Mar 18, 2023
Ravie Lakshmanan
U.S. government agencies have released a joint cybersecurity
advisory detailing the indicators of compromise (IoCs) and tactics,
techniques, and procedures (TTPs) associated with the notorious
LockBit 3.0 ransomware[1].
“The LockBit 3.0 ransomware operations function as a
Ransomware-as-a-Service (RaaS) model and is a continuation of
previous versions of the ransomware, LockBit 2.0, and LockBit,” the
authorities said[2].
The alert comes courtesy of the U.S. Federal Bureau of
Investigation (FBI), the Cybersecurity and Infrastructure Security
Agency (CISA), and the Multi-State Information Sharing & Analysis
Center (MS-ISAC).
Since emerging in late 2019, the LockBit actors[3]
have invested significant technical efforts[4]
to develop and fine-tune their malware, issuing two major updates —
LockBit 2.0, released in mid-2021, and LockBit 3.0[5], released in June 2022.
The two versions are also known as LockBit Red and LockBit Black,
respectively.
“LockBit 3.0 accepts additional arguments for specific
operations in lateral movement and rebooting into Safe Mode,”
according to the alert[6]. “If a LockBit affiliate
does not have access to passwordless LockBit 3.0 ransomware, then a
password argument is mandatory during the execution of the
ransomware.”
The ransomware is also designed to infect only those machines
whose language settings do not overlap with those specified in an
exclusion list, which includes Romanian (Moldova), Arabic (Syria),
and Tatar (Russia).
Initial access to victim networks is obtained via remote desktop
protocol (RDP) exploitation, drive-by compromise, phishing
campaigns, abuse of valid accounts, and weaponization of
public-facing applications.
Upon finding a successful ingress point, the malware takes steps
to establish persistence, escalate privileges, carry out lateral
movement, and purge log files, files in the Windows Recycle Bin
folder, and shadow copies, before initiating the encryption
routine.
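A defender-side check for the pre-encryption cleanup step described above, added here as an example and not part of the article or the advisory: a small Python scanner that flags shadow-copy deletion and event-log clearing in constructed Sysmon-style process-creation records. The record format and the sample lines are constructed, and the command-line forms matched (vssadmin, wmic shadowcopy, wevtutil) are the standard Windows built-ins for those actions, assumed here rather than taken from the page.

```python
import re

# Command-line forms of the pre-encryption cleanup the article describes
# (shadow-copy deletion, event-log clearing). These are the standard
# Windows built-ins for those actions, assumed here rather than quoted
# from the advisory; matching is case-insensitive.
PRECURSOR_PATTERNS = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "event_log_clearing": [
        re.compile(r"\bwevtutil(\.exe)?\b\s+cl\b", re.I),
    ],
}

def parse_record(line):
    """Parse one 'key=value|key=value' process-creation record (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def scan_records(lines):
    """Return (host, user, category, command_line) for every matching record."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        for category, patterns in PRECURSOR_PATTERNS.items():
            if any(p.search(cmd) for p in patterns):
                findings.append((rec.get("Host", "?"), rec.get("User", "?"), category, cmd))
                break  # one finding per record is enough
    return findings

# Constructed sample records (simplified Sysmon-style process creation events).
SAMPLE_LOG = """
Host=FS01|User=CORP\\svc_backup|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin delete shadows /all /quiet
Host=FS01|User=CORP\\svc_backup|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic shadowcopy delete
Host=WS07|User=CORP\\jdoe|Image=C:\\Windows\\System32\\wevtutil.exe|CommandLine=wevtutil cl Security
Host=WS07|User=CORP\\jdoe|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin list shadows
""".splitlines()

if __name__ == "__main__":
    for host, user, category, cmd in scan_records(SAMPLE_LOG):
        print(f"[{category}] {host} {user}: {cmd}")
```

Only the three destructive records are flagged; the read-only `vssadmin list shadows` line is not.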
“LockBit affiliates have been observed using various freeware
and open source tools during their intrusions,” the agencies said.
“These tools are used for a range of activities such as network
reconnaissance, remote access and tunneling, credential dumping,
and file exfiltration.”
One defining characteristic of the attacks is the use of a
custom exfiltration tool referred to as StealBit[7], which the LockBit group
provides to affiliates for double extortion purposes.
In November, the U.S. Department of Justice reported[8]
that the LockBit ransomware strain has been used against at least
1,000 victims worldwide, netting the operation over $100 million in
illicit profits.
Industrial cybersecurity firm Dragos, earlier this year,
revealed[9]
that LockBit 3.0 was responsible for 21% of 189 ransomware attacks
detected against critical infrastructure in Q4 2022, accounting for
40 incidents. A majority of those attacks impacted food and
beverage and manufacturing sectors.
The FBI’s Internet Crime Complaint Center (IC3), in its latest
Internet Crime Report[10], listed LockBit (149),
BlackCat[11] (114), and Hive[12] (87) as the top three
ransomware variants victimizing critical infrastructure in
2022.
Despite LockBit’s prolific attack spree, the ransomware gang
suffered a huge blow[13] in late September 2022
when a disgruntled LockBit developer released the builder code for
LockBit 3.0, raising concerns that other criminal actors could take
advantage of the situation and spawn their own variants.
The advisory comes as the BianLian[15] ransomware group has
shifted its focus[16] from encrypting its
victims’ files to pure data-theft extortion attacks, months after
cybersecurity company Avast released[17] a free decryptor in
January 2023.
In a related development, Kaspersky has published[18] a free decryptor to
help victims who have had their data locked down by a version of
ransomware based on the Conti source code[19] that leaked[20] after Russia’s invasion
of Ukraine last year led to internal friction[21] among the core
members.
“Given the sophistication of the LockBit 3.0 and Conti ransomware[22] variants, it is easy to
forget that people are running these criminal enterprises,” Intel
471 noted[23] last year. “And, as
with legitimate organizations, it only takes one malcontent to
unravel or disrupt a complex operation.”
References
- [1] LockBit 3.0 ransomware (thehackernews.com)
- [2] said (www.cisa.gov)
- [3] LockBit actors (www.wired.com)
- [4] technical efforts (thehackernews.com)
- [5] LockBit 3.0 (thehackernews.com)
- [6] alert (www.cisa.gov)
- [7] StealBit (www.cybereason.com)
- [8] reported (thehackernews.com)
- [9] revealed (www.dragos.com)
- [10] Internet Crime Report (www.ic3.gov)
- [11] BlackCat (thehackernews.com)
- [12] Hive (thehackernews.com)
- [13] suffered a huge blow (intel471.com)
- [14] RESERVE YOUR SEAT (thn.news)
- [15] BianLian (thehackernews.com)
- [16] shifted its focus (redacted.com)
- [17] released (thehackernews.com)
- [18] published (usa.kaspersky.com)
- [19] Conti source code (thehackernews.com)
- [20] leaked (thehackernews.com)
- [21] internal friction (www.bloomberg.com)
- [22] Conti ransomware (intel471.com)
- [23] noted (intel471.com)
- [24] Twitter (twitter.com)
- [25] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/03/lockbit-30-ransomware-inside.html
