After a brief slowdown in activity from the LockBit ransomware gang following increased attention from law enforcement, LockBit is back with a new affiliate program, improved payloads and a change in infrastructure. According to IBM X-Force, a major spike in data leak activity on the gang’s new website indicates that their recruitment attempts have been successful. IBM’s data shows that LockBit is nearly six times more active than other groups, such as the Conti ransomware operators. This blog post delves into LockBit 2.0, its recent activity and an analysis of the new payloads.
LockBit is a ransomware-as-a-service (RaaS) gang that writes and distributes its malware through affiliates. RaaS has become an increasingly popular business model for ransomware operators in the past few years, helping gangs expand their reach without growing their core team or their expenses. These groups are able to make a profit while turning over the actual deployment of their ransomware payloads to affiliates, who also shoulder part of the risk of being exposed by law enforcement.
Announcing LockBit 2.0
The LockBit gang was first found advertising their affiliate program in January 2020 on a well-known, Russian-speaking forum known as XSS. This underground forum has been used by many RaaS gangs in the past to advertise their malware and hunt for new affiliates. That includes gangs like REvil/Sodinokibi, DarkSide, Netwalker and others. But with increased attention from law enforcement, XSS banned all ransomware topics from their forum in early 2021.
With this avenue shut down, LockBit’s owners pivoted to using their own infrastructure for advertising. At the end of June 2021, those behind LockBit posted a page on their leak site (bigblog[.]at) announcing recruitment for their LockBit 2.0 affiliate program.
Figure 1: LockBit’s June 2021 advertisement with new features, seeking new affiliates (source: bigblog[.]at)
According to their post, the affiliate is responsible for gaining access to “the core server”, likely referring to a domain controller, and then the rest will be carried out by the LockBit payload.
The group mentions that their payload does not operate in Russian-speaking countries and specifies that they will only work with experienced penetration testers. Additionally, the group claims their ransomware is faster than any other ransomware family and includes a table comparing supposed encryption speeds against other prolific ransomware families.
The affiliate also gets to decide the ransom amount and will receive the payment directly, sending the LockBit gang’s cut of the profit after the ransom is paid.
Figure 2: LockBit operators’ encryption speed comparison vs. top competitors (source: bigblog[.]at)
To facilitate extortion if a victim refuses to pay for a decryption key, LockBit also includes access to an information stealer they call StealBit, which allegedly exfiltrates files from victim networks to the LockBit blog. This malware is also touted as a high-speed uploader, which is supposed to reassure affiliates that their operation will be swift.
X-Force researchers were able to identify files submitted to VirusTotal in August 2021 that may be samples of the StealBit malware, but analysis is still ongoing at the time of this publication.
Figure 3: LockBit operators boast StealBit’s upload speeds (source: bigblog[.]at)
A spike in victims’ data exposure
Prior to the announcement of LockBit 2.0’s affiliate program, the last dark web leak from the gang appears to have been published on December 30, 2020. Posting activity resumed approximately seven months later on July 21, 2021, shortly after new recruitment attempts began, with about 76 new posts published within a six-day period.
Figure 4: Stolen data posts created per day on bigblog[.]at
Looking at other ransomware families’ leak sites in the three-week period since LockBit’s return (7/21/2021-8/11/2021), LockBit appears to be currently operating one of the most active ransomware leak sites.
Figure 5: Leak site activity by the number of posts within the monitored period
Victims by industry, geography
With regard to victims, IBM X-Force identified the following industries and geographies as being impacted by LockBit and its affiliates:
Figure 6: Top LockBit victims by industry (source: IBM X-Force)
Figure 7: Top LockBit victims by region (source: IBM X-Force)
While a few regions and industries have multiple victims involved, IBM was unable to identify any clear targeting patterns. Each LockBit affiliate likely selects its own victims, whether deliberately targeted or opportunistic.
Given the timing of the new affiliate program being advertised and the spike in activity, IBM X-Force suspects that LockBit was able to recruit affiliates who had already begun compromising networks.
LockBit’s use of a data leak site first appeared in September 2020. Their leak sites and support sites (where victims can purchase a decryptor) are offered at both surface and dark web addresses. Along with the observed uptick in activity, IBM researchers discovered the use of newly registered infrastructure for these sites.
LockBit’s primary blog that publishes victim data and advertises its affiliate program is currently being hosted on the clear web at bigblog[.]at. Whois information for this domain indicates that LockBit registered the domain on July 6, 2021. Pivoting off the unique registrant email reveals that their new clear web decryptor site, decoding[.]at, was also registered on the same date.
IBM X-Force was able to uncover the domain locksupp[.]at, which was leveraging the same name servers as decoding[.]at. Whois and nameserver history indicates that this domain was in use around June 6, 2021, but it appears it was suspended by June 29, 2021. It is not currently reachable and its purpose is unknown at this time.
X-Force identified over a dozen new submissions of LockBit samples to VirusTotal occurring since the launch of the LockBit 2.0 affiliate program. Analysis was performed on several of these samples to determine any changes in these new variants.
Much of LockBit’s functionality remains the same in version 2.0, with a similar encryption routine. A hybrid AES/RSA encryption approach is still used. The two minor updates are the renaming of the registry key in which the RSA public session key is stored and the creation of a file used as a mutex while files are being encrypted. Additionally, the registry run key used for persistence is now a GUID-type string instead of an alphanumeric string.
On top of these minor changes, two major additions were discovered: the addition of a new deployment technique and the physical printing of ransom notes.
Active Directory deployment
One of the most significant changes identified during the analysis was the implementation of a novel deployment technique. The payload has the capability to automatically deploy itself to Microsoft Active Directory clients via Group Policy Objects (GPOs). When executed on an Active Directory domain controller, LockBit 2.0 creates several GPOs to carry out the infection process. The Windows Defender configuration is altered to avoid detection. It refreshes network shares, stops certain services and kills processes. The LockBit executable is then copied into the client desktop directories and executed. PowerShell is used to apply the new GPOs to all domain-joined hosts in a specified organizational unit (OU).
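As an added defender-side illustration (not code from the IBM write-up), the following Python sketch flags the behaviour described above: a burst of GPO creations by a single account on a domain controller, which a legitimate administrator rarely produces within seconds. The input is a constructed, simplified rendering of Windows Security event 5137 ("A directory service object was created") records; the field names, the 60-second window and the threshold of three are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified event 5137 shape; every value is invented.
SAMPLE_EVENTS = [
    {"time": "2021-08-02T01:10:00", "event_id": 5137, "object_class": "groupPolicyContainer",
     "subject": "CORP\\jsmith", "object_dn": "CN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local"},
    {"time": "2021-08-02T03:14:05", "event_id": 5137, "object_class": "groupPolicyContainer",
     "subject": "CORP\\svc-backup", "object_dn": "CN={00000000-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=corp,DC=local"},
    {"time": "2021-08-02T03:14:09", "event_id": 5137, "object_class": "groupPolicyContainer",
     "subject": "CORP\\svc-backup", "object_dn": "CN={00000000-0000-0000-0000-000000000003},CN=Policies,CN=System,DC=corp,DC=local"},
    {"time": "2021-08-02T03:14:12", "event_id": 5137, "object_class": "user",
     "subject": "CORP\\svc-backup", "object_dn": "CN=tmp,CN=Users,DC=corp,DC=local"},
    {"time": "2021-08-02T03:14:20", "event_id": 5137, "object_class": "groupPolicyContainer",
     "subject": "CORP\\svc-backup", "object_dn": "CN={00000000-0000-0000-0000-000000000004},CN=Policies,CN=System,DC=corp,DC=local"},
    {"time": "2021-08-02T03:14:31", "event_id": 5137, "object_class": "groupPolicyContainer",
     "subject": "CORP\\svc-backup", "object_dn": "CN={00000000-0000-0000-0000-000000000005},CN=Policies,CN=System,DC=corp,DC=local"},
]


def gpo_creation_bursts(events, window_seconds=60, threshold=3):
    """Return one finding per account whose GPO creations reach `threshold`
    inside any sliding window of `window_seconds`; non-GPO objects are ignored."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 5137 or ev["object_class"] != "groupPolicyContainer":
            continue
        by_account[ev["subject"]].append((datetime.fromisoformat(ev["time"]), ev["object_dn"]))
    window = timedelta(seconds=window_seconds)
    findings = []
    for account, items in by_account.items():
        items.sort()
        start, best = 0, None
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"account": account, "count": count,
                        "first": items[start][0].isoformat(), "last": items[end][0].isoformat(),
                        "gpos": [dn for _, dn in items[start:end + 1]]}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in gpo_creation_bursts(SAMPLE_EVENTS):
        print(f"{finding['account']} created {finding['count']} GPOs between {finding['first']} and {finding['last']}")
```

In production the same logic would run over events collected from every domain controller, and a hit should be triaged together with Defender configuration changes and new scheduled tasks or scripts linked from the flagged GPOs.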
The following is an example of the ransom note left behind after files are encrypted:
Figure 8: LockBit’s post-encryption ransom note (source: IBM X-Force)
Another interesting addition to the extortion techniques is a new LockBit functionality to repeatedly print the ransom note to any printers connected to the victim host.
A growing threat to watch for
LockBit does not appear to be slowing down, with regular leaks being published daily since the launch of their 2.0 affiliate program. It is likely that the ransomware payload will also continue to evolve and expand its capabilities. This ransomware group and the many others currently operating in the threat landscape present a major threat to organizations in all industries and geographies, except those in the Commonwealth of Independent States (CIS) countries where most malware operators avoid attacking local organizations.
Organizations should prioritize protecting their networks and data from this threat or risk joining the growing list of victims of RaaS affiliates. The following are a few actions companies can take that can help mitigate risks and minimize damage:
- Establish and drill an incident response team. Whether in-house or as a retained service, the formation of an incident response team and drilling the most relevant attack scenarios can make a big difference in attack outcomes and costs.
- Establish and maintain offline backups. Ensure backup files are stored where attackers cannot reach them, with read-only access. Also, consider the use of offsite/cold storage solutions. The availability of backup files is a significant differentiator that can help organizations recover from a ransomware attack.
- Implement a strategy to prevent unauthorized data theft, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse. Consider blocking outbound traffic to unapproved cloud hosting services.
- Employ user and entity behavior analytics to identify potential security incidents. When triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.
- Deploy multifactor authentication on all remote access points into an enterprise network — with particular care given to secure or disable remote desktop protocol (RDP) access. Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a targeted network.
- Use penetration testing to identify weak points in enterprise networks and vulnerabilities that should be prioritized for patching. In particular, we recommend implementing mitigations for CVE-2019-19781, which multiple threat actors have used to gain initial entry into enterprises in 2020 and 2021 — including for ransomware attacks.
- Consider prioritizing the immediate remediation, as applicable, of the following frequently exploited software vulnerabilities:
  - Restrict port access on TCP port 3389
  - Apply multifactor authentication to remote access logins
  - Remediate RDP vulnerabilities such as Windows RDP CVE-2019-0708 (BlueKeep)
- Segment networks according to the data they host.
- Encrypt the data most likely to be stolen in an attack.
- Consider adopting a zero trust approach and framework to better control what users can access and potentially halt an attack in its tracks.
If you are experiencing cybersecurity issues or an incident, contact X-Force for assistance: U.S. Hotline: 1-888-241-9812 | Global Hotline: +(001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.
Indicators of compromise