LockBit

Ars Technica (2020)
Dan Goodin (2020) "LockBit, the new ransomware for hire : A sad and cautionary tale" Ars Technica

Claims :
 * ARP tables, server message block, powershell encryptor script disguised as a PNG file, onion sites, jabber
 * Alleged Russian ties
 * Ransomware as a service, with money-back guarantee

Excerpts
After getting in, LockBit used a dual method to map out and infect victimized network. First, the ARP tables, which map IP addresses to device MAC addresses, helped to locate accessible system. Second, server message block, a protocol used for sharing files and folders among networked machines, allowed the infected nodes to connect to uninfected ones. LockBit would then execute a PowerShell script that spread the ransomware to those machines. The malicious file the PowerShell script downloaded was disguised as a PNG image. In fact, it was a executable program that encrypted the files on the machine.

LockBit had another trick. Before the ransomware encrypted data, it connected to an attacker-controlled server and then used the victim's machine IP address to determine where it was located. If it resided in Russia or another country belonging to the Commonwealth of Independent States, it would abort the process.

Once the data was locked up, organization computers were left with a desktop that contain this message as its wallpaper.

All your files are encrypted by LockBit. For more information, see Restore-My-Files.txt that is located in every encrypted folder

The ransomware note looked like this.

All your important files are encrypted! Any attempts to restore your files with the thrid-party [sic] software will be fatal for your files! RESTORE YOU [sic] DATA POSIBLE [sic] ONLY BUYING private key from us. There is only one way to get your files back:


 * 1. Download Tor browser and install it.
 * 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?E3D94FA5
 * 3. Follow the instructions on this page


 * 1) Attention! ###
 * 2) Do not rename encrypted files.
 * 3) Do not try to decrypt using third party software, it may cause permanent data loss.
 * 4) Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
 * 5) Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
 * 6) Tor Browser user manual https://tb-manual.torproject.org/about

!!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don't forget about GDPR.

Using a Tor site, the organization paid the ransom and, after several hours, used the same anonymous service to obtain the decryption key. Those behind this attack had a support desk that communicated over the anonymized Jabber messenger to resolve several problems the organization had in rebuilding the locked-up network.

LockBit's creators offer a ransomware-as-a-service to customers. LockBit is sold in underground broker forums that often require sellers to put up a deposit that customers can recover in the event the wares don't perform as advertised. In a testament to their confidence and determination, the LockBit sellers have forked out almost $75,000.