LOCKBIT 3.0 TTP

Who is LOCKBIT 3.0

LockBit 3.0, also known as LockBit Black, is a cybercriminal group that operates a Ransomware-as-a-Service (RaaS) offering. Its ransomware encrypts the victim's files and steals their data; victims who do not pay the demanded amount are threatened with publication of the stolen data.

LOCKBIT 3.0 History

LockBit was first observed in September 2019. Since then it has evolved: LockBit 2.0 emerged in 2021, and the current version, LockBit 3.0, was discovered in June 2022. Government agencies have not officially attributed the group to any nation-state, but the group operates in Russian, which points to a Russian-speaking cybercriminal origin.

The LockBit gang considers itself the "Robin Hood" of ransomware groups. The group promotes the purportedly "ethical" use of ransomware and claims that they will not target healthcare, education, charitable, or social service organizations.

According to a joint statement by various government agencies, LockBit 3.0 was the most widespread ransomware in the world in 2022. It was estimated to be responsible for 44% of all ransomware incidents globally in early 2023. While the average ransom amount per incident is typically nearly $1 million, LockBit victims pay an average ransom of approximately $85,000, indicating that LockBit targets small and medium-sized organizations.

LOCKBIT 3.0 TTP
TACTICS

CAPABILITIES

During compilation, LockBit 3.0 is configured with various options that determine its behavior, and additional arguments supplied at execution time can alter it further. For instance, LockBit 3.0 accepts arguments for specific operations such as lateral movement and rebooting into Safe Mode. For certain operations affiliates must supply a password argument; without it the ransomware cannot run. This password is the cryptographic key protecting the LockBit 3.0 executable: the code stays encrypted, and therefore unreadable and unexecutable, until the correct password is supplied, which hinders detection and analysis.

LockBit 3.0 refrains from infecting machines whose language settings match an exclusion list that includes languages such as Moldovan (Romanian), Syrian (Arabic), and Russian (Tatar). Whether the system language is checked at runtime depends on a configuration flag set during compilation. When an excluded language is detected, LockBit 3.0 halts execution without infecting the system.

Initial Access

Affiliates deploying LockBit 3.0 ransomware typically gain initial access to victim networks through the following means:

  • Remote desktop protocol (RDP) exploitation [T1133]
  • Drive-by compromise [T1189], phishing campaigns [T1566]
  • Abuse of valid accounts [T1078]
  • Exploitation of public-facing applications [T1190]

Execution and Infection Process

LockBit 3.0 accomplishes the following functions among its operations:

  • Enumerating system information such as host name, host configuration, domain information, local drive configuration, remote shares, and attached external storage devices [T1082]
  • Terminating processes and services [T1489]
  • Initiating commands [TA0002]
  • Enabling automatic logon for persistence and privilege escalation [T1547]
  • Deleting log files, files in the recycle bin folder, and shadow copies residing on disk [T1485], [T1490]
  • Propagating across the victim network, either with a pre-configured list of hardcoded credentials established at compile time or by compromising a local account with elevated privileges [T1078]
  • Propagating via Group Policy Objects and PsExec, when these options are enabled at compile time; LockBit 3.0 uses the Server Message Block (SMB) protocol for this
  • Attempting to encrypt data stored on any local or remote device [T1486], while skipping files associated with core system functions
  • After encryption, dropping a ransom note named .README.txt and replacing the host's wallpaper and icons with LockBit 3.0 branding [T1491.001]
  • Sending encrypted host and bot information to a command and control (C2) server if required [T1027]
  • Upon completion, depending on the options set at compile time, deleting itself from disk [T1070.004] and erasing any Group Policy updates it applied

Exfiltration

LockBit has a proprietary data exfiltration tool called StealBit, which affiliates have used to steal victim data. Affiliates also use the open-source command-line cloud storage manager Rclone on the victim host to upload the stolen sensitive data to the following file-sharing services:

  • https://mega[.]io
  • https://www.premiumize[.]com
  • https://anonfiles[.]com
  • https://www.sendspace[.]com
  • https://fex[.]net
  • https://transfer[.]sh
  • https://send.exploit[.]in
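As an added example that is not part of the original page, the Python sketch below applies the behaviours described above (Rclone execution, connections to the listed file-sharing services, PsExec propagation and the .README.txt ransom note) to constructed endpoint telemetry; the pipe-delimited log layout, host names, paths and timestamps are assumptions of the example.

```python
import re
from collections import defaultdict

# File-sharing services the page lists as affiliate exfiltration destinations.
EXFIL_HOSTS = ("mega.io", "premiumize.com", "anonfiles.com", "sendspace.com",
               "fex.net", "transfer.sh", "send.exploit.in")

# Constructed telemetry (hosts, paths and timestamps are made up); the
# pipe-delimited "time|host|type|detail" layout is an assumption of this example.
SAMPLE_LOG = """\
2024-05-01T09:58:01|WS-07|process|C:\\Tools\\rclone.exe copy D:\\Finance remote:dump
2024-05-01T09:58:03|WS-07|net|tcp 10.20.0.7 -> files.mega.io:443
2024-05-01T10:02:10|WS-07|process|C:\\Windows\\System32\\svchost.exe -k netsvcs
2024-05-01T10:04:44|SRV-02|process|C:\\Tools\\PsExec.exe \\\\WS-09 -s C:\\Temp\\payload.exe
2024-05-01T10:05:12|WS-09|file|create C:\\Users\\jdoe\\Documents\\.README.txt
2024-05-01T10:07:00|WS-11|net|tcp 10.20.0.11 -> updates.example.org:443
"""

def is_exfil_host(name):
    """True when name is one of the listed services or a subdomain of one."""
    name = name.lower()
    return any(name == h or name.endswith("." + h) for h in EXFIL_HOSTS)

def classify(kind, detail):
    """Map one event to a LockBit 3.0 behaviour described above, or None."""
    d = detail.lower()
    if kind == "process" and re.search(r"\brclone(\.exe)?\b", d):
        return "Rclone execution (cloud-storage exfiltration tooling)"
    if kind == "process" and re.search(r"\bpsexec(\.exe)?\b", d):
        return "PsExec remote execution (propagation across the network)"
    if kind == "net":
        m = re.search(r"->\s*([\w.-]+):\d+", d)
        if m and is_exfil_host(m.group(1)):
            return "connection to exfiltration service " + m.group(1)
    if kind == "file" and d.endswith(".readme.txt"):
        return "ransom note written (.README.txt)"
    return None

def analyze(log_text):
    """Return {host: [(timestamp, finding), ...]} for every matching event."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue            # skip malformed or empty lines
        ts, host, kind, detail = parts
        label = classify(kind, detail)
        if label:
            findings[host].append((ts, label))
    return dict(findings)
```

Calling analyze(SAMPLE_LOG) groups the hits by host, so a Rclone launch followed by a connection to one of the listed services on the same host stands out as a likely exfiltration sequence rather than two isolated alerts.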
Leveraging Free Software and Open Source Tools

TECHNIQUES

PROCEDURE

  • Attack Vector
  • Deobfuscation and Unpacking the Payload
  • Protections Against Debugging and Other Controls
  • Privilege Escalation
  • Logging
  • Terminating Processes and Services
  • Deleting Backups
  • Victim Identifier Generation
  • File Encryption
  • Ransom Note
  • IoCs
