LockBit Ransomware: What You Need to Know to Protect Against It

LockBit remains a top threat in a very diverse ransomware landscape. In the first half of 2023, LockBit was responsible for more successful attacks than any other ransomware family, with BlackCat and Clop in second and third place.

LockBit continued to breach large companies and government agencies throughout 2023. In October, for example, the LockBit group claimed responsibility for a breach of personal data held by the Canadian government, stating that 1.5 terabytes of archived documents, including the personal data of state officials, had been stolen. Other prominent victims have included Boeing, the US arm of ICBC (China's biggest bank) and the UK Ministry of Defence.

Say no to ransoms with NAKIVO

Use backups for fast data recovery after ransomware attacks. Multiple recovery options, immutable local and cloud storage, recovery automation features and more.

What Is LockBit Ransomware?

LockBit is double extortion ransomware developed by the criminal group of the same name; the first LockBit attacks date back to 2019. The group develops the ransomware and offers it to affiliates under a ransomware-as-a-service (RaaS) model in return for a share of the ransom payments, and the recruited affiliates carry out the attacks. It counts as double extortion because, in addition to encrypting files, LockBit exfiltrates data, and the attackers then threaten to publish it on their leak site.

The Evolution of LockBit Ransomware

The LockBit ransomware has undergone several iterations since it was first identified as ABCD ransomware, becoming more sophisticated as it has evolved. LockBit is constantly being improved to infiltrate protected networks and remain undetected. Attackers actively investigate security systems to find vulnerabilities and use social engineering and other techniques to ensure the success of their attacks.

Let’s look at the iterations to date:

ABCD

ABCD was the first version of the LockBit group's ransomware, first detected in September 2019. The name reflects the .abcd extension appended to encrypted files. This version also dropped a text file named Restore-My-Files.txt in every folder containing encrypted data, describing the ransom payment and the restoration procedure.

LockBit

LockBit 1.0, or simply LockBit, is the second version; it appends the .LockBit extension to encrypted files instead of .abcd. In design and execution it differs little from ABCD, with only a few changes to the backend code.

LockBit 2.0

LockBit 2.0, first seen in action in June 2021, was a substantial revision that made the family a far more serious threat. It combines the Advanced Encryption Standard (AES) for file contents with elliptic curve cryptography (ECC) to protect the keys. Its operators rely on tools IT teams already use, so that execution and lateral movement blend in with administration: Windows Management Instrumentation (WMI) commands, SMB connections and PowerShell.

LockBit 2.0 encrypts offline: once a host is infected, encryption proceeds whether or not the machine can still reach the network. The group also provides affiliates with an administration panel, reachable over Tor, for keeping track of their attacks.

LockBit 3.0 aka LockBit Black

LockBit Black (LockBit 3.0) followed in June 2022. It is more evasive and more modular than its predecessors: affiliates can customize options when the payload is built, and its behaviour can be altered further at run time with command-line arguments. This version also borrows features from other ransomware families, notably BlackCat and BlackMatter.

Many LockBit 3.0 builds will only run if the affiliate supplies the correct password (the -pass argument), which is used to decrypt the executable's packed code in memory. Without the password the sample does nothing useful, so automated sandboxes and analysts cannot observe or unpack the payload.

The encrypted section also defeats signature-based antivirus and anti-malware products: each build is encrypted with its own key, so every sample has a different hash and no stable byte pattern to match. Only after the correct password is supplied is the main code decrypted and decompressed, and the ransomware proceeds from there.

LockBit Green

LockBit Green, first seen in January 2023, is the fifth LockBit variant and has been described as adapted to target cloud-based services. It has a new look and feature set compared with previous versions, but much of its code comes from the Conti ransomware, which is no longer active and whose source code leaked in 2022.

LockBit Ransomware File Extensions

After a successful intrusion and encryption run, LockBit renames encrypted files with one of the following extensions:

  • .abcd (past-gen ABCD ransomware)
  • .lockbit (LockBit and LockBit 2.0)
  • A random 9-character string (LockBit 3.0 and LockBit Green)

The Main Stages of a LockBit Ransomware Attack

A LockBit ransomware attack usually proceeds in 3 stages:

  1. Breach. Attackers get past the organization's perimeter by sending phishing emails, impersonating executives to obtain administrative credentials, brute-forcing internal hosts and network services, and similar methods. Exploits for exposed Remote Desktop Protocol (RDP) services and vulnerable public-facing applications are also used heavily.

    Once attackers have a foothold in the network, they prepare the ground to increase the eventual reach and damage of the ransomware run. Organizations with flat, unsegmented networks have far less time to react to a breach.

  2. Infiltration. From this point the LockBit payload itself performs most of the work. It uses privilege escalation techniques to obtain the access it needs, then disables host firewalls, malware detection and alerting so that it can act more freely and stay below the security team's radar.

    The main focus of the ransomware here is to reach as much data as possible, thus increasing damage and preventing independent data recovery.

    During this stage, LockBit can take the following actions to reach the required level of access:

    • Termination of services and processes
    • Execution of commands
    • Deletion of log files

    LockBit 3.0 can bypass Windows User Account Control (UAC) by having the Component Object Model (COM) launch an elevated surrogate process on its behalf, for example:

    %SYSTEM32%\dllhost.exe /Processid:{A14CF3B9-5C92-2583-2846-D359234FBB37}

    LockBit also deletes Volume Shadow Copies, the snapshots from which Windows could otherwise restore files, using Windows Management Instrumentation (WMI). It first enumerates the copies with the WQL query:

    select * from Win32_ShadowCopy

    and then removes each returned object by calling its DeleteInstance method.

    LockBit stops services with the following names: vss, sql, svc$, memtas, mepocs, sophos, backup, GxVss, GxBlr, GxFWD, GxCVD and GxCIMgr.

    It also terminates the following processes: sql, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad and notepad.

    Once these processes are gone, the files they held open (documents, mailboxes, databases) are no longer locked and can be encrypted or deleted.

  3. Deployment. This stage begins when the attackers consider the infrastructure weakened enough to start encryption. A compromised host with the necessary permissions instructs other machines on the network to download and execute the ransomware.

    Before encryption starts, LockBit affiliates can use StealBit, the group's own exfiltration tool, to copy out data of interest. The threat of leaking that data is the second extortion lever in a LockBit attack.

    The data on every reachable host is then encrypted, and LockBit drops a .txt file with payment instructions into every folder. The file is typically named RansomwareID.README.txt.

One of LockBit's most dangerous features is self-propagation, which simplifies the attacker's job and shortens the attack. Once an operator has administrative access to the environment, launching the ransomware once is enough: the code delivers LockBit executables to every other reachable host on its own.

The decryption of encrypted files is possible only after complying with hackers’ demands and receiving the proprietary tool from LockBit developers. As mentioned above, another reason to comply would be to prevent the public sharing of sensitive or personal data.
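As an added illustration, written for this article rather than taken from LockBit, from CISA or from any vendor product, the following Python script turns the stage-2 behaviours described above into detection logic and runs it over a handful of constructed process-creation events shaped like Sysmon Event ID 1 records. The service and process names and the dllhost.exe CLSID are the ones given above; the net/sc/taskkill command-line shapes and the vssadmin/wmic shadow-copy forms are assumptions of the example (LockBit itself stops services and kills processes through Windows APIs, so these patterns catch the equivalent hands-on-keyboard activity rather than the binary's own calls).

```python
import re
from dataclasses import dataclass

# Service and process names the article lists as terminated by LockBit
# (lower-cased for comparison).
KILLED_SERVICES = {
    "vss", "sql", "svc$", "memtas", "mepocs", "sophos", "backup",
    "gxvss", "gxblr", "gxfwd", "gxcvd", "gxcimgr",
}
KILLED_PROCESSES = {
    "sql", "oracle", "ocssd", "dbsnmp", "synctime", "agntsvc", "isqlplussvc",
    "xfssvccon", "mydesktopservice", "ocautoupds", "encsvc", "firefox",
    "tbirdconfig", "mydesktopqos", "ocomm", "sqbcoreservice", "excel",
    "infopath", "msaccess", "mspub", "onenote", "outlook", "powerpnt", "steam",
    "thebat", "thunderbird", "visio", "winword", "wordpad", "notepad",
}
# CLSID quoted in the article's dllhost.exe UAC-bypass example.
ELEVATED_COM_CLSID = "{A14CF3B9-5C92-2583-2846-D359234FBB37}"

# Command-line shapes assumed by this example (not LockBit's own command lines):
# net/sc stop <service>, taskkill /im <process>, and the common vssadmin/wmic
# ways of deleting shadow copies. The article itself only describes the WMI
# Win32_ShadowCopy route, which the substring check below also covers.
_SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.I)
_TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?([^\s\".]+)", re.I)
_VSS_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)


@dataclass(frozen=True)
class Finding:
    behaviour: str  # which stage-2 behaviour from the article the event matches
    detail: str


def classify(event: dict) -> list[Finding]:
    """Return the LockBit stage-2 behaviours a single process-creation event matches."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    findings = []
    # UAC bypass: dllhost.exe started as the surrogate for the elevated COM object.
    if image.endswith("\\dllhost.exe") and ELEVATED_COM_CLSID.lower() in low:
        findings.append(Finding("uac-bypass", "dllhost.exe hosting elevated COM object " + ELEVATED_COM_CLSID))
    # Shadow copy deletion via WMI (Win32_ShadowCopy) or the assumed CLI forms.
    if "win32_shadowcopy" in low or _VSS_DELETE.search(cmd):
        findings.append(Finding("shadow-copy-deletion", cmd.strip()))
    # Stopping one of the backup/security/database services LockBit targets.
    m = _SERVICE_STOP.search(cmd)
    if m and m.group(1).lower() in KILLED_SERVICES:
        findings.append(Finding("service-kill", "stop of service " + m.group(1)))
    # Killing one of the processes LockBit terminates to unlock open files.
    m = _TASKKILL.search(cmd)
    if m and m.group(1).lower() in KILLED_PROCESSES:
        findings.append(Finding("process-kill", "taskkill of " + m.group(1)))
    return findings


def triage(events: list[dict]) -> list[tuple[int, Finding]]:
    """Run classify() over a batch and return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:" + ELEVATED_COM_CLSID},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop vss"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc stop GxCVD"},
    {"Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /f /im winword.exe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop Spooler"},  # not in the list
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},  # benign
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {finding.behaviour}: {finding.detail}")
```

A single service stop is ordinary administration; what should raise an alert is several of these behaviours from one host within a short window, which is why triage() keeps the event index so that hits can be grouped by host and time in a real pipeline.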

The Signs of a LockBit Infection

LockBit 3.0 modifies registry values, including those that govern Group Policy, and pushes its changes to the domain through Group Policy objects. To make every domain-joined computer apply the new policy immediately, it runs the following PowerShell command (the '%s' is a placeholder that the malware fills in with the Active Directory search base):

powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}

Registry artifacts that point to a LockBit infection include:

  • Ransomware icon:

    HKCR\.<Malware Extension>

    HKCR\<Malware Extension>\DefaultIcon

    with the default value pointing to C:\ProgramData\<Malware Extension>.ico

  • Ransomware desktop wallpaper:

    HKCU\Control Panel\Desktop\WallPaper

    with the value of C:\ProgramData\<Malware Extension>.bmp

  • Enabling automatic Windows logon:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon with the values

    AutoAdminLogon 1

    DefaultUserName

    DefaultDomainName

LockBit 3.0 has been observed dropping its executable at the following paths:

  • ADMIN$\Temp\LockBit3.0_Filename.exe
  • %SystemRoot%\Temp\LockBit3.0_Filename.exe
  • \Domain_Name\sysvol\Domain_Name\scripts\Lockbit3.0_Filename.exe (on a Domain Controller)
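The registry artifacts above can be checked offline against a hive export. The following Python script is an added example written for this article (it is not LockBit code, nor part of any vendor product): it parses a registry export in the format produced by reg export and reports the three signs listed above. The 9-character extension Ab3Kx9QzT and the whole export are constructed for the example, and the assumption that the LockBit 3.0 extension is nine alphanumeric characters is encoded in the regular expression.

```python
import re

# Constructed 9-character extension standing in for the random one LockBit 3.0 generates.
SAMPLE_EXT = "Ab3Kx9QzT"

# Constructed registry export (the format `reg export` produces) containing the
# artefacts listed in the article plus a benign .txt registration as a negative case.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.Ab3Kx9QzT]
@="Ab3Kx9QzT"

[HKEY_CLASSES_ROOT\Ab3Kx9QzT\DefaultIcon]
@="C:\\ProgramData\\Ab3Kx9QzT.ico"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"WallPaper"="C:\\ProgramData\\Ab3Kx9QzT.bmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultDomainName"="CORP"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\DefaultIcon]
@="%SystemRoot%\\system32\\imageres.dll,-102"
"""


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Minimal REGEDIT5 parser: {key path: {value name: value}}.
    Handles REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx); '@' is the default value."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (line.startswith('"') or line.startswith("@")):
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                # .reg files escape backslashes and quotes inside strings.
                value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif raw.lower().startswith("dword:"):
                value = str(int(raw[6:], 16))
            else:
                value = raw
            keys[current][name] = value
    return keys


def _key(keys: dict, path: str) -> dict:
    """Case-insensitive key lookup, since registry paths are case-insensitive."""
    return next((v for k, v in keys.items() if k.lower() == path.lower()), {})


# Assumption: the LockBit 3.0 extension is nine alphanumeric characters.
_EXT_ICON = re.compile(r"^HKEY_CLASSES_ROOT\\([A-Za-z0-9]{9})\\DefaultIcon$", re.I)


def find_lockbit_signs(keys: dict) -> list[tuple[str, str]]:
    """Return (sign, detail) pairs for the registry artefacts the article lists."""
    signs = []
    # 1. Ransomware icon: HKCR\.<ext> registered, and HKCR\<ext>\DefaultIcon
    #    pointing at C:\ProgramData\<ext>.ico.
    for path, values in keys.items():
        m = _EXT_ICON.match(path)
        if not m:
            continue
        ext = m.group(1)
        icon = values.get("(Default)", "").lower()
        registered = _key(keys, "HKEY_CLASSES_ROOT\\." + ext).get("(Default)", "")
        if icon == "c:\\programdata\\" + ext.lower() + ".ico" and registered.lower() == ext.lower():
            signs.append(("ransom-icon", ext))
    # 2. Ransomware wallpaper: a bitmap dropped in C:\ProgramData.
    wallpaper = _key(keys, r"HKEY_CURRENT_USER\Control Panel\Desktop").get("WallPaper", "")
    if wallpaper.lower().startswith("c:\\programdata\\") and wallpaper.lower().endswith(".bmp"):
        signs.append(("ransom-wallpaper", wallpaper))
    # 3. Automatic Windows logon enabled for a stored account.
    winlogon = _key(keys, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    if winlogon.get("AutoAdminLogon") == "1":
        account = winlogon.get("DefaultDomainName", "?") + "\\" + winlogon.get("DefaultUserName", "?")
        signs.append(("auto-logon", account))
    return signs


if __name__ == "__main__":
    for sign, detail in find_lockbit_signs(parse_reg(SAMPLE_REG)):
        print(f"{sign}: {detail}")
```

On a live host the same checks are a few lines of PowerShell against HKCR:, HKCU: and HKLM:, but parsing an export keeps the triage read-only and lets the same logic run over hives collected from many machines.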

How to Protect Data Against the LockBit Threat

Protecting your systems against ransomware and malware in general involves two aspects:

  1. Security measures, that is trying to prevent infection in the first place
  2. Data protection strategies: recovering after an incident with minimal data loss and downtime – without paying the ransom

Let’s look at each of these in more detail.

Security measures

  • Regularly update operating systems, software and firmware. Outdated components may carry vulnerabilities that attackers can exploit to get ransomware into your infrastructure, and vendors generally patch disclosed weaknesses quickly.
  • Segment the network into separate compartments. An intruder who lands in one segment does not immediately see what is in the others and cannot reach them without further work, which slows reconnaissance and lateral movement and, against self-propagating ransomware such as LockBit, limits how far a single launch can spread. Some ransomware crews pass over well-segmented targets altogether; LockBit affiliates do not appear to, so treat segmentation as a way to slow and contain an attack rather than to deter it.
  • Close unused network ports and services. Every exposed port is one more way for an attacker to reach internal hosts and start an attack.
  • Monitor networks and hosts for anomalous behaviour with active monitoring solutions. This raises situational awareness and shortens the time between intrusion and detection; a fast response can limit the damage or stop the malware from spreading.
  • Use real-time threat detection antivirus. Alongside network monitoring, endpoint antivirus provides device-level visibility on servers and workstations.

    LockBit itself is built to evade malware scanners, but affiliates also use other, less stealthy tools to set up and support their attacks. A real-time antivirus will alert you when one of those shows up inside the environment.

  • Integrate anti-phishing solutions to counter the social engineering techniques used by LockBit affiliates to compromise an organization’s security. Disabling email hyperlinks and adding warning banners for emails from outside an organization can help you reduce the risk of an inattentive team member hitting a phishing link.

Data protection strategies

Given that LockBit can introduce itself undetected and trick threat monitoring tools, you need to have a second line of defense in place to ensure that you can recover after a ransomware incident actually occurs. Your incident response plan should include a data backup and disaster recovery strategy.

Create a data protection plan.

  • Identify critical VMs and applications. To avoid data loss, maintain uptime, and ensure compliance even after a ransomware attack, you should use backup and replication to protect your machines. The first step in a data protection strategy is taking stock of the critical data and machines needed for business continuity. The next step is determining how critical each machine is to help you determine the frequency of backups, retention policies, and recovery objectives.
  • Define business RPOs and RTOs. With a clear understanding of where your critical data resides, you can set the right recovery point objective (RPO) and recovery time objective (RTO) for each type of production machine. RPO and RTO refer to the maximum amount of data loss and downtime your business can tolerate.
  • Set a data protection testing schedule. Conduct regular backup and DR strategy testing and ensure that each team member understands their role in the recovery process. The worst time to find out that your data is unrecoverable is when the original data is already lost or encrypted.

Follow the 3-2-1-1 backup rule.

  • Keep as many data copies as you can. Decide on the number of backups to create and on the retention policy based on how critical a machine or application is. For the best chances of recovery, apply the 3-2-1 backup strategy: create at least three (3) copies of your data at all times: the primary data and two backup copies. Second, store data on two (2) different types of media. Third, keep one (1) copy offsite to ensure recovery in the event of a disaster hitting your production site.
  • Protect backups against ransomware. Attackers go after backup data as readily as production machines, which is why the rule has been extended with one more immutable copy (3-2-1-1). Immutability applies the write-once-read-many (WORM) model so that backup data cannot be modified, encrypted or deleted for the duration of its retention period. A ransomware run cannot tamper with such a copy, and it remains available for recovery when production data is inaccessible.

Using NAKIVO’s Data Protection Solution

A dedicated data protection solution allows you to automate data protection processes to avoid overextending your resources and prevent retention gaps. NAKIVO Backup & Replication is a comprehensive data protection solution that supports virtual, physical, cloud, SaaS workloads and hybrid infrastructures. By implementing NAKIVO’s solution, you will have complete control and visibility into your data protection infrastructure via the web interface, regardless of the platforms used: VMware vSphere, Microsoft Hyper-V, Windows, Linux, Microsoft 365, etc.

The solution also delivers all the features needed to apply the 3-2-1-1 rule, including immutability and backup data tiering:

  • Backup immutability for backups sent to the cloud (Amazon S3, Wasabi, Backblaze B2 and other S3-compatible platforms) and to Linux-based local storage (including NAS devices)
  • Backup copy automation with Job Chaining to allow you to diversify storage with offsite and tape backups by creating automated workflows
  • Security features to prevent unauthorized access, including two-factor authentication (2FA) and role-based access controls (RBAC) to help you apply the principle of least privilege (PoLP), limiting the access permissions of team members based on their responsibilities in your organization
  • Integrated DR features like Real-Time Replication and Site Recovery can help you meet RPOs of 1 second and the tightest RTOs
  • Full and granular recovery options provide you with the flexibility to recover exactly what you need in the shortest time

Try NAKIVO Backup & Replication

Get a free trial to explore all the solution’s data protection capabilities. 15 days for free. Zero feature or capacity limitations. No credit card required.
