary obfuscation
- API hashing: imported function names are stored as FNV hashes rather than strings, and the addresses are resolved dynamically at runtime by hashing export names until a match is found.
- Multi-threaded execution in threads hidden from the debugger (the classic mechanism is NtSetInformationThread with ThreadHideFromDebugger, which stops a debugger from receiving events for that thread):
Figure 1 - Hidden Thread Creation
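The following is an added example, not code from the original post and not LockBit's own code. It shows both sides of the API-hashing technique listed above: the loader-side loop that hashes export names until one matches a stored constant, and the analyst-side lookup table that maps hashes found in the binary back to API names. Standard 32-bit FNV-1a constants are assumed; a given sample may change the seed, the prime or the case handling, so confirm them against the disassembly before trusting the mapping. The export lists are constructed stand-ins for real PE export tables.

```python
"""Added example (not LockBit's code): FNV-1a API-name hashing and hash-based resolution.

Malware that hashes API names stores only the 32-bit hash of each import and, at
runtime, walks a DLL's export table hashing every name until one matches. The same
hash function, run over a list of export names, lets an analyst map the constants
found in the binary back to API names. Standard FNV-1a parameters are assumed here;
a given sample may tweak the seed, the prime or the case handling, so confirm them
against the disassembly before trusting the results.
"""
from typing import Dict, Iterable, List, Optional, Tuple

FNV32_OFFSET_BASIS = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR the byte in, then multiply by the prime."""
    h = FNV32_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


# Constructed stand-in for a few export tables. A real tool would read the names
# from the PE export directory (e.g. with pefile) of the DLLs on the analysis box.
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["CreateThread", "LoadLibraryA", "GetProcAddress",
                     "VirtualAlloc", "TerminateProcess"],
    "ntdll.dll": ["NtSetInformationThread", "NtQueryInformationProcess",
                  "NtCreateThreadEx"],
    "advapi32.dll": ["OpenSCManagerA", "ControlService", "OpenServiceA"],
}


def resolve_by_hash(target: int, export_names: Iterable[str]) -> Optional[str]:
    """Loader-side view: the loop the malware runs over one DLL's export names."""
    for name in export_names:
        if fnv1a32(name.encode("ascii")) == target:
            return name
    return None


def build_hash_table(exports_by_dll: Dict[str, Iterable[str]]) -> Dict[int, str]:
    """Analyst-side view: precompute hash -> 'dll!Name' for every known export."""
    table: Dict[int, str] = {}
    for dll, names in exports_by_dll.items():
        for name in names:
            table[fnv1a32(name.encode("ascii"))] = f"{dll}!{name}"
    return table


def annotate(hashes: Iterable[int], table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Label each constant pulled from the binary, keeping unknowns visible."""
    return [(h, table.get(h, "<unknown>")) for h in hashes]


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed "constants from the binary": two hashed names and one unrelated value.
    seen = [fnv1a32(b"NtSetInformationThread"), fnv1a32(b"CreateThread"), 0x12345678]
    for h, name in annotate(seen, table):
        print(f"0x{h:08x}  {name}")
```

In practice the lookup table is built once from every DLL in System32 and the unknown entries are the interesting ones: either the hash variant is not the standard one, or the name comes from a DLL the table does not yet cover.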
Once inside a network, LockBit 2.0 uses a network scanner to map the environment and locate the domain controller. It also carries multiple batch files that terminate processes, stop services, and disable security tools:
Figure 2 - Decrypted processes list terminated by LockBit
Figure 3 - Decrypted services list stopped by LockBit
LockBit 2.0 identifies and collects the infected device's hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices.
It deletes Volume Shadow Copies to prevent recovery and uses Living-off-the-Land techniques to escalate privileges.
Like other Russia-based ransomware operations, LockBit 2.0 checks the system and user language settings and aborts without encrypting if the language is one of 13 Eastern European languages.
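The host-side preparation described in the last few paragraphs (killing processes and services from batch files, then deleting shadow copies) is noisy in process-creation telemetry. The following is an added example, not code from the original post and not Minerva's or LockBit's; it runs generic detection logic over constructed events. The patterns are common ransomware tradecraft, not signatures for a specific LockBit batch file, and the thresholds and the event format are assumptions.

```python
"""Added example (not Minerva's or LockBit's code): spotting pre-encryption host
preparation in process-creation telemetry.

Shadow-copy deletion is rare enough to alert on a single event. Service stops and
forced process kills are normal one at a time, so they only alert as a burst from
the same parent process inside a short window. The events below are constructed,
not real logs.
"""
import re
from collections import defaultdict
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

SAMPLE_EVENTS: List[Event] = [
    {"ts": 100, "parent": "cmd.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 101, "parent": "cmd.exe", "cmdline": "wmic shadowcopy delete"},
    {"ts": 102, "parent": "cmd.exe", "cmdline": "net stop vss /y"},
    {"ts": 102, "parent": "cmd.exe", "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": 103, "parent": "cmd.exe", "cmdline": "net stop BackupExecAgent /y"},
    {"ts": 103, "parent": "cmd.exe", "cmdline": "taskkill /f /im sqlservr.exe"},
    {"ts": 104, "parent": "cmd.exe", "cmdline": "taskkill /im outlook.exe /f"},
    {"ts": 900, "parent": "explorer.exe", "cmdline": "net stop spooler"},  # lone admin action
]

SHADOW_COPY_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),  # WMI / PowerShell route
]
SERVICE_STOP = re.compile(r"^\s*(net1?|sc)(\.exe)?\s+stop\s+\S+", re.I)
TASKKILL = re.compile(r"^\s*taskkill(\.exe)?\b", re.I)
FORCE_FLAG = re.compile(r"(^|\s)/f(\s|$)", re.I)


def max_in_window(times: List[int], window: int) -> int:
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(events: List[Event], window: int = 60,
           stop_threshold: int = 3, kill_threshold: int = 2) -> List[Tuple[str, str]]:
    """Return (alert_kind, detail) pairs, shadow-copy alerts first, then bursts."""
    alerts: List[Tuple[str, str]] = []
    stops: Dict[str, List[int]] = defaultdict(list)
    kills: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        cmd, parent, ts = str(e["cmdline"]), str(e["parent"]), int(e["ts"])
        if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
            alerts.append(("shadow_copy_deletion", cmd))
        elif SERVICE_STOP.search(cmd):
            stops[parent].append(ts)
        elif TASKKILL.search(cmd) and FORCE_FLAG.search(cmd):
            kills[parent].append(ts)
    for parent, ts_list in stops.items():
        if max_in_window(ts_list, window) >= stop_threshold:
            alerts.append(("mass_service_stop", parent))
    for parent, ts_list in kills.items():
        if max_in_window(ts_list, window) >= kill_threshold:
            alerts.append(("mass_process_kill", parent))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:22} {detail}")
```

Keying the bursts on the parent process is what separates a scripted kill list from an administrator stopping one service: the single `explorer.exe`-spawned `net stop` above produces no alert, while the batch-driven `cmd.exe` children do.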
Since October 2021, LockBit has also shipped a Linux variant targeting VMware ESXi servers.
How Minerva Mitigates LockBit 2.0
Minerva's Hostile Environment Simulation platform turns LockBit's evasion techniques against it: the malware is led to believe it is running in an environment it wants to avoid, so it disables itself indefinitely. The more advanced techniques LockBit employs to evade detection by standard security solutions, the easier it is for Minerva to prevent it from ever executing.