Lockbit Ransomware-A Global Threat
Subas Chandra Khanal, CISSP
CISO | Cybersecurity & Resilience Expert | Risk Manager | Fintech & Banking Specialist | ISO 27001 & PCI DSS Champion | Project Management Pro | AI Enthusiast | Automation Advocate
Last Thursday, the U.S. branch of the Industrial and Commercial Bank of China (ICBC) experienced a ransomware attack, causing disruptions in the U.S. Treasury market. Notably, one of the latest victims of this cyber attack is the renowned defense and aerospace giant Boeing (BA.N).
In response to the ransomware incident, ICBC opted to pay the ransom, while Boeing took a different stance and chose not to comply. Instead, Boeing has actively engaged with law enforcement agencies to address and mitigate the fallout from the attack.
Unfortunately, last Friday the ransomware group, identified as LockBit, went public with the release of Boeing's confidential data. These events underline the need for a robust cyber resilience mechanism and for collaboration with law enforcement when navigating such security breaches.
WHO IS BEHIND THE LOCKBIT?
Numerous research institutes have diligently monitored the widespread LockBit ransomware since its initial emergence in September 2019. The significance of this malicious software became more apparent in 2020 when its name was mentioned in the Russian-language cybercrime forums. This discovery led some security analysts to speculate that the group responsible for LockBit might have ties to Russia.
However, the situation took an intriguing turn when the alleged perpetrators provided a counter-narrative. On their dark web blog, the LockBit gang asserted "We are located in the Netherlands, completely apolitical, and only interested in money." This claim adds a layer of complexity to the attribution of cyber threats, showcasing the challenges of accurately identifying the origin and motivations behind sophisticated cybercriminal activities.
WHAT IS LOCKBIT RANSOMWARE?
The LockBit ransomware operation adopts the ransomware-as-a-service (RaaS) model, leveraging affiliates to disseminate the ransomware widely. These affiliates employ diverse tactics, techniques, and procedures (TTPs), launching attacks on a broad spectrum of businesses and critical infrastructure organizations across the globe.
Since its initial discovery in 2019, this ransomware has exhibited rapid growth and evolution. Notably, it has released updated versions over time, with LockBit 2.0 surfacing in mid-2021 and the more recent LockBit 3.0 making its debut in June 2022. In just three to four years, LockBit has become a well-known ransomware threat and a continuously evolving challenge for cybersecurity professionals.
THREATENING
LockBit's blog functions like a notorious "Hall of Fame," showcasing a continuously expanding gallery of victim organizations. This virtual display is updated almost daily, featuring the names of entities that have fallen prey to the ransomware. Adding to the intensity, digital clocks accompany each victim's name, counting down the number of days remaining until the designated deadline for a ransom payment. Failing to meet this deadline prompts the LockBit gang to carry out its threat of publishing the sensitive data it has collected from the compromised organizations, underscoring the high-stakes nature of these cyber extortion schemes.
HOW HARD IS IT TO DETECT THE LOCKBIT CRIMINAL GANG?
A 40-country alliance, including the US, has been actively working to combat the universal threat of ransomware. This global effort involves sharing intelligence among nations, specifically focusing on the cryptocurrency wallet addresses associated with criminal activities. The aim is to enhance cooperation and coordination in the fight against cybercriminals leveraging ransomware.
SPREADING THE CRIMINAL NETWORK
LockBit's effectiveness is linked significantly to its network of 'affiliates'—like-minded criminal groups enlisted to execute attacks using LockBit’s digital extortion tools, essentially operating as Ransomware as a Service (RaaS).
On LockBit's official website, the gang proudly showcases its achievements in successfully breaching various organizations. The site also presents a set of detailed rules, providing insight into the structured recruitment process for potential cybercriminal collaborators. One notable rule advises applicants to seek endorsements from their friends or acquaintances who are already affiliated with LockBit, emphasizing a form of internal validation within the criminal network. This recruitment approach underscores the organized and business-like nature of the LockBit operation, where affiliations and credibility play crucial roles in the recruitment and onboarding of new actors into their cybercriminal ecosystem.
HOW DOES LOCKBIT TARGET ORGANISATIONS?
LockBit employs various tactics to target organizations and deploy ransomware, coercing victims into paying to decrypt or unlock their data. Here are some of the methods used by the cybercriminals behind LockBit:
Phishing:
Phishing remains one of the most prevalent methods for spreading ransomware. Attackers send deceptive emails that appear legitimate, often containing malicious attachments or links. If a user opens an infected attachment or clicks on a malicious link, it can result in the installation of LockBit on the system.
Exploiting Software Vulnerabilities:
Cybercriminals may exploit vulnerabilities in an organization's systems, targeting unpatched software or known vulnerabilities to gain initial access to the network. Keeping software up-to-date and applying security patches is crucial in mitigating this risk.
Remote Desktop Protocol (RDP) Exploitation:
Attackers may attempt to exploit weak or compromised RDP credentials to gain remote access to an organization's systems. Once inside the network, they can move laterally and deploy ransomware, escalating the impact of the attack.
Malicious Websites and Downloads:
Visiting malicious websites or downloading files from untrusted sources can lead to the installation of malware, including ransomware. Cybercriminals employ various techniques to entice users into downloading and executing malicious files, making it essential for system administrators to stay vigilant against potential threats.
Insider Threats:
In some cases, individuals within an organization may intentionally or unintentionally facilitate a ransomware attack. This can result from malicious intent or through actions that inadvertently expose the organization to security risks, emphasizing the importance of internal security awareness and measures.
Understanding these methods is crucial for organizations to implement effective cybersecurity measures, including employee training to recognize phishing attempts, regular software patching, robust authentication protocols, and monitoring for suspicious activities to mitigate the risk of falling victim to LockBit and similar ransomware threats.
A typical attack pattern
The generic attack pattern of LockBit 3.0 involves a series of steps aimed at gaining control and initiating its malicious activities on a victim's system:
Privilege Check:
Initially, the ransomware checks if it already possesses sufficient privileges by specifically examining membership in the Domain Admin group.
If this privilege is not found, LockBit 3.0 attempts to grant itself a predetermined list of fifteen privilege constants, enhancing its control over the system.
Operating System Normality Check:
Following privilege checks, LockBit 3.0 verifies whether the operating system started normally.
If Windows starts in safe mode, the ransomware refrains from running most of its functionality at that moment. Instead, it sets a registry key to ensure execution during the next normal boot, allowing it to bypass safe mode restrictions.
Windows Security Services Removal:
The first thread initiated by LockBit 3.0 focuses on removing Windows Security Services.
This process includes deleting the services, leading to a small taskbar notification briefly informing the user that the Windows Security Center service has stopped. Importantly, the service is not just stopped but completely deleted, preventing a simple restart via the notification.
Malicious Activity Launch:
With security services removed, LockBit 3.0 proceeds to launch several additional threads to commence its malicious activities.
These activities include the spreading of malware across the system and the encryption of files, rendering them inaccessible to the user.
File Encryption Using Salsa-20 Algorithm:
LockBit 3.0 employs Salsa20, a modern and efficient symmetric stream cipher, to encrypt the victim's files.
The use of advanced encryption algorithms contributes to the ransomware's ability to secure and hold the victim's data hostage effectively.
Understanding these steps in the attack pattern is crucial; however, the TTPs used by the affiliates vary according to their target organizations.
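The stages above lend themselves to behavioural correlation on the endpoint. The following Python example is added here and is not drawn from the article or from any vendor tooling; it triages constructed EDR-style events for three of the described stages: autostart-key persistence (the article does not name the registry key, so a RunOnce path is assumed), deletion of the Windows Security Center service (assumed service name wscsvc), and a burst of file renames to a single new extension as a proxy for encryption.

```python
from collections import defaultdict

# Constructed EDR-style telemetry (not real LockBit indicators): host ws01 shows
# the chain from the article (autostart persistence, security service deleted,
# then a burst of renames); ws02 is benign noise. Key path and 'wscsvc' are assumed.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry_set", "ts": 100,
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\upd"},
    {"host": "ws01", "type": "service_delete", "ts": 105, "name": "wscsvc"},
    *[{"host": "ws01", "type": "file_rename", "ts": 110 + i, "ext": ".demo_enc"}
      for i in range(40)],
    {"host": "ws02", "type": "service_delete", "ts": 300, "name": "Spooler"},
    {"host": "ws02", "type": "file_rename", "ts": 301, "ext": ".bak"},
]

AUTOSTART_KEYS = ("\\Run\\", "\\RunOnce\\")  # assumed autostart key fragments
SECURITY_SERVICES = {"wscsvc"}                # assumed Windows Security Center name
MASS_RENAME_THRESHOLD = 25                    # renames to one new extension ...
WINDOW_SECONDS = 120                          # ... within this sliding window

def stages_for_host(events):
    """Return the set of behaviour stages observed for one host."""
    stages = set()
    recent = defaultdict(list)  # extension -> rename timestamps inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "service_delete" and e["name"].lower() in SECURITY_SERVICES:
            stages.add("security_service_deleted")
        elif e["type"] == "registry_set" and any(k in e["path"] for k in AUTOSTART_KEYS):
            stages.add("autostart_persistence")
        elif e["type"] == "file_rename":
            ts = recent[e["ext"]]
            ts.append(e["ts"])
            while ts and e["ts"] - ts[0] > WINDOW_SECONDS:  # slide the window forward
                ts.pop(0)
            if len(ts) >= MASS_RENAME_THRESHOLD:
                stages.add("mass_rename")
    return stages

def triage(events):
    """Map host -> (verdict, sorted stages); a rename burst plus any other stage is escalated."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    report = {}
    for host, evs in by_host.items():
        stages = stages_for_host(evs)
        verdict = ("likely-ransomware" if "mass_rename" in stages and len(stages) > 1
                   else "suspicious" if stages else "clean")
        report[host] = (verdict, sorted(stages))
    return report
```

Thresholds and key fragments are tuning knobs; in production they should be calibrated against a baseline of normal rename and registry activity so that backup jobs and software installers do not trip the rule.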
How to prepare and protect against LockBit ransomware
Protecting against LockBit ransomware and similar threats requires a comprehensive and proactive approach to cybersecurity. Here are key practices to help organizations enhance their resilience:
1. Identify and reduce the attack surface
2. Test your incident response plans and program
3. Implement strong authentication and access control
4. Ensure secure system configurations
5. Maintain system-wide backups
6. Deploy a comprehensive cybersecurity solution
By incorporating these basic practices into an organization's cybersecurity strategy, it can minimize the risk of falling victim to LockBit ransomware and other malicious attacks. Regular training and awareness programs for employees are also crucial components of a holistic cybersecurity approach.
Conclusion
All organizations should review their defenses and visibility on a regular basis. A robust incident management program, along with an effective security operations center, will strengthen resilience against such attacks.
Unfortunately, paying a ransom is neither always the end of the story nor a recommended practice: the more ransoms are paid, the stronger these groups become. These ransomware groups run their criminal operations like a business, and lately they have even introduced a bug bounty program. A bug bounty program is typically associated with ethical hacking practices, but in this case it has been applied in a malicious and criminal context.
We need to understand that the criminals are evolving and expanding. So let's create a global coalition that actively addresses the multifaceted challenges posed by LockBit ransomware. If we stick together, the international community can build a more resilient and coordinated defense against this evolving cyber threat.