LockBit: Who, What, Where, Why, How
The name LockBit refers both to a Ransomware-as-a-Service (RaaS) offering and to the threat group that develops and markets it (sometimes called the LockBit gang or LockBit group). Since 2019 it has grown to become one of the most widely used forms of ransomware, and one of the most sophisticated.
LockBit was first seen in 2019, and was then known as the ABCD group because its ransomware used an .abcd extension for encrypted files. The latest version, LockBit 3.0 (aka LockBit Black), was released in June 2022.
In an August 2021 interview, a LockBit operator spoke in Russian and defended Russia. The LockBit ransomware avoids encrypting files on systems that use Commonwealth of Independent States (CIS) languages. These factors point to LockBit members being Russian, though the group has said it values the anonymity of its members.
Because LockBit is a RaaS, the ransomware isn’t used by a single entity, but by any affiliates that choose to use it. These can be criminal organizations or individuals located anywhere in the world.
Recorded Future has tracked 1,111 total LockBit victims as of November 2022. LockBit claims to have hit 750 victims in 2022 alone.
LockBit’s victims have included government organizations in North America, Europe, and the Asia-Pacific region, cybersecurity company Entrust, German automotive group Continental, French defense and technology group Thales, British insurer Kingfisher Insurance, Japanese tech company Oomiya, consulting firm Accenture, financial and healthcare institutions, and other private organizations.
In September 2022, someone claiming to be a LockBit developer leaked the source code, saying they were frustrated with the group’s leadership. With this source code, others can develop their own ransomware.
The group runs a bug bounty program to improve its ransomware, the first known bug bounty program by ransomware operators.
In November 2022, an alleged LockBit member, a 33-year-old Russian and Canadian national in custody in Canada, was extradited to the US on charges of LockBit involvement.
LockBit is triple-extortion ransomware, meaning that it can use up to three methods to pressure victims into paying: it can encrypt files, exfiltrate data and threaten to leak it, and hit victims with DDoS attacks.
In September 2022, LockBit accounted for over 40% of ransomware victims.
Based on their pro-Russian messaging, use of the Russian language, and the ransomware’s avoidance of systems that use Commonwealth of Independent States (CIS) languages, it seems likely that LockBit members are Russian.
Affiliates that use the LockBit RaaS can be located anywhere in the world.
Ransomware operators are generally financially motivated, and LockBit has demanded ransom payments of up to $60 million.
The LockBit ransomware can spread in several ways. It can be delivered via phishing emails, often posing as job offers or copyright infringement notices. It can spread using stolen VPN and RDP credentials. LockBit can spread automatically by taking advantage of Windows PowerShell and Server Message Block (SMB). It has also spread via a zero-day vulnerability in Microsoft Exchange.
LockBit can be distributed as an infected Word file, an executable using the Word doc icon, or an obfuscated PowerShell script.
Once the ransomware is on a machine, it starts several threads which do the following:
- Stop Windows Defender.
- Replace files in the Recycle Bin with randomly generated data, then delete them, so they’re unrecoverable.
- Monitor for and terminate SQL processes.
- Delete shadow copies.
- Write ransom notes.
- Encrypt files using the Salsa20 algorithm.
- Look for domain controllers and attempt to remotely log into them.
- Look for connected drives and shared network resources, and attempt to encrypt files on them.
- Communicate with command and control (C2) server(s) over TLS 1.2 so that the traffic is encrypted.
LockBit started with targeting Windows machines, and later expanded to also target Linux servers, including ESXi servers.
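As an added example (not code from the original page), a small Python detector that runs over constructed process-creation records and flags a host only when several of the behaviours listed above (stopping Defender, terminating SQL processes, deleting shadow copies) occur within a short window, since any one of them alone is often routine administration. The command strings matched are assumptions drawn from common defensive rule sets, not from the page; tune them to your own telemetry.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Behaviour-level signatures for three of the actions in the list above. The concrete
# command strings are assumptions taken from widely published defensive rules, not
# from the page; adjust them to match the tooling used in your environment.
SIGNATURES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "defender_stop": re.compile(
        r"\b(sc|net)(\.exe)?\s+stop\s+windefend\b", re.I),
    "sql_termination": re.compile(
        r"taskkill(\.exe)?\s.*\bsqlservr(\.exe)?\b|net(\.exe)?\s+stop\s+mssql", re.I),
}

def classify_event(event: Dict[str, str]) -> List[str]:
    """Names of every signature that matches one process-creation event."""
    return [n for n, p in SIGNATURES.items() if p.search(event.get("command_line", ""))]

def hunt(events: List[Dict[str, str]], window_seconds: int = 300,
         min_behaviours: int = 2) -> Dict[str, List[str]]:
    """Flag hosts where at least `min_behaviours` distinct behaviours occur within
    `window_seconds`; a single hit is frequently benign, a cluster is the pattern."""
    hits: Dict[str, list] = {}  # host -> [(timestamp, behaviour), ...]
    for ev in events:
        ts = datetime.fromisoformat(ev["timestamp"])
        for name in classify_event(ev):
            hits.setdefault(ev["host"], []).append((ts, name))
    flagged: Dict[str, List[str]] = {}
    for host, items in hits.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {n for t, n in items[i:] if t - t0 <= timedelta(seconds=window_seconds)}
            if len(seen) >= min_behaviours:
                flagged[host] = sorted(seen)
                break
    return flagged

# Constructed sample events (not real telemetry), shaped like Sysmon process-creation fields.
SAMPLE_EVENTS = [
    {"host": "WS01", "timestamp": "2022-11-01T09:00:01", "command_line": "net stop WinDefend"},
    {"host": "WS01", "timestamp": "2022-11-01T09:00:07", "command_line": "taskkill /F /IM sqlservr.exe"},
    {"host": "WS01", "timestamp": "2022-11-01T09:00:12", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS02", "timestamp": "2022-11-01T11:30:00", "command_line": "vssadmin delete shadows /for=C: /oldest"},
    {"host": "WS03", "timestamp": "2022-11-01T12:00:00", "command_line": "notepad.exe C:\\Users\\a\\readme.txt"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # {'WS01': ['defender_stop', 'shadow_copy_deletion', 'sql_termination']}
```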