The Cortex Threat Research team has been tracking the widely spread LockBit ransomware since it first emerged in September 2019. Since then, the operations have grown rapidly and new updated versions of the ransomware were released: LockBit 2.0 in mid-2021 and LockBit 3.0 that was released in June of 2022.
The LockBit ransomware operation follows the ransomware-as-a-service (RaaS) model and uses affiliates to distribute the ransomware. The affiliates deploy the ransomware using many varying tactics, techniques, and procedures (TTPs) and attack a wide range of businesses and critical infrastructure organizations worldwide. The LockBit operation is run like any other “normal” business, which has contributed to it becoming the most profitable and active ransomware group in the world, with dozens of victims every month.
In 2022, LockBit posted information about 801 breached organizations on their leak site, which was an increase of 95% in victim count compared to last year’s entries, according to the 2023 Unit 42 Ransomware and Extortion Report. As of May 25, 2022, LockBit 2.0 accounted for 46% of all ransomware-related breach events shared on leak sites in 2022. The LockBit 2.0 RaaS leak site has published names and information about more than 850 compromised organizations. It's believed that LockBit 3.0 will continue to lead in the ransomware threat landscape in 2023 as well.
LockBit 3.0, also known as “LockBit Black,” was created after some critical bugs were found in LockBit 2.0 in March of 2022. Besides those bug fixes, and even a public “bug bounty” program, LockBit 3.0 added features that make it more evasive than ever.
Historically, the LockBit operation has used payloads designed for attacks on Windows, Linux, and VMware ESXi servers. However, in April 2023, an archive containing test builds was uploaded to VirusTotal, suggesting that LockBit 3.0 also has payloads for encrypting macOS and FreeBSD systems and the ARM, MIPS, and SPARC CPU architectures. This marks a significant shift in the ransomware threat landscape, as it shows that attackers are now targeting Apple products, which were believed to be almost immune to such attacks.
Cortex XDR uses multiple layers of protection, including behavioral threat protection and exploit protection, to protect customers against the LockBit ransomware.
As mentioned earlier in the blog, the LockBit ransomware operation follows the ransomware-as-a-service (RaaS) model and uses affiliates to distribute the ransomware. Those affiliates use different attack methods to penetrate an organization and eventually deploy the ransomware. Because the methods differ from one affiliate to another, it is challenging to find a clear pattern of attack.
From the information obtained by researchers and incident responders, the following methods were observed being used as initial infection vectors in LockBit attacks:
- Gaining initial access to victim networks via Remote Desktop Protocol (RDP) exploitation.
- Gaining initial access to victim networks via drive-by compromise.
- Gaining initial access to victim networks via phishing campaigns.
- Gaining initial access to victim networks via abuse of valid accounts. Those accounts can be bought in hacking forums or achieved using brute force attacks.
- Gaining initial access to victim networks via exploitation of public-facing applications.
Like other ransomware families that have emerged over the years, the LockBit group follows the growing trend of double extortion. As part of the attack, the operators steal sensitive files and information from their victims and later use them to extort the victims, threatening to publish the data unless the ransom is paid.
From the information obtained by researchers and incident responders, the following tools were reported as abused by LockBit’s affiliates to exfiltrate data:
- MEGA Ltd MegaSync
The affiliates operating the ransomware can also choose another tool to perform the data exfiltration - the LockBit team’s tool, StealBit.
StealBit, which was first introduced as part of LockBit 2.0, is given to the affiliates as part of an arsenal that also includes the LockBit Windows version and the LockBit Linux/ESXi version. According to the group behind it, it’s the fastest and easiest solution for performing data exfiltration.
Interestingly, the older build of StealBit didn’t require a password to operate, but the newer builds, created around July 2022, around the same time as LockBit 3.0, do require a password in order to run.
This is aligned with the overall attempts by the gang to keep their code from being analyzed and investigated by security researchers.
LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Some are built in and some can be turned on by providing a parameter via command line. LockBit 3.0 is equipped with the following capabilities:
- Flexible Windows execution: can be run as an EXE, DLL, reflective DLL, or PowerShell.
- Automatic distribution in the network via admin shares.
- Built-in port scanner to search for all shares, such as SMB, WebDAV and DFS.
- Printing the ransom note via network printers.
- Ability to distribute via Group Policy Objects (GPO).
- Changing extensions, icons, ransom note and wallpaper.
- Self-deletion.
- Shutting down the machine.
- Executing in safe mode to avoid security solutions.
- Shutting down processes, services and security solutions.
In addition, the group indicates that there is flexibility to add features at affiliates’ request, which gives the ransomware a modular structure.
As mentioned, various parameters can be supplied to further modify the behavior of the ransomware:
| Argument | Description |
| --- | --- |
| -pass (32 character value) | (Required) Password used to launch LockBit 3.0 |
| -gdel | Remove LockBit 3.0 group policy changes |
| -gspd | Spread laterally via group policy |
| -path (File or path) | Only encrypts the provided file or folder |
| -psex | Spread laterally via admin shares |
| -safe | Reboot host into Safe Mode |
| -wall | Sets the LockBit 3.0 wallpaper and prints out the LockBit 3.0 ransom note |

Table 1. Arguments supported by LockBit 3.0
The extension appended to newly encrypted files, as well as the ransom note name, differ per victim and consist of nine random alphanumeric characters (for example: T0p50Ce4N, Fx44f6z3n, 8GxwvnaA3).
A ransom note is dropped onto the victim’s machine, and contains information about what happened to the machine and how to contact the group and pay the ransom.
To make sure the ransom note is not missed, LockBit also changes the wallpaper and instructs the user to read the ransom note.
The encrypted files' icons are set to be the LockBit logo.
After execution, the ransomware attempts to delete itself. To do so, it drops another executable, in our example 8B76.tmp, that is responsible for removing its tracks.
The .tmp file overwrites the contents of the ransomware binary and then renames the file multiple times, with the new file names based on the length of the original file name. In our example, LockBit.exe, which has eleven characters (including the file name extension), is renamed to “AAAAAAAAAAA”, then “BBBBBBBBBBB”, and so on up to “ZZZZZZZZZZZ”, which is eventually deleted by the .tmp file.
This routine is likely the LockBit ransomware group’s attempt to completely remove its tracks and prevent forensic tools from recovering the ransomware binary. This is aligned with the group’s many attempts to protect their tools from researchers.
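The rename chain described above, turned into detection logic as an added example (not Unit 42's or LockBit's code): it walks file-rename events and flags a file whose successive new names are same-length repeated letters stepping through the alphabet (AAA…, BBB…, CCC…). The event format, a list of (source name, target name) pairs, and the sample telemetry are constructed stand-ins for real endpoint rename logs.

```python
import string
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample rename telemetry: the chain from the blog post plus unrelated noise.
SAMPLE_RENAMES: List[Tuple[str, str]] = [
    ("report.docx", "report.docx.bak"),
    ("LockBit.exe", "AAAAAAAAAAA"),
    ("AAAAAAAAAAA", "BBBBBBBBBBB"),
    ("BBBBBBBBBBB", "CCCCCCCCCCC"),
    ("notes.txt", "notes_old.txt"),
    ("CCCCCCCCCCC", "DDDDDDDDDDD"),
]

def is_repeated_letter(name: str) -> Optional[str]:
    """Return the letter if `name` is a single uppercase letter repeated, else None."""
    if name and name[0] in string.ascii_uppercase and name == name[0] * len(name):
        return name[0]
    return None

def find_rename_chains(events: Iterable[Tuple[str, str]], min_links: int = 2) -> List[Dict]:
    """Follow chains of same-length renames whose targets step through the
    alphabet (AAA.., BBB.., CCC..) and report the original file name.
    A chain is reported only once it has at least `min_links` renames, so a
    single rename to a repeated letter (which could be benign) does not alert."""
    active: Dict[str, Tuple[str, str, int]] = {}  # current name -> (original, next letter, links)
    results: List[Dict] = []
    for src, dst in events:
        letter = is_repeated_letter(dst)
        if letter is None or len(dst) != len(src):
            continue  # not a same-length repeated-letter rename
        if src in active:
            original, expected, links = active.pop(src)
            if letter != expected:
                continue  # letters out of order: drop this chain
            links += 1
        elif letter == "A":
            original, links = src, 1  # a new chain starts at AAA...
        else:
            continue  # a B.../C... target with no preceding A... link
        if letter == "Z":
            results.append({"original": original, "last_name": dst, "links": links})
        else:
            active[dst] = (original, chr(ord(letter) + 1), links)
    # Chains still open when the log ends are reported too; the post notes the
    # .tmp file deletes the ZZZ... name, so a complete chain ends at Z.
    for dst, (original, _, links) in active.items():
        results.append({"original": original, "last_name": dst, "links": links})
    return [r for r in results if r["links"] >= min_links]
```

Run against `SAMPLE_RENAMES` it reports one chain: LockBit.exe renamed four times, last seen as DDDDDDDDDDD.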
Protections and Mitigations
Palo Alto Networks customers are protected against the LockBit ransomware, as well as the StealBit malware.
SmartScore, a unique ML-driven scoring engine that translates security investigation methods and their associated data into a hybrid scoring system, scored this incident 100, the highest level of severity.
For Palo Alto Networks customers, our products and services provide the following coverage associated with this group:
- WildFire cloud-based threat analysis service accurately identifies the known samples as malicious.
- Advanced URL Filtering and DNS Security identify domains associated with this group as malicious.
- Cortex XDR detects user and credential-based threats by analyzing user activity from multiple data sources including endpoints, network firewalls, Active Directory, identity and access management solutions, and cloud workloads. It builds behavioral profiles of user activity over time with machine learning. By comparing new activity to past activity, peer activity, and the expected behavior of the entity, Cortex XDR detects anomalous activity indicative of credential-based attacks.
It also offers the following protections related to the attacks discussed in this post:
- Prevents the execution of known malware and, using Behavioral Threat Protection and the machine learning-based Local Analysis module, prevents the execution of unknown malware.
- Protects against credential gathering tools and techniques using the new Credential Gathering Protection available from Cortex XDR 3.4.
- Protects from threat actors dropping and executing commands from webshells using Anti Webshell Protection as of Cortex XDR 3.4.
- Protects against exploitation of different vulnerabilities including ProxyShell, ProxyLogon and OWASSRF using the Anti-Exploitation modules as well as Behavioral Threat Protection.
- Cortex XDR Pro detects post-exploit activity, including credential-based attacks, with Cortex Analytics.
If you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America Toll-Free: 866.486.4842 (866.4.UNIT42)
Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Indicators of Compromise
LockBit 3.0 - .tmp file