LockBit: Who, What, Where, Why, How
The name LockBit refers to both Ransomware-as-a-Service (RaaS) and the threat group that develops and markets it (sometimes called the LockBit gang or LockBit group). It has grown in the years since 2019 to become one of the most commonly used forms of ransomware, and one of the most sophisticated.
Who?
LockBit was first seen in 2019, and was then known as the ABCD group because its ransomware used an .abcd extension for encrypted files. The latest version, LockBit 3.0 (aka LockBit Black), was released in June 2022.
In an August 2021 interview, a LockBit operator spoke in Russian and defended Russia. The LockBit ransomware avoids encrypting files on systems that use Commonwealth of Independent States (CIS) languages. These factors point to LockBit members being Russian, though the group has said it values the anonymity of its members.
Because LockBit is a RaaS, the ransomware isn’t used by a single entity, but by any affiliates that choose to use it. These can be criminal organizations or individuals located anywhere in the world.
Recorded Future has tracked 1,111 total LockBit victims as of November 2022. LockBit claims to have hit 750 victims in 2022 alone.
LockBit’s victims have included government organizations in North America, Europe, and the Asia-Pacific region, cybersecurity company Entrust, German automotive group Continental, French defense and technology group Thales, British insurer Kingfisher Insurance, Japanese tech company Oomiya, consulting firm Accenture, financial and healthcare institutions, and other private organizations.
In September 2022, someone claiming to be a LockBit developer leaked the source code, saying they were frustrated with the group’s leadership. With this source code, others can develop their own ransomware.
The group runs a bug bounty program to improve its ransomware, the first known bug bounty program by ransomware operators.
In November 2022, an alleged LockBit member, a 33-year-old Russian and Canadian national in custody in Canada, was extradited to the US on charges of LockBit involvement.
What?
LockBit is triple-extortion ransomware, meaning that it can use up to 3 methods for pressuring victims to pay: it can encrypt files, exfiltrate data and threaten to leak it, and hit victims with DDoS attacks.
In September 2022, LockBit accounted for over 40% of ransomware victims.
Where?
Based on their pro-Russian messaging, use of the Russian language, and the ransomware’s avoidance of systems that use Commonwealth of Independent States (CIS) languages, it seems likely that LockBit members are Russian.
Affiliates that use the LockBit RaaS can be located anywhere in the world.
Why?
Ransomware operators are generally financially motivated, and LockBit has demanded ransom payments of up to $60 million.
How?
The LockBit ransomware can spread in several ways. It can be delivered via phishing emails, often posing as job offers or copyright infringement notices. It can spread using stolen VPN and RDP credentials. LockBit can spread automatically by taking advantage of Windows PowerShell and Server Message Block. It has also spread via a zero-day vulnerability in Microsoft Exchange.
LockBit can be distributed as an infected Word file, an executable using the Word doc icon, or an obfuscated PowerShell script.
Once the ransomware is on a machine, it starts several threads which do the following:
- Stop Windows Defender.
- Replace files in the Recycle Bin with randomly generated data, then delete them, so they’re unrecoverable.
- Monitor and terminate SQL process.
- Delete shadow copies.
- Write ransom notes.
- Encrypt files using Salsa-20 algorithm.
- Look for domain controllers and attempt to remotely log into them.
- Look for connected drives and shared network resources, and attempt to encrypt files on them.
- Communicate with command and control (C2) server(s) over TLS 1.2, to encrypt traffic.
LockBit started with targeting Windows machines, and later expanded to also target Linux servers, including ESXi servers.
