Attribute | Value |
---|---|
Name | LockBit |
Aliases | ABCD |
Type | Malware |
Country of Origin | Based in the Netherlands, operated by individuals of Russian descent. Not sponsored by the Russian state. |
State Sponsored | [ ] Unknown [x] Unconfirmed [ ] Confirmed |
Active Since | September 2019 |
Discovered by | |
Target Countries | US, India, and Brazil |
Target Organizations | Healthcare and education sectors are the biggest victims |
Organization Size | ? |
First discovered | September 2019 |
Tools | Uses a malware tool called “StealBit”, which automates the exfiltration of data. The tool was introduced with the release of LockBit 2.0, which possesses fast and efficient encryption capabilities. |
Tactic | LockBit operators frequently gain initial access by exploiting vulnerable Remote Desktop Protocol (RDP) servers or by using compromised credentials purchased from affiliates. Other initial access vectors include phishing emails with malicious attachments or links, brute-forcing weak RDP or VPN passwords, and exploiting vulnerabilities such as CVE-2018-13379 in Fortinet VPNs. |
Technique | Once inside a system, LockBit ransomware is often executed via command-line arguments, scheduled tasks, or PowerShell scripts (for example, PowerShell Empire). LockBit uses tools such as Mimikatz, GMER, Process Hacker, and registry edits to gather credentials, disable security products, and evade defenses. It enumerates network connections to identify high-value targets such as domain controllers, using scanners like Advanced Port Scanner.[1] In the case of LockBit 1.0, after privilege escalation, the malware uses the now-elevated process to run a sequence of operations targeting data recovery, with the help of built-in Windows tools. It then clears the logs and begins the file encryption process. For lateral movement, LockBit spreads over SMB file-sharing connections inside the network, using the credentials gathered earlier. Other lateral movement techniques include distributing itself via compromised Group Policy Objects, or using tools such as PsExec or Cobalt Strike. LockBit’s ransomware payload encrypts files and network shares using AES and RSA encryption. It encrypts only the first few KB of each file for faster processing and appends a “.lockbit” extension. LockBit also replaces the desktop wallpaper with a ransom note that recruits affiliates, and it can print ransom notes to attached printers. The goal is to disrupt systems and restrict access in order to extort ransom payments. |
Procedures | |
Organizations Attacked | Accenture, Thales, La Poste Mobile, Corbeil Essonnes, Pendragon PLC, Continental, Volkswagen, California Finance Administration, Port of Lisbon, Hospital for Sick Children, Nuxe, Elsan Group, Royal Mail, Indigo Books, Occitania, China Daily, TSMC Group, Port of Nagoya, Industrial and Commercial Bank of China |
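The head-only encryption and the “.lockbit” extension described in the Technique row give a defender two cheap file-level indicators for triage. The Python script below is an added example, not part of this profile or any LockBit tooling: it walks a directory, compares the Shannon entropy of the first 4 KB of each file with the remainder, and flags files that show a high-entropy head followed by a plaintext tail or that carry the extension. The 4 KB window and the entropy thresholds are assumptions, and the sample files it writes are constructed.

```python
import math
import os
import tempfile
from collections import Counter

LOCKBIT_EXT = ".lockbit"  # extension the page says LockBit appends
HEAD_BYTES = 4096         # "first few KB"; the exact window size is an assumption

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below that for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_file(path: str) -> dict:
    """Compare the entropy of the head window with the remainder of the file."""
    with open(path, "rb") as fh:
        head, tail = fh.read(HEAD_BYTES), fh.read()
    head_ent, tail_ent = shannon_entropy(head), shannon_entropy(tail)
    # A high-entropy head followed by a low-entropy tail is the head-only encryption shape
    partial = head_ent > 7.5 and len(tail) > 0 and tail_ent < 6.0
    return {"path": path, "has_lockbit_ext": path.endswith(LOCKBIT_EXT),
            "head_entropy": round(head_ent, 2), "tail_entropy": round(tail_ent, 2),
            "partial_encryption_pattern": partial}

def scan_tree(root: str) -> list:
    """Walk a directory tree and keep files matching either indicator."""
    infos = (assess_file(os.path.join(d, n)) for d, _, names in os.walk(root) for n in names)
    return [i for i in infos if i["has_lockbit_ext"] or i["partial_encryption_pattern"]]

def build_sample(root: str) -> None:
    """Constructed sample: one file mimicking head-only encryption, one benign file."""
    fake_ciphertext = bytes(range(256)) * 16  # 4096 bytes, entropy exactly 8.0
    plaintext = b"Quarterly report: revenue grew 4% on the year.\n" * 200
    with open(os.path.join(root, "report.docx" + LOCKBIT_EXT), "wb") as fh:
        fh.write(fake_ciphertext + plaintext)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(plaintext)

def demo() -> list:
    """Scan the constructed sample; returns (file name, pattern hit) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return [(os.path.basename(f["path"]), f["partial_encryption_pattern"])
                for f in scan_tree(root)]

if __name__ == "__main__":
    print(demo())  # [('report.docx.lockbit', True)]
```

Point `scan_tree` at a share or backup snapshot to get a quick list of candidates for closer forensic review; compressed or already-encrypted file formats will have a high-entropy head too, so the entropy pattern is a triage signal, not proof.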