The rise and rise of ransomware
The Evolution of LockBit: From Takedown to Rebranding
LockBit is a prominent ransomware group that has made headlines for its sophisticated attacks and resilient operations. Known for its efficient, highly automated encryptor, LockBit has consistently evolved, adapting to law enforcement action and to the demands of its affiliate market. The following delves into the history, modus operandi (MO) and recent activity of LockBit, focusing on the Operation Cronos takedown, the group's relaunch, and the SEXi ransomware operation that was built on LockBit's leaked code.

In May 2024 the leader of the LockBit ransomware group, Dmitry Yuryevich Khoroshev, was publicly identified, sanctioned and indicted by the US Department of Justice. Khoroshev, a 31-year-old Russian national, is accused of being the mastermind behind LockBit from its inception in 2019. He operated under the alias "LockBitSupp" and played a key role in developing and managing the ransomware-as-a-service (RaaS) platform. He remains at large; if convicted in the US he faces a maximum of 185 years' imprisonment, and a reward of up to $10 million has been offered for information leading to his arrest.
LockBit's Rise and Takedown
LockBit first appeared on the cybersecurity radar in September 2019 (its earliest builds were known as ABCD ransomware, after the .abcd extension they appended), quickly gaining notoriety for automated propagation inside a compromised network and for fast encryption. The group targeted various sectors, including healthcare, finance, and critical infrastructure, demanding hefty ransoms in exchange for decryption keys and the promise not to leak stolen data.
LockBit's most serious setback came in February 2024, when an international law enforcement operation led by the UK National Crime Agency (Operation Cronos) seized the group's leak site and backend servers, took control of its affiliate panel, recovered decryption keys for victims, and was followed by arrests in Poland and Ukraine and by indictments and sanctions against named members. The seized leak site was then used to publish details of the group's own operations and affiliates. Despite this, LockBit brought up new leak-site infrastructure within days and resumed posting victims, although analysts reported that much of what it posted afterwards was recycled from earlier intrusions.
Rebranding and Relaunch
LockBit's rebrands predate the takedown. LockBit 2.0 was released in mid-2021 with faster encryption, better evasion techniques and an affiliate-friendly ransomware-as-a-service (RaaS) program that advertised aggressively for partners on criminal forums. LockBit 3.0 (also called LockBit Black) followed in June 2022, complete with a bug-bounty program for the group's own code. The LockBit 3.0 builder leaked in September 2022, which is why LockBit-derived payloads now turn up in the hands of unrelated groups. After Operation Cronos the group relaunched on new infrastructure rather than under a new name, with its leader insisting publicly that operations would continue.
From LockBit 2.0 onward the group paired encryption with systematic data exfiltration, so that victims were pressured twice: pay to obtain a decryptor, and pay to keep stolen data off the leak site. This double extortion became a hallmark of its operations and removed the option of simply restoring from backups and ignoring the demand.
Modus Operandi
A typical LockBit affiliate intrusion proceeds in five stages:
Initial Access: Gaining entry through phishing emails, exploiting vulnerabilities in internet-facing services such as VPN gateways and exposed RDP, or purchasing access from initial access brokers.
Lateral Movement: Using tools like Cobalt Strike, Mimikatz and PsExec to harvest credentials, escalate privileges and move laterally across the network, typically ending with domain-level access.
Data Exfiltration: Stealing sensitive data before encryption, so that it can be used as leverage in the double extortion scheme.
Encryption: Deploying the ransomware payload (often pushed to every host through Group Policy or PsExec) to encrypt files across the network, rendering systems unusable.
Ransom Demands: Demanding payment in cryptocurrency in exchange for decryption keys and a promise not to leak the stolen data.
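The encryption stage is the noisiest part of the chain on the file system: thousands of files are rewritten or renamed to a single new extension in seconds. The following is an added example, not code from the original article or from any LockBit analysis, showing how that burst can be flagged from file-system audit events. The events, the host names and the ".lockbit" extension are constructed for illustration; the baseline extension set and thresholds are assumptions that would need tuning against real file-server data.

```python
"""Detect an encryption burst (mass rename to one new extension) in file events.

Added example, not from the original article. The event records below are
constructed; the ".lockbit" extension is used purely as a stand-in for
whatever a given build appends. Thresholds are assumptions to tune.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Extensions that are normal in this environment; anything else is "unusual".
# Assumed baseline for the example; build yours from real file-server data.
BASELINE_EXTS = frozenset({"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png"})


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    host: str
    action: str  # "rename" or "write"
    path: str    # path after the action


def extension(path: str) -> str:
    """Lower-cased final extension of a path, or "" if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_bursts(events, window=timedelta(seconds=60), threshold=50,
                             baseline=BASELINE_EXTS):
    """Return {host: (extension, peak_count)} for hosts where at least
    `threshold` files acquired the same non-baseline extension within
    any `window`-long interval. Peak count is the largest such interval."""
    per_host_ext = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in ("rename", "write"):
            continue
        ext = extension(ev.path)
        if ext and ext not in baseline:
            per_host_ext[(ev.host, ext)].append(ev.ts)

    hits = {}
    for (host, ext), stamps in per_host_ext.items():
        start = 0
        for end in range(len(stamps)):
            # Sliding window: drop stamps more than `window` behind `end`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(host, ("", 0))[1]:
                hits[host] = (ext, count)
    return hits


def build_sample_events():
    """Constructed audit trail: a file server losing 120 files in 30 seconds,
    and a workstation doing ordinary edits plus a few .bak saves."""
    t0 = datetime(2024, 6, 1, 3, 14, 0)
    events = []
    for i in range(120):
        events.append(FileEvent(t0 + timedelta(milliseconds=250 * i), "fs01",
                                "rename", f"/shares/finance/report_{i}.xlsx.lockbit"))
    for i in range(5):
        events.append(FileEvent(t0 + timedelta(seconds=10 * i), "ws07",
                                "write", f"/home/alice/notes_{i}.docx"))
    for i in range(3):
        events.append(FileEvent(t0 + timedelta(seconds=20 * i), "ws07",
                                "write", f"/home/alice/notes_{i}.bak"))
    return events


if __name__ == "__main__":
    for host, (ext, count) in detect_encryption_bursts(build_sample_events()).items():
        print(f"{host}: {count} files renamed to .{ext} within 60 s")
```

The rule keys on any previously unseen extension rather than on a fixed string, because later LockBit builds append a per-victim extension rather than a constant one; the constant that matters is "many files, one new extension, short interval". On a real file server the baseline set should be learned from normal activity and the threshold set well above the busiest legitimate batch job.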
Alongside technical intrusion, LockBit has openly solicited insiders to facilitate deployment of its ransomware, offering substantial financial incentives to employees or contractors of target organizations in exchange for access to their systems.
Recruitment of Insiders: LockBit has actively recruited corporate insiders by promising payouts described as "millions of dollars". The pitch targets employees who hold valuable network credentials, such as RDP (Remote Desktop Protocol) and VPN (Virtual Private Network) logins. An insider is asked either to hand over those credentials or to run a supplied executable on a work computer, which gives the gang remote access from which it can deploy the ransomware and steal data without immediate detection.
Direct Offers: With LockBit 2.0 the recruitment message was embedded in the ransomware itself: the wallpaper it sets on infected machines invited insiders to contact the group and earn "millions of dollars" for access to their own company's network. The offer was aimed squarely at enticing staff to compromise their own organization in exchange for financial gain.
Cases of Insider Cooperation: Specific cases of insiders caught working for LockBit are rarely detailed publicly because of ongoing investigations and legal processes, but law enforcement has documented the approach. In 2020 the FBI arrested a Russian national for trying to recruit a Tesla employee, with an offer of $1 million, to plant malware on the company's network; the employee reported the approach instead. That case was unrelated to LockBit, but it shows the model is real and that a reporting channel for employees works.
Impact and Mitigation: The use of insider threats significantly complicates the security landscape for organizations. It highlights the need for controls that address internal compromise as well as external threats: least-privilege access to remote-access credentials, monitoring of privileged and remote logins for use outside normal hours or locations, and a clear, consequence-free channel for employees to report approaches.
LockBit's aggressive recruitment of insiders demonstrates their adaptability and the lengths to which they will go to ensure the success of their operations.
The SEXi Connection: SEXi is often mislabelled as a LockBit "attack vector", and its name is sometimes expanded into an acronym about stealthy exfiltration. Neither is right. SEXi is a separate ransomware operation that surfaced in early 2024; the name is a play on VMware ESXi, the hypervisor it goes after. It matters to the LockBit story because of the leaked LockBit 3.0 builder: SEXi encrypts Windows hosts with a payload produced from that builder and ESXi hosts with the leaked Babuk encryptor, so its Windows samples are frequently detected as LockBit even though the operators are a different group. The widely reported April 2024 attack on the Chilean hosting provider IxMetro Powerhost, in which customer virtual machines on ESXi were encrypted, was SEXi, not LockBit.
The lesson for defenders is that a payload's family name no longer tells you who is behind the intrusion, only which leaked builder they picked up. What stays constant, across LockBit affiliates and the groups reusing its code, is the exfiltration stage that precedes encryption, and it is the stage defenders have the best chance of catching before the encryptor runs:
Stealthy Data Transfer: Pushing stolen data over encrypted channels to legitimate cloud storage or file-sharing services so the traffic blends in with ordinary use. CISA's #StopRansomware advisory on LockBit 3.0 lists rclone, MEGA, FreeFileSync and WinSCP among the tools affiliates use for this.
Minimal Footprint: Preferring lightweight, often dual-use tools and built-in utilities that leave few traces on the victim's network.
Obfuscation: Packing or obfuscating the tooling and clearing event logs to delay discovery.
Because the encryptor is the last step, an exfiltration alert is frequently the final chance to intervene before systems go down, which is why outbound volume to file-sharing services and the presence of sync tools on ordinary workstations deserve dedicated monitoring.
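As an added example (not code from the original article, from LockBit, or from any advisory), the following flags bulk uploads to consumer file-sharing services and the presence of a known sync tool in web proxy logs. The log line format is constructed for illustration and matches no particular proxy product; the watched hosts and the rclone user-agent prefix reflect tooling named in public LockBit advisories, while the sample IP addresses, hostnames and the 500 MB threshold are assumptions.

```python
"""Flag possible bulk data exfiltration to file-sharing services in proxy logs.

Added example, not from the original article. The log format below is
constructed for illustration (field order is hypothetical); the service
and tool names in the watchlists (MEGA, rclone) come from public advisories
on LockBit affiliates' exfiltration tooling. Thresholds are assumptions
to be tuned against real traffic baselines.
"""
import re
from collections import defaultdict

# Constructed format: <epoch> <src_ip> <method> <host> <bytes_out> "<user_agent>"
LOG_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

# File-sharing hosts seen in LockBit exfiltration; subdomains match too.
# Extend from your own threat intelligence.
WATCHED_HOSTS = ("mega.nz", "mega.co.nz")
# User-agent prefixes of sync tools that should not be talking to the
# internet from an ordinary workstation.
WATCHED_AGENT_PREFIXES = ("rclone/",)
UPLOAD_METHODS = {"PUT", "POST"}


def parse_line(line):
    """Return (epoch, src, method, host, bytes_out, user_agent) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    epoch, src, method, host, nbytes, ua = m.groups()
    return int(epoch), src, method.upper(), host.lower(), int(nbytes), ua


def is_watched_host(host):
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)


def detect_exfil(lines, byte_threshold=500 * 1024 * 1024):
    """Return {src_ip: {"bytes": total_uploaded_to_watched_hosts,
                        "reasons": [...]}} for sources that trip a rule.

    Two independent rules: (1) any upload by a watched tool user-agent,
    regardless of size; (2) cumulative upload volume to watched hosts at
    or above byte_threshold. Malformed lines are skipped, not fatal.
    """
    uploaded = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, method, host, nbytes, ua = rec
        if method not in UPLOAD_METHODS:
            continue
        for prefix in WATCHED_AGENT_PREFIXES:
            if ua.startswith(prefix):
                reasons[src].add("upload by watched tool user-agent " + prefix.rstrip("/"))
        if is_watched_host(host):
            uploaded[src] += nbytes
    for src, total in uploaded.items():
        if total >= byte_threshold:
            reasons[src].add("upload volume to file-sharing hosts above threshold")
    return {src: {"bytes": uploaded.get(src, 0), "reasons": sorted(r)}
            for src, r in reasons.items()}


# Constructed sample log (hostnames and addresses are made up): one workstation
# pushing 600 MB to MEGA with rclone, one small Google Docs upload, one small
# browser upload to MEGA, and one malformed line.
SAMPLE_LOG = """\
1717000000 10.0.5.21 PUT upload.mega.co.nz 209715200 "rclone/v1.66.0"
1717000030 10.0.5.21 PUT upload.mega.co.nz 209715200 "rclone/v1.66.0"
1717000060 10.0.5.21 PUT upload.mega.co.nz 209715200 "rclone/v1.66.0"
1717000070 10.0.5.40 POST docs.google.com 2097152 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
1717000080 10.0.5.77 POST mega.nz 5242880 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
this line is not in the expected format
"""

if __name__ == "__main__":
    for src, finding in detect_exfil(SAMPLE_LOG.splitlines()).items():
        print(src, finding["bytes"], "; ".join(finding["reasons"]))
```

The two rules are deliberately independent: a tool-based rule catches rclone even when the destination is a cloud bucket you have not listed, and a volume rule catches a browser-based upload when the attacker avoids known tooling. The small browser upload to mega.nz in the sample is counted but not reported, which is the intended behaviour; a single threshold rule on its own would also miss data split across many destinations, so in production the volume should be aggregated per source across the whole watched category.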
Recent Exploits
LockBit's affiliates kept up a high tempo through late 2023 and early 2024. Affiliates exploited the Citrix Bleed vulnerability in NetScaler appliances (CVE-2023-4966) to breach victims including Boeing and the US arm of ICBC, prompting a joint CISA and FBI advisory, and in January 2024 the group encrypted systems belonging to Fulton County, Georgia. These intrusions followed the MO described above: a foothold through an internet-facing service, credential theft and lateral movement, bulk exfiltration, and only then encryption. The group's adaptability and the breadth of its affiliate base have made it a formidable adversary in the cybersecurity landscape.
LockBit's journey from its inception in 2019 through LockBit 2.0, LockBit 3.0 and the post-Cronos relaunch highlights the resilience and adaptability of modern ransomware groups. Despite a takedown that seized its infrastructure, exposed its leader and recovered victims' keys, LockBit has kept operating, and its leaked builder has handed other groups such as SEXi a ready-made encryptor. That spread of LockBit code beyond LockBit itself underscores the importance of continuous vigilance and of defenses aimed at the intrusion and exfiltration stages, not just at recognizing the final payload.
Chief Executive Officer (4 months ago): Alan Cooper, I hope this answers most of your questions. Mitigation using current practices is challenging because cybersecurity defenses are often overwhelmed by bad actors. As long as the industry continues to favor the "detect and respond" model over actively preventing malware deployment, significant improvement will be difficult to achieve. https://www.dhirubhai.net/posts/alexanderrogan_cybersecurity-sexiattack-dataprotection-activity-7219695914221735939-dn3F?utm_source=share&utm_medium=member_android
Whitelabel Services | Software Advisor For Businesses | IT Staff-Augmentation | Custom Software And Web Application Development | Automation Expert | Growth Hacker (4 months ago): Alexander Rogan, thank you for the insightful update on the LockBit ransomware group. Could you provide more details on the SEXi attack vector and how it differs from traditional ransomware attack methods? Additionally, what strategies do you recommend organizations adopt to mitigate the risks posed by such sophisticated attack vectors?