Analysis of LockBit Ransomware Samples and Considerations for Defense Against Targeted Ransomware

1.Overview


Recently, there has been an incident involving a financial institution falling victim to a ransomware attack. Information from various sources indicates a close association with the LockBit ransomware attack group. The use of the term “close association” by the Antiy CERT is qualitative due to LockBit operating as an attack organization based on the “Ransomware as a Service” (RaaS) model. They establish the infrastructure supporting ransom attacks, including the development and release of ransom attack malicious code payloads, provision of customized builders, creation of a unified ransom attack interface, and establishment of virtual currency payment channels. This enables various attack organizations and individuals to conduct operations by leveraging their “services.” In RaaS, the organization providing the service and the entities carrying out the attacks are typically not the same organization or individuals. They may even operate back-to-back. Moreover, payments are often conducted using encrypted digital currencies such as Bitcoin, adding significant complexity to comprehensive tracing and analysis of the event.
LockBit was named the most active ransomware attack group globally in 2022. It develops ransomware targeting various host systems and platforms, including Windows, Linux, macOS, and VMware virtualization. The ransomware generator allows for easy customization through simple interactions. LockBit encrypts only the first 4K data of the file header, resulting in a significantly faster encryption speed compared to other ransomware that encrypts the entire file. Due to the overwrite of sectors corresponding to the original file, victims cannot recover plaintext data before encryption through data recovery methods. The organization was first identified in September 2019, initially known as the ABCD ransomware due to the .abcd file extension on encrypted files. In June 2021, LockBit released version 2.0, introducing features to delete volume shadow and log files. It also launched the exclusive data stealing tool, StealBit, adopting a dual extortion strategy of threatening to expose (sell) enterprise data and encrypting data. In August 2021, the group’s attack infrastructure expanded to support DDoS attacks. In June 2022, the ransomware was updated to version 3.0, and due to code overlap with BlackMatter ransomware, it is also referred to as LockBit Black. This reflects potential personnel movement and capability exchange between different ransomware groups. Several organizations using LockBit RaaS have carried out numerous attack operations. They invade victim systems through third-party credential acquisition, weaponizing vulnerabilities, and deploying other malicious software. After infiltrating, they deploy ransomware, leading to a large number of victims facing ransom demands and data leaks. LockBit has become the most active ransomware attack group, even engaging in proactive spreading and PR activities.

2.Typical Cybersecurity Incidents in Recent Years


Attackers utilizing the LockBit ransomware organization’s RaaS services primarily gain initial access to victim systems through third-party credential acquisition, weaponizing vulnerabilities, and deploying other malicious software. After stealing data files, they deploy the LockBit ransomware to achieve encryption. The organization has a considerable number of affiliated members, and its Tor website sees almost daily additions of victim information from around the world. Since adopting the dual extortion strategy of “threatening to expose enterprise data + encrypting data for ransom,” the Tor website has published information on over 2,200 victim enterprises. As of 2023, more than 900 victim enterprise records have been released. If affiliated members and victim enterprises negotiate privately, their information is not disclosed on the Tor site, indicating that the actual number of victim enterprises may surpass the publicly disclosed figure.

Table 2.1: List of Typical Incidents Encountering LockBit Ransomware Attacks”

Date

Victim unit

Influence

August 2021

Irish IT consultancy Accenture

Stealed approximately 6 TB of data and demanded a ransom of $50
million

January
2022

French
Thales Group

Part of the data was made public; in
November of the same year, it suffered another ransomware attack, and about
9.5 GB of stolen data was made public.

February 2022

Bridgestone Americas Branch

The company
suspended some operations and data from the victim system was stolen.

June
2022

US
digital security company Entrust

Some data was stolen

July 2022

French telecom operator La Poste Mobile

As a result,
some systems were shut down, the official website was shut down for more than
10 days, and some user information was made public.

October
2022

Bank
of Brasilia

Some data was stolen and a ransom of 50
BTC was demanded.

November 2022

Continental

Stealed about 40
GB of data and demanded a ransom of $50 million

December
2022

California
Department of the Treasury

Approximately 76 GB of data stolen

January 2023

Royal Mail

International
export services were disrupted, approximately 45 GB of data was stolen, and a
ransom of US$80 million was demanded.

June
2023

TSMC
supplier Qinghao Technology

Some data was stolen and a ransom of $70
million was demanded.

August 2023

Montreal Electric Service Commission, Canada

Approximately 44
GB of data stolen

October
2023

Boeing
Airlines

Approximately 43 GB of data stolen

3.Overview of Attack Organizations and Corresponding Attack Situations


Table 3.1: Basic Information of LockBit Attack Organization

Organization Name:

LockBit

Former Name

ABCD

Appearance Time

September 2019

Typical Breach Methods

Apart from phishing attacks, third-party credential acquisition,
weaponization of vulnerabilities, and carrying other malicious software

Typical Encryption Suffix

9-digit individual ID composed of random
letters and numbers

Decryption Tools

No publicly available decryption tools discovered as of now

Targeted Systems for
Encryption

Windows, Linux, macOS, VMware, etc.

Operational Mode

Ransomware as a service, based on ransom payment and data sales

Modes of Intrusion

Encryption-induced paralysis, data theft,
DDoS service disruption

Commonly Targeted Industries

Finance, services, construction, education, IT, manufacturing

Common Countries/Regions

United States, United Kingdom, Germany,
Canada

Multiple Ransom Combinations

Yes

Ransom Letter Sample

4.Typical Tactics, Techniques, and Procedures (TTPs) in the Historical Linked Cyber Attack Activities


Organizations leveraging the LockBit RaaS infrastructure for ransomware attacks involve a considerable number of personnel with diverse operational styles, and many incidents lack detailed disclosure. Analyzing the entire attack lifecycle, including entry points, intrusion methods, lateral movement, and paths for stealing critical assets, is challenging due to limited information. We have compiled a list of common tactics and techniques based on the clues currently available and annotated them using the ATT&CK framework.

Figure 4.1: Common Tactical Behavior Patterns in LockBit-Related Ransomware Attacks

The corresponding list is as follows:

Table 4.1: Common Tactical Behavior List in LockBit-Related Ransomware Attacks

ATT&CK Stage

Specific Behavior

Notes

Initial access

Watering Hole Attack

Implanting malicious code in websites frequently visited by the
victim.

Exploitation of Public-Facing Applications

Exploiting vulnerabilities to access the victim’s system, such as
using Citrix-related vulnerabilities.

Exploitation of External Remote Services

Exploiting RDP to access the victim’s network

Phishing

Using phishing and spear-phishing to access the victim’s network

Use of Valid Accounts

Obtaining and abusing credentials of existing accounts as a means
to gain initial access

Implement

Using commands and script interpreters to execute malicious
commands

Deploying with batch scripts

Using third-party software deployment tools

Deploying with the Chocolatey command-line package manager

Utilizing system services

Executing commands or payloads using PsExec

Persistence

 

Perform boot or login using autostart

Enable automatic execution for persistence

Valid account

Use compromised user accounts to maintain persistence on target
networks

Elevate privileges

 

Abuse of elevated control mechanisms

Use ucmDccwCOM method in UACMe to bypass UAC

Perform boot or login using autostart

Enable automatic login for privilege escalation

Modify using domain policy

Create group policies for lateral movement and the ability to force
group policy updates

Use a valid account

Escalating privileges using compromised user accounts

Defense evasion

 

Execution scope protection

Entering the correct parameters will decrypt the main component or
continue to decrypt and decompress the data

Weaken defense mechanisms

Use tools such as PCHunter, PowerTool, and Process Hacker to
disable and uninstall processes and services related to security software

Delete beacon

Clear Windows event log files, ransomware self-deletes

Obfuscated files or information

Encrypted data will be sent to its command and control (C2)

Credential access

 

Brute force cracking

Use VPN or RDP brute force to achieve initial access

Get the credentials from where the password is stored

Use PasswordFox to get the password of Firefox browser

Operating system credential dump

Use ExtPassword or LostMyPassword for obtaining operating system
login credentials

Discover

 

Scan network services

Scan target network using SoftPerfect

Discover system information

Enumerate system information including hostname, host
configuration, domain information, local drive configuration, remote shares,
and mounted external storage devices

Discover system location

Computers whose language settings match the defined exclusion list
will not be infected

Lateral movement

Utilize remote services

Move laterally across the network and access domain controllers

Collect

Compress/encrypt collected data

Use 7-zip to compress or encrypt collected data before stealing it

Command and control

 

Use application layer protocols

Using FileZilla for C2 Communication

Use standard non-application layer protocols

Establishing a SOCKS5 or TCP tunnel from the reverse connection
using Ligolo

Use protocol tunneling

Use Plink to automate SSH operations on Windows

Utilize remote access software

Remote control using tools such as AnyDesk, Atera RMM or
TeamViewer

Data exfiltration

 

Automatic exfiltration of data

Use StealBit custom penetration tools to steal data from target
networks

Using web service postbacks

Use public file sharing services to steal a target’s data

Influence

corrupted data

Delete log files and empty recycle bin

Data Encryption That Causes Harmful Impact

Encrypt data on target systems to disrupt system and network
availability

Tampering with visible content

Change the host system’s wallpaper and icon to LockBit 3.0
wallpaper and icon respectively

Disable system recovery

Delete shadow copies on disk

Disable service

Terminate specific processes and services

5.Analysis of LockBit for Windows 3.0 Version Samples


Due to RaaS-supported ransomware attacks being carried out by multiple organizations utilizing a unified attack infrastructure, these organizations rely on their individual attack capabilities and access resources. They employ a common set of foundational code versions, iterating and refining payloads to evade detection. Therefore, RaaS combined with targeted ransomware analysis involves a multifactorial comprehensive examination, particularly focusing on the analysis of attack infrastructure, tactics, and sample attacks separately. LockBit has payloads targeting various common system platforms. In this article, we will first release a historical analysis of its For Windows 3.0 version, followed by the analysis of other samples in subsequent releases.

Table 5.1: Sample Labels

Virus family name

Trojan/Win32.LockBit

MD5

38745539B71CF201BB502437F891D799

Processor architecture

Intel 386 or later,
and compatibles

File size

162.00 KB
(165888 bytes)

file format

BinExecute/Microsoft.EXE[:X86]

Timestamp

2022-06-27
14:55:54

digital signature

none

Packing type

none

compiled language

C/C++

VT first upload time

2022-07-03 16:18:47

VT test results

64/72

Note: You can find more information about the LockBit virus family by searching for “LockBit” on the Virusview.net computer virus classification encyclopedia.

After the execution of LockBit 3.0 ransomware, it releases .ico and .bmp files in the %PROGRAMDATA% path. These files are used as icons for subsequently encrypted files and modified desktop wallpaper.

Image 5.1: Additional File Extensions

The ransomware releases a ransom note containing a Tor address for ransom communication.

Image 5.2: Ransom Note

The modified desktop background is as shown in the following image.

Image 5.3: Modified Desktop Background

LockBit 3.0’s code segment is encrypted, and upon execution, it decrypts based on the provided “-pass” command-line parameter. Without the correct password, execution is not possible. This method is employed to prevent the analysis of the core functionality.

Image 5.4: Decryption of the Code Segment

It uses the NtSetThreadInformation function to set the thread information to ThreadHideFromDebugger, aiming to interfere with analysts and researchers during the analysis process.

Image 5.5: Code Segment for Analysis Interference

It detects the system language, and if it is a specific language, it exits the program and ceases further execution.

Image 5.6: Language Check

The specific list of checked languages is as follows. By observing the systems it avoids, it’s evident that the LockBit organization itself exhibits strong Eastern European characteristics.

Table 5.2: List of Checked Languages

System Language

Arabic (Syria)

Russian (Moldova)

Armenian
(Armenian)

Russian (Russia)

Azerbaijani (Cyrillic Azerbaijani)

Tajik (Cyrillic Tajikistan)

Azerbaijani
(Latin Azerbaijani)

Turkmenistan
(Turkmenistan)

Belarusian (Belarus)

Tatar (Russia)

Georgian
(Georgia)

Ukrainian
(Ukraine)

Kazakh (Kazakhstan)

Uzbek (Cyrillic Uzbekistan)

Kyrgyzstan
(Kyrgyzstan)

Uzbek (Latin
Uzbekistan)

Romanian (Moldova)

 

It creates multiple threads for encryption and sets these threads to be hidden.

Image 5.7: Create a file encryption thread

6.Targeted Ransomware Attacks: Challenges to Cybersecurity and Considerations for Response


From the perspective of the consequences and losses caused by targeted ransomware attacks, we must alter our perception paradigm regarding the interplay between security risks and value. As targeted ransomware attacks have evolved into a combination of data theft, system and business paralysis, data trafficking, and exposure, the maximal risk is not only the irrecoverable breakdown of systems and business operations. Simultaneously, there is the looming danger of the core assets of the attacked enterprise—user information, critical data, documents, records, code, and more—being sold or exposed, resulting in more significant ripple effects. From a long-term perspective in both domestic and international contexts, a significant proportion of improvements in the security posture of government and enterprise institutions do not stem from proactive measures to enhance defense capabilities. Many enterprises and institutions consider the most probable security risk not to be a direct attack but rather the failure to meet compliance standards, leading to penalties. Consequently, this has established a logic of low-level construction and operation involving investment, compliance, and immunity. The consequences brought about by targeted ransomware attacks force IT decision-makers to assess extreme risks and evaluate the value of cybersecurity work through the lens of potential extreme losses. Avoiding prolonged business interruptions, irrecoverable data loss, the purchase of stolen data assets by competitors, or severe devaluation due to exposure are all extreme situations that IT decision-makers in every organization must address. An objective understanding of the threat scenario is a prerequisite for effective cybersecurity defense. Consequence deduction based on a baseline mindset is also part of this scenario. In terms of budget allocation, we typically use the proportion of cybersecurity spending to overall IT spending as a metric. This often places cybersecurity in a subordinate, auxiliary, or suppressed position within the broader IT landscape. Whether the consequences of cybersecurity risks should be the primary metric for security investment is also a point for consideration.
Looking at the operational mode of targeted ransomware attacks, we must recognize that, before the encryption and paralysis actions are triggered, there is a highly customized operational process similar to APT attacks. Attackers or professional attack teams exhibit a firm intent to attack, high-level capabilities, ample exploit resources, and access to a significant amount of exploitable vulnerability intelligence and attack entry resources. Some attackers may even be insiders. This is the reason why targeted ransomware attacks relying on RaaS can succeed repeatedly, even against large organizations with strong IT operational capabilities and defense investments. Whether serving as the last line of defense in ransomware protection through host system defenses or as the final means of response in backup and recovery, both are single points of failure. They play a partial role in detecting and blocking attacks, reducing the success rate of attacks, increasing the cost of attacks, and lowering the risk of losses within their own capability scope. However, they cannot single-handedly counter systematic attacks. We must seriously point out that equating targeted ransomware attacks to the early indiscriminate spread or widespread deployment of ransomware is a simplistic view. Considering ransomware defense as a straightforward battle between encryption paralysis and backup recovery is a highly outdated and one-sided security perspective. If there isn’t a comprehensive protection system and operational mechanism in place, and relying solely on data backup and recovery to address ransomware attacks is akin to having only one goalkeeper facing an entire opposing team.
From the characteristics of the kill chain in targeted ransomware attacks, we must firmly believe in a systematic approach and practical measures for preventing such attacks. In the face of systematic attacks, it is essential to insist on moving the defense perimeter forward, deploying proactively, creating depth, and establishing a closed-loop operation. Enhancing the ability to detect and intercept attackers’ reconnaissance and activities in the peripheral zones is crucial. This helps reduce the likelihood of attackers reaching the core zones. Improving the manageability of networks and assets is foundational work: actively shaping and reinforcing the security environment, strengthening constraints and management of the attack surface, controlling the upstream entry points in the supply chain, and initiating comprehensive log audit analysis and monitoring operations. Constructing defense in depth from the topological to the systemic side is key. Implementing layered defenses against attacker behaviors such as detection, delivery, vulnerability exploitation, code execution, persistence, and lateral movement is crucial. Special emphasis should be placed on building robust protection on the host and system side, serving as the last line of defense and a fundamental part of the overall defense. Building fine-grained governance capabilities around the identification and control of execution entities is vital. Ultimately, the protection system should achieve real-world operational effectiveness by perceiving, disrupting, blocking, and presenting the kill chain of targeted attacks.
Appendix 1: Partial Efforts by Antiy to Assist Regulatory Authorities, Clients, and the Public in Addressing Ransomware Attacks
ANTIY has consistently been dedicated to enhancing customers’ effective defense capabilities and working collaboratively with them to improve understanding and awareness of security.
ANTIY has been actively monitoring the evolution of ransomware attacks, consistently releasing threat assessment reports. On June 14, 2006, the company intercepted and analyzed the earliest domestic ransomware, redplus (Trojan.Win32.Pluder.a). Subsequently, they published important reports such as “Unveiling the True Face of Ransomware” (2015) [2], “In-Depth Analysis Report on ANTIY’s Response to Ransomworm ‘WannaCry'” [3], “Analysis of the Ransomware Sodinokibi Operation Organization” [4], and “Sample and Follow-up Analysis of Ransomware Attack on a US Fuel Pipeline Company” [5]. Particularly noteworthy is their prediction, made five months before the widespread outbreak of the WannaCry ransomworm, that ransomware attacks would trigger a resurgence of worms [6]. During the WannaCry ransomworm incident, ANTIY swiftly conducted analysis and provided users with protection manuals [7], startup guides [8], as well as immune tools, specialized killing tools, memory key retrieval, and recovery tools. In response to the “PETYA” ransomware disguised as a ransom attack, ANTIY was quick to accurately assess that it might not be a typical ransom attack. ANTIY CERT continuously tracks various ransomware families and RaaS attack organizations. They have released sample analysis reports and protection recommendations for popular ransomware families such as LockBit [9], GandCrab [10], and Sodinokibi. Notably, they launched a special series of articles titled “Understanding Ransom Attacks and Harms from Eight Perspectives” [11][12][13][14][15][16] on their vertical response platform, aiding governmental and enterprise clients, as well as the public, in understanding ransom attacks and enhancing awareness. In 2021, to strengthen prevention and response to ransomware attacks, under the guidance of the Network Security Management Bureau of the Ministry of Industry and Information Technology, the China Academy of Information and Communications Technology, in collaboration with ANTIY and other units, compiled and released the “Ransomware Security Protection Manual” [17]. This manual provides detailed and itemized recommendations on how to prevent ransomware attacks.
ANTIY relies on its independently developed AVL SDK antivirus engine to support its products and the collaborative ecosystem with engine partners in detecting and removing malicious code, including ransomware, with precision. The ANTIY Intelligent Terminal Defense System and the Ruijia Cloud Protection System are based on the fundamental concept of ANTIY’s execution entity governance. They assist clients in shaping a trusted and secure host environment. On the endpoint, ANTIY Intelligent Terminal Defense System establishes a combination of security mechanisms, including system reinforcement, host intrusion prevention system (HIPS), scan filtering, execution control, behavior protection, and focused data protection. These mechanisms create multiple layers of defense against ransomware attacks. The focused data protection mechanism, in particular, is designed to intercept bulk file reads and writes. In cases where other security mechanisms are bypassed and rendered ineffective, it attempts to achieve behavior interception and stop-loss. However, ANTIY does not believe in a one-size-fits-all solution for cybersecurity. The company is committed to ensuring that its engine and each product can maximize their value in their operational positions and undergo real-world testing in confrontations. For more information, you can refer to “ANTIY Products Help Users Effectively Defend Against Ransomware Attacks” [18].

Appendix 2: Reference


[1] “Ransomware attack on China’s biggest bank may have hit US Treasury market” [R/OL]. (2023-11-10), https://www.cnn.com/2023/11/10/investing/icbc-ransomware-attack-hnk-intl/index.html.
[2] ANTIY. “Unveiling the True Face of Ransomware” [R/OL]. (2015-08-03), https://www.antiy.com/response/ransomware.html
[3] ANTIY. “In-Depth Analysis Report on ANTIY’s Response to Ransomworm ‘WannaCry'” [R/OL]. (2017-05-13), https://www.antiy.com/response/wannacry.html
[4] ANTIY. “Analysis of the Ransomware Sodinokibi Operation Organization” [R/OL]. (2019-06-28), https://www.antiy.com/response/20190628.html
[5] ANTIY. “Sample and Follow-up Analysis of Ransomware Attack on a US Fuel Pipeline Company” [R/OL]. (2021-05-11), https://www.antiy.com/response/20210511.html
[6] ANTIY. “Review and Outlook of Network Security Threats in 2016” [R/OL]. (2017-01-06), https://www.antiy.com/response/2016_Antiy_Annual_Security_Report.html
[7] ANTIY. “ANTIY’s Protection Manual for WannaCry Ransomware” [R/OL]. (2017-05-13), https://www.antiy.com/response/Antiy_Wannacry_Protection_Manual/Antiy_Wannacry_Protection_Manual.html
[8] ANTIY. “ANTIY’s Monday Startup Guide for WannaCry Ransomware” [R/OL]. (2017-05-14), https://www.antiy.com/response/Antiy_Wannacry_Guide.html
[9] ANTIY. “ANTIY’s Effective Protection against LockBit2.0 Ransomware” [R/OL]. (2021-09-20), https://www.antiy.cn/observe_download/observe_296.pdf
[10] ANTIY. “GANDCRAB Ransomware Focuses on ‘Dash’,” ANTIY’s Effective Protection [R/OL]. (2018-02-28), https://www.antiy.com/response/20180228.html
[11] ANTIY. “Four Role Divisions in Ransom Attacks” [R/OL]. (2021-11-23), https://mp.weixin.qq.com/s/oMneQmmYQF5B4nWVulJl1g
[12] ANTIY. “Two Typical Patterns of Ransom Attacks” [R/OL]. (2021-11-23), https://mp.weixin.qq.com/s/nrbVpjA2-jfTzjojbyFpJA
[13] ANTIY. “Analysis of the Ransom Attack Kill Chain” [R/OL]. (2021-11-24), https://mp.weixin.qq.com/s/24bIz-e4_Ts-Th0ecCWfgQ
[14] ANTIY. “Four Ransom Types and Five Attack Characteristics” [R/OL]. (2021-11-25), https://mp.weixin.qq.com/s/RL4E9v4wvazgj2UNdbMypA
[15] ANTIY. “Ten Typical Ransomware Families” [R/OL]. (2021-11-26), https://mp.weixin.qq.com/s/Jmz58xQBcytCIWx51yxBTQ
[16] ANTIY. “Trends in Ransom Attack Development” [R/OL]. (2021-11-26), https://mp.weixin.qq.com/s/1wehEDr7dTo-wdJYzfoS-A
[17] China Academy of Information and Communications Technology. “Ransom Virus Security Protection Manual” [R/OL]. (2021-09), http://www.caict.ac.cn/kxyj/qwfb/ztbg/202109/P020210908503958931090.pdf
[18] ANTIY. “ANTIY Products Help Users Effectively Defend Against Ransomware Attacks” [R/OL]. (2021-11-01), https://mp.weixin.qq.com/s/nOfhqWiw6Xd7-mvMt2zfXQ