LockBit APT

Country of OriginBased out of Netherlands, operated by individuals of Russian descent. Not sponsored by Russian State.
State Sponsored[]Unknown [x] Unconfirmed [] Confirmed
Active SinceSeptember 2019
Discovered by
Target CountriesUS, India, and Brazil
Target OrganizationsHealthcare & Education are the biggest victims
Organization Size?
First discoveredSeptember 2019
ToolsUses malware called “StealBit”, which automates the exfiltration of data. This tool was introduced with the release of LockBit 2.0, which possess fast and efficient encryption capabilities.
TacticLockBit operators frequently gain initial access by exploiting vulnerable Remote Desktop Protocol (RDP) servers or compromised credentials purchased from affiliates. Initial access vectors also include phishing emails with malicious attachments or links, brute forcing weak RDP or VPN passwords, and exploiting vulnerabilities like CVE-2018-13379 in Fortinet VPNs.
TechniqueOnce inside a system, LockBit ransomware is often executed via command-line argumentsscheduled tasks, or PowerShell scripts like PowerShell Empire. LockBit uses tools like Mimikatz, GMER, Process Hacker, and registry edits to gather credentials, disable security products, and evade defenses. It enumerates network connections to identify high-value targets like domain controllers using scanners like Advanced Port Scanner.[1] In the case of LockBit 1.0, after implementing privilege escalation, the malware leverages a now-elevated process to execute a sequence of data recovery exceptions with the assistance of built-in Windows tools. Subsequently, it clears the logs, and then the software commences the file encryption process.

For lateral movement, LockBit spreads through SMB file sharing connections inside networks, using credentials gathered earlier. Other lateral movement techniques include distributing itself via compromised Group Policy objects, or using tools like PsExec or Cobalt Strike.

LockBit’s ransomware payload encrypts files and network shares using AES and RSA encryption. It encrypts only the first few KB of each file for faster processing and adds a “.lockbit” extension. LockBit also replaces the desktop wallpaper with a ransom note recruiting affiliates. It can print ransom notes to attached printers. The goal is to disrupt systems and restrict access to extort ransom payments
Organizations AttackedAccenture, Thales, La Poste Mobile, Corbeil Essonnes, Pendragon PLC, Continental, Volkswagen, California Finance Adminstration, Port of Lisbon, Hospital for Sick Children, Nuxe, Elsan Group, Royal Mail, Indigo Books, Occitania, China Daily, TSMC Group, Port of Nagoya, Industrial and Commercial Bank of China