Researchers Detail Techniques LockBit Ransomware Uses to Infect Its Targets


LockBit ransomware attacks are constantly evolving by using a wide variety of techniques to infect targets while taking steps to disable endpoint security solutions.

“The affiliates that use LockBit’s services conduct their attacks according to their preference and use different tools and techniques to achieve their goal,” Cybereason security analysts Loïc Castel and Gal Romano said. “As the attack progresses further up the kill chain, the activities of different cases tend to converge towards similar activities.”

LockBit, which operates on a ransomware-as-a-service (RaaS) model like most groups, was first observed in September 2019 and has since become the most dominant ransomware strain this year, surpassing other well-known groups such as Conti, Hive and Black Cat.

This means that the malware authors grant access to affiliates, who carry out the attacks in exchange for using their tools and infrastructure and earn as much as 80% of each successful ransom payment received from the victims.

LockBit also uses the popular technique of double extortion to exfiltrate large amounts of data before encrypting the target’s assets, leaving the cybercriminal syndicate with no fewer than 850 victims on its data breach site as of May 2022.

Figure: Attack Life Cycle – Case Study 1; Attack Life Cycle – Case Study 2

According to a leak-site data analysis by Palo Alto Networks Unit 42, LockBit was responsible for 46% of all ransomware-related breaches in the first quarter of 2022. In June alone, the group was tied to 44 attacks, making it the most active ransomware strain.

LockBit ransomware attacks are known to use several avenues of initial infection: exploiting publicly exposed RDP ports, relying on phishing emails to download malicious payloads, or exploiting unpatched server flaws that allow the affiliates to gain remote access to the target network.

This step is followed by Credential Exploration and Credential Theft activities, which allow the actors to move laterally across the network, establish persistence, escalate privileges, and launch the ransomware. This also involves running commands to delete backups and undermine detection by firewalls and antivirus software.

In the three years since LockBit came on the scene, the RaaS scheme has received two notable upgrades, with the threat actors debuting LockBit 2.0 in June 2021 and launching the service’s third installment, LockBit 3.0, last month with support for Zcash cryptocurrency payment options and a bug bounty program – the first for a ransomware group.

The initiative claims to offer rewards of up to $1 million for finding security blind spots in its website and locker software, submitting brilliant ideas, doxing the head of the gang’s affiliate program, or identifying ways the IP address of the server hosting the website could be revealed on the Tor network.

The bug bounty program is yet another sign that hacker groups are increasingly functioning as legitimate IT companies, with HR departments, regular feature releases, and even bonuses for solving challenging problems.

However, there is some evidence that LockBit 3.0, also known as LockBit Black, is inspired by another ransomware family known as BlackMatter, a rebranded version of DarkSide that was shut down in November 2021.

“Large chunks of code were ripped straight from BlackMatter/Darkside,” Emsisoft researcher Fabian Wosar said in a tweet earlier this week. “Obviously, LockBit got their hands on the code from another group.”