Lockbit : From Genesis to Doomsday

Lockbit: from Genesis to the Last Judgment

Lockbit

From Genesis to Doomsday

A comprehensive overview of the Lockbit Saga: major ransomware, its evolutions, notable attacks, mitigation techniques, and international efforts to combat it.

From Creation to Chaos

Lockbit first appeared on the cyber scene on September 3, 2019. Since its inception, Lockbit has carried out more than 2,000 attacks worldwide, making it one of the most prolific ransomware groups.

The group has extorted over $120 millionThe group claims its members are from former Soviet Union republics, explaining their decision not to attack Russian interests or those of ex-USSR countries. Compared to its competitors, Lockbit is highly organized, resembling a startup. Its affiliate program even includes recommendations on which targets to avoid to stay under law enforcement radar, specifically sectors like healthcare, education, and oil.

Lockbit 2.0 to 3.0

Lockbit 2.0 first appeared in cybersecurity reports in early 2022. The group gradually deployed this new version, testing its features before a full-scale launch. Victims quickly accumulated, including well-known companies like TitanHQ and Travelex.

In February 2022, law enforcement managed to infiltrate Lockbit’s systems and seize millions of dollars in ransom, forcing the group to temporarily suspend its activities. However, by March 2022, Lockbit resumed operations, launching a series of notable attacks. Lockbit 3.0 was released in May 2022, with significant improvements to avoid antivirus detection and introducing a function to delete backups.

The ransomware evolved into Lockbit 2.0 and then Lockbit 3.0, with each version introducing more sophisticated evasion techniques and destructive capabilities, such as deleting backups to prevent data recovery.

In September 2022, an internal disagreement led to the release of Lockbit 3.0’s source code on GitHub. According to Kaspersky, this leak resulted in the creation of over 400 variants of Lockbit 3.0 under the ransomware-as-a-service (RaaS) model, allowing other cybercriminals to use its malicious software for a commission. Initially known as “abcd” due to the extension added during data encryption, Lockbit quickly made a name for itself in cybercrime.

Modus Operandi

1.Infection Methods

Lockbit uses a variety of methods to infiltrate its victims’ computer systems, including :

    • Phishing: Lockbit sends fraudulent emails to gather sensitive information. In February 2023, Lockbit used a sophisticated phishing campaign to infiltrate Royal Mail, resulting in a ransom demand of $80 million.

    • Exploitation of Security Flaws: Targeting outdated or unprotected systems. In 2022, Lockbit exploited a vulnerability in an enterprise’s RDP service to gain initial access and used tools like PsExec to move laterally across the network, encrypting data on multiple systems and demanding a substantial ransom.

    • Malware Installation: Using backdoors for stealthy access. Recently, Lockbit used ConnectWise RMM software to penetrate the systems of several clients of a managed services provider, installing malicious versions of the software to establish persistence and exfiltrate data before deploying ransomware.

2. Attack Phases

    • Exploitation: Using social engineering or brute force attacks to infiltrate a network and obtain VPN or RDP credentials.

    • Infiltration: Gaining elevated privileges and preparing for ransomware deployment. For example, in a 2023 attack, Lockbit used tools like Mimikatz to steal administrator credentials, allowing control over more systems.

    • Persistence: Maintaining access to the compromised network by enabling automatic logon or continually using compromised credentials.

    • Defense Evasion: Avoiding detection and disabling network defenses using tools like Defender Control to disable EDR processes and services or clearing event log files to hide traces.

    • Lateral Movement: Moving laterally within the compromised network using remote desktop software like Splashtop or targeting SMB shares with Cobalt Strike.

3. Data Encryption

Once initial access is obtained, Lockbit affiliates execute malicious commands to deploy the ransomware, such as using batch scripts to execute malicious commands via the Windows Command Shell or using Chocolatey to deploy malicious software on infected systems.

To maximize the impact of their attacks and make data access impossible, Lockbit affiliates use various destructive techniques:

    • Data Encryption: Encrypting data on target systems to disrupt their availability.
    • Internal Defacement: Changing the system’s wallpapers and icons to the Lockbit 3.0 branding.
    • System Recovery Inhibition: Deleting volume shadow copies to prevent data recovery.

4. Ransom Demand

    • After encryption, Lockbit displays a ransom note demanding payment in cryptocurrency under the threat of data destruction or disclosure.
  1.  

How to Protect Against Lockbit?

Organizations are encouraged to implement mitigation measures developed by CISA and NIST to strengthen their cybersecurity posture against Lockbit’s activities.

  • Initial Access: Use sandboxed browsers, enforce strong password policies, utilize MFA, segment networks, and filter malicious emails.

  • Execution: Control network connections and enable advanced PowerShell logging.

  • Privilege Escalation: Restrict command-line activities and use Credential Guard.

  • Defense Evasion: Establish application whitelisting and enforce local security policies.

  • Credential Access: Limit NTLM usage with security policies.

  • Discovery: Disable unused ports.

  • Lateral Movement: Monitor network activities with surveillance tools.

  • Command and Control: Create trust zones for sensitive assets and adopt Zero Trust architecture for VPNs.

  • Exfiltration: Block connections to malicious systems with a TLS proxy and restrict access to public file-sharing services.

  • Impact: Maintain multiple copies of sensitive data in secure locations and regularly update offline backups.
  • Security Controls Validation: Continuously test and validate your security program against MITRE ATT&CK techniques to ensure optimal protection.

Cronos Operation

In February 2022, law enforcement took action and infiltrated Lockbit’s systems, seizing millions in ransom and forcing the group to suspend activities temporarily. Lockbit resumed attacks by March 2022, targeting prominent companies.

The first arrests related to Lockbit began in October 2022 during Operation Cronos, conducted by authorities from 11 countries. In October 2022, Canadian authorities intercepted Mikhael Vasiliev, suspected of being a significant member of Lockbit, revealing his involvement in over a hundred attacks in France and links to other hacker groups like Blackcat, Ragnarlocker, and Darkside.

In May 2023, the FBI offered a $10 million reward for information leading to the identification of Mikhail Pavlovich Matveev, alias “Wazawaka,” crucial in developing Lockbit’s ransomware. Despite these efforts, Lockbit remains defiant. In June 2023, seven international cybersecurity agencies published a guide to help companies defend against Lockbit.

In February 2024, a major police operation led to the seizure of Lockbit’s infrastructure. This operation, the result of years of meticulous investigation by Europol, the NCA, and national authorities, involved collecting evidence, analyzing millions of financial transactions, and conducting complex surveillance operations to identify network members.

The operation seized dozens of servers and over 200 cryptocurrency wallets. Authorities also obtained a thousand decryption keys, allowing the creation of decryption software freely available to Lockbit victims. Additionally, the source code and documents explaining the group’s expansion were discovered.

Lockbit’s Reputation in Tatters?

In a dramatic turn for global cybersecurity, Operation Cronos dealt a significant blow to the criminal franchise LockBit by revealing approximately 190 affiliate accounts. This revelation comes from the cybersecurity intelligence firm Recorded Future and highlights the significant reduction in options for the gang. LockBit’s ability to rebound has been severely hampered largely due to the negative publicity surrounding the gang.

By suggesting that LockbitSupp is now collaborating with law enforcement to reveal former partners, authorities have used an obvious attempt to nip any organizational recovery in the bud. This maneuver aims to deter any future association with LockbitSupp.

The police also took the liberty of mocking the ransomware gang by hijacking their data leak website.

But just a few weeks later, the hacker group Lockbit made a notable return on the dark web on February 24, 2024, mocking the efforts of the FBI and the international coalition. Lockbit announced that they had restored their servers and launched new Tor domains, already displaying five victims on their page and threatening to target more U.S. government sites.

The Presumed Leader of LockBit Unmasked

In a statement released on Tuesday, May 7, 2024, the National Crime Agency (NCA), the UK’s national crime-fighting agency, revealed a series of details about LockBitSupp, the leader of the cybercriminals.

Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, has been identified by international authorities as the mastermind behind LockBit 3.0. Known by the alias LockBitSupp, he is now the target of a $10 million reward offered by the FBI and the U.S. Department of Justice for 26 charges. Dmitry Yuryevich Khoroshev is now subject to asset freezes and travel bans.

This latest episode not only highlights the alleged identity of the LockBit operator but also the small number of cybercriminals who actually profit from these malicious activities.

According to information from Operation Cronos, out of the 114 affiliates listed within the LockBit infrastructure before its interruption, only 80 managed to generate revenue. The majority of cybercriminals did not gain any financial benefit from their actions.

With approximately 7,000 documented attacks between June 2022 and February 2024, and only 178 victims engaging in negotiations, most ransomware attempts failed to extort payment.

This revelation comes after a series of recent cyberattacks by Lockbit, including the attack on April 16, 2024, against the Cannes hospital, which led to the disclosure of 61 gigabytes of confidential patient data.

Lockbit: State of the Threat

Authorities continue to closely monitor the activities within this cybercriminal network.

Operation Cronos, despite being criticized for its lack of discretion and limited effectiveness against the group, has nonetheless succeeded in reducing the average number of monthly Lockbit attacks in the UK by 73% since February. The NCA states that Lockbit is currently operating at limited capacity, although the group is attempting to rebuild.

International authorities continue to target Lockbit affiliates responsible for attacks on schools, hospitals, and large enterprises. The effectiveness of these measures remains to be seen, especially with the approach of the Paris 2024 Olympics. International cooperation and information sharing between public and private actors remain essential to effectively counter this threat.

The next phase of this battle will unfold in the near future..

 

Jean-François SCHOONHEERE
CEO & founder Stroople