The Rise of LockBit: Dominating Global Ransomware Threats

The digital revolution has brought increased attention to cybersecurity issues globally. One of the significant cyber threats is ransomware, with the LockBit ransomware family being particularly notable. Since its inception in 2019, LockBit has evolved through numerous ransomware incidents, making it the most widely deployed ransomware variant by 2022 and continuing to be active into 2023 and 2024. According to Flashpoint data, from July 2022 to June 2023, this ransomware was responsible for 27.93% of all known ransomware attacks.

Figure 1: Statistics of Ransomware Family Attack Incidents

LockBit not only targets organizations of various sizes but also involves critical infrastructure sectors such as financial services, food and agriculture, education, energy, government, and emergency services.

LockBit intentionally refrains from targeting Russia or other CIS countries, potentially to avoid legal sanctions. According to LockBit, even though their base is in the Netherlands, many of their members originate from these regions. Therefore, they may take precautions to prevent attacks in these areas due to legal, geopolitical, or personal safety concerns. This strategy aims to minimize the risk of legal consequences and retaliatory actions.

LockBit operates on a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks. Due to the involvement of numerous unrelated affiliates, LockBit’s attacks vary significantly in the strategies, techniques, and procedures used. This variability poses significant challenges for organizations in maintaining cybersecurity and defending against ransomware threats.

Figure 2: Ransomware-as-a-Service (RaaS)

In this guide, we analyze LockBit’s history and what sets its ransomware attacks apart. Our goal is to raise awareness of the seriousness of these cyber threats and explore potential defense measures. By examining LockBit and its affiliates’ approaches, we can better understand the nature of modern cyber threats, offering valuable insights for the future of cybersecurity.

The Development History of LockBit Ransomware

1.2019: Origins and Early Development

LockBit initially appeared as the “ABCD” ransomware, primarily spreading through network intrusions and email phishing attacks.

2. 2020: LockBit 2.0 – Evolution and Innovation

This version represented a significant evolution for LockBit, introducing automated tools that significantly increased the speed of file encryption. It also offered more convenient ransom payment and decryption services and included the StealBit information-stealing tool.

3. 2021: LockBit 3.0 – Technical Upgrades and Strategic Adjustments

Introduced LockBit Black, also known as LockBit 3.0, which supports both Windows and Linux systems. This version featured more efficient encryption algorithms and a more complex ransom payment system. LockBit 3.0 has implemented a “double extortion” strategy, adding an additional layer of threat to the attacks.

4. 2023: Latest Developments

LockBit Linux-ESXi Locker: Expanded to target Linux and VMware ESXi systems.

LockBit Green: Integrated elements from the Conti ransomware, enhancing the attack capabilities.

Figure 3: LockBit Development Timeline

The evolution of LockBit not only demonstrates its technological advancements as ransomware but also highlights its expanding threat in the realm of cybercrime. This situation offers crucial insights for cybersecurity experts and organizations. Understanding LockBit’s development history and varied attack methods is essential for devising effective defense strategies.

As LockBit ransomware continues to evolve, its threat to global cybersecurity increases. LockBit is not only becoming more technically sophisticated but also continues to expand its range of victims. Additionally, through its RaaS model, LockBit allows individuals with limited technical capabilities to easily participate in its cybercriminal activities, further exacerbating its threat level.

The history and evolution of LockBit reveal a key reality: cyber threats are a constantly evolving field, and only through continuous attention and research can we effectively address these challenges. Next, we will explore LockBit’s recent activities and technical details to gain a deeper understanding of its attack methods.

Technical Details and Attack Strategies

LockBit ransomware, as one of the most advanced cyber threats today, is driven by a black-market commercial operation model that as we have seen above, continually iterates and updates its technology.

This demonstrates the attackers’ strong commitment to continuously refining their methods. LockBit’s frequent updates and high adaptability make it an especially challenging threat in the field of cybersecurity.

Below is a detailed description of the key technical characteristics and attack strategies of LockBit:

Figure 4: LockBit Attack Process

Initial Intrusion

LockBit operators employ a variety of strategies to gain initial access. They may exploit vulnerabilities in internet services, perform password brute-force attacks, or engage in phishing to obtain valid login credentials. Additionally, they may send customized phishing emails aimed at infiltrating office hosts and gaining control. To increase efficiency and success rates, LockBit attackers often collaborate with “Initial Access Brokers” (IABs).

Initial Access Brokers (IABs) are intermediaries who obtain and sell access to victim networks. They acquire access through various methods, such as RDP, VPN, web shells, SSH, and other direct access points. This access includes unauthorized entry to assets, databases, and system user accounts. IABs also trade exploitable enterprise systems and network devices with known vulnerabilities, such as those in Citrix, Fortinet, ESXi, and Pulse Secure. These brokers often sell access on hacker forums, sometimes multiple times to different ransomware organizations.

There exists a supply-demand relationship between IABs and ransomware vendors, facilitated through anonymous instant messaging (IM) tools and transactions in digital currency. Using hacker forums, ransomware operators can purchase access provided by IABs and directly implant ransomware to achieve extortion goals.

Figure 5: Data/Access Sales on Underground Forums

Recent LockBit attacks have primarily exploited CVE-2023-4966 (Citrix Bleed vulnerability) for initial intrusion. Affiliates of LockBit 3.0 bypassed multi-factor authentication (MFA) by exploiting this vulnerability, hijacking legitimate user sessions on Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices. Attackers sent specially crafted HTTP GET requests to retrieve system memory information, including NetScaler AAA session cookies. With these cookies, they established authenticated sessions on the NetScaler device without requiring a username, password, or MFA token.

Figure 6: Distribution of Citrix/NetScaler Gateway Assets

Deep Penetration & Execution

The bait formats used by LockBit ransomware are consistent with most phishing emails. They typically include the following types of files:

• Word Documents: These documents may contain malicious macros. When users open these documents and enable macros, the attachments install malware on the computer.
• HTML Attachments: HTML attachments are among the most common phishing attacks because they are generally perceived as less suspicious than other file types.
• Executable Files: These files may end with extensions such as .vbs, .js, .exe, .ps1, .jar, .bat, .com, or .scr, as all of these can be used to execute commands on a computer.

In the case disclosed by Boeing, the initial ransom sample was a ps1 script. The process started by executing a PowerShell script (e.g., 123.ps1), which concatenated, converted and wrote two base64 strings to a file (adobelib.dll). It then used rundll32 to call this dll file, passing a 104-character string parameter for decryption and execution.

Figure 7: Boeing Incident (123.ps1)

Privilege Escalation and Lateral Movement

The attacker further penetrates the internal network:

Credential Access (T1003): Tools like Mimikatz, ProxyShell, etc., may be used for credential access and lateral movement.

Lateral Movement (T1021): Tools such as PsExec or Cobalt Strike are used to execute code on controlled machines and other machines within the network.

Defense Evasion

LockBit uses BYOVD (Bring Your Own Vulnerable Driver) techniques, specifically abusing legitimate drivers and tools such as GMER, PC Hunter, and Process Hacker. These tools are designed for system diagnostics and security analysis, but in the hands of attackers, they are used to bypass security measures.

GMER, PC Hunter, and Process Hacker are commonly used rootkit detection and system monitoring tools. They have kernel-level access, allowing deep system-level operations. LockBit attackers exploit these tools in the following ways:

1. Disabling or Bypassing EDR and Antivirus Software: Attackers use the drivers of these tools to disable or bypass security software running on the system, making malicious activities more challenging to detect.
2. Modifying System Kernel Structures: These tools can access and modify kernel data structures, including disabling mandatory driver signatures and Protected Process Light (PPL) protection.
3. Hiding Malicious Activities: These tools are used to hide malicious processes and files, and clean up log records to avoid security analysis and forensics.

In the Boeing case, LockBit attackers used the Process Hacker tool. Process Hacker is an advanced system monitoring tool that provides features such as system resource monitoring, debugging, and memory viewing.

According to the loldrivers project statistics, there are currently 433 legitimate drivers (only statistical data) that can be exploited for attack activities.

Figure 8: Drivers at Risk of Abuse

Impact

LockBit 3.0’s ultimate goals include data destruction and extortion:

1. Data Encryption: Using AES and RSA algorithms to encrypt data.
2. Data Exfiltration: Uploading files using StealBit or cloud storage tools to perform double extortion.

Boeing, for instance, had approximately 40GB of data leaked due to non-payment of the ransom.

Figure 9: LockBit Publicly Leaked Stolen Data

Conclusion

The professional operation and evolving technical strategies of LockBit ransomware demonstrate the advancements in the cybercriminal world. This shows that traditional defense measures are not enough against increasingly specialized and complex threats.

Instead, cybersecurity defense must be dynamic and continuously evolving, requiring constant optimization of security strategies, technical measures, and management processes. Only through continuous learning, adaptation, and innovation can we effectively counter these cunning cyber attacks and ensure a robust and secure network environment.

Prevention Recommendations

To combat LockBit ransomware, companies, and organizations can implement various preventive measures from a risk management perspective to strengthen their security defenses:

1. Internet Asset Exposure Discovery: Conduct comprehensive queries and correlation analysis of domain names, IPs, and keywords to discover, identify, monitor, and audit internet assets, uncovering and organizing unknown internet assets.
2. Regular Updates and Patching: Ensure that operating systems and software (especially security software and commonly used applications) are kept up to date, and security patches are applied promptly.
3. Vulnerability Scanning: Use vulnerability scanners to perform security scans on web application assets, identifying security vulnerabilities in web applications (OWASP TOP10, weak passwords, CVE vulnerabilities, etc.).
4. Penetration Testing: Conduct manual penetration testing to simulate the techniques and attack methods used by hackers, performing non-destructive vulnerability discovery to identify potential security risks in the system.
5. Security Awareness Training: Enhance employees’ security awareness by educating them on how to recognize and avoid phishing attacks, suspicious emails, and links.
6. Backup and Recovery Plan: Regularly back up critical data and ensure backups are stored in secure, isolated locations. Regularly test data recovery processes.

Implement multiple protection measures to ensure asset security and mitigate unknown security risks:

• Exposure Surface Convergence: Implement exposure surface convergence strategies using zero trust solutions for secure network resource access to minimize the attack surface exposed to the internet. Use cloud security protection to hide the source IP of external sites, building a layered defense system.
• Web Security Protection: Deploy WAAP (Web Application And API Protection) products to protect web applications and APIs from various cyber attacks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and API abuse.
• Network Access Control: Properly segment network security domains to ensure internal and external isolation of critical network areas, limiting attackers’ ability to spread threats laterally within the internal network. If feasible, further implement network micro-segmentation for finer-grained network access control.
• Intrusion Detection and Response Plan: Deploy network and endpoint detection and response (NDR/EDR) tools to monitor network and system activities, quickly responding to suspicious or abnormal behaviors.
• Identity Verification and Access Management: Implement enhanced authentication mechanisms such as multi-factor authentication to ensure that only verified users and devices can access authorized network resources. Enforce the principle of least privilege, granting employees only the access necessary to perform their jobs.

Systematic Security Operations for Comprehensive Risk Management

• Continuous Monitoring and Behavioral Analysis: Implement real-time monitoring and use behavioral analysis techniques to identify abnormal behavior and potential threats from users and devices accessing the network.
• Dynamic Defense: Incorporate threat intelligence, big data, and AI technologies to automatically detect attack incidents and deploy countermeasures. Continuously optimize security strategies to dynamically enhance overall security capabilities.

Adopting risk management, WAAP, and zero trust principles can effectively improve the ability to defend against LockBit ransomware and other advanced persistent threats (APT). At the same time, organizations should not only focus on technical defenses but also consider personnel and processes, creating an effective operational security system.