
What is LockBit Ransomware? Types & How Does LockBit Spread

Craig Smilowitz | Updated on November 3, 2023


LockBit has become the most prominent name in ransomware attacks and has been implicated in numerous recent incidents, including the one that affected Royal Mail’s international operations. Here is everything we know so far about LockBit and how it works.

What is LockBit Ransomware?

LockBit is a ransomware group that kept a low profile for several years before recently gaining attention. Formerly known as ABCD ransomware, LockBit has evolved into a distinct danger within the spectrum of extortion tools. It carries out its attacks mainly via email attachments.

Attacks using LockBit ransomware can be traced back to September 2019, when it earned its first nickname, the “abcd virus.” The nickname was derived from the filename used when encrypting a victim’s data.

LockBit is a type of ransomware that demands a financial payment in return for decryption. It mainly targets businesses and government agencies rather than consumers: institutions that would be hampered by the disruption and have sufficient means to pay a large ransom.

The group is considered one of the most prolific and aggressive operations in this industry, and its actions are raising anxiety among security professionals worldwide. In December 2022, a LockBit member attacked the SickKids hospital in Canada, disrupting internal systems and communication lines and delaying medical scans and lab tests. In November, the US Department of Justice stated that LockBit’s ransomware had been deployed against at least 1,000 victims globally, including in the US.

The following characteristics make LockBit particularly distinctive:

  1. Triple-extortion method
  2. Sophisticated technology
  3. High-severity cyber attacks

Types of LockBit Ransomware

LockBit has undergone continuous updates and revisions, with recent versions able to bypass safety prompts when running an application as an administrator. It also steals server data and includes additional threats in the ransom note. For example, LockBit now warns victims of potential public exposure of their private information if they fail to comply with the demands. Below are some of the most notable variants to watch out for:

Variant 1: .abcd extension – The original version of LockBit appends the “.abcd” extension to encrypted files. It then leaves a ransom note named “Restore-My-Files.txt” in every folder, containing instructions for both payment and data recovery.

Variant 2: .LockBit extension – A later variant of LockBit uses the “.LockBit” file extension for encrypted files. It bears the same characteristics as its predecessor, with some modifications to the backend code.

Variant 3: LockBit version 2 – The subsequent version of LockBit ransomware removes the need to download the Tor browser. Instead, it redirects victims to a website where they can view instructions for making payments and recovering files.

Variant 4: LockBit version 3 – LockBit 3.0, also known as “LockBit Black,” operates as a Ransomware-as-a-Service (RaaS) model. It is more modular and evasive than previous versions and is deployed by affiliates who use various tactics to target businesses and critical infrastructure. It is highly configurable and can be modified during execution to suit the attacker’s objectives. It will only infect machines that do not have language settings matching a defined exclusion list, which is determined by a configuration flag set during compilation. Initial access is gained through various methods such as RDP exploitation, phishing campaigns, abuse of valid accounts, and the exploitation of public-facing applications. Once inside the network, LockBit 3.0 attempts to escalate privileges and perform actions such as gathering system information, terminating processes and services, launching commands, enabling persistence, and deleting log files and shadow copies. It also attempts to spread across the network using a preconfigured list of credentials or compromised local accounts with elevated privileges. After encrypting files, LockBit 3.0 leaves a ransom note, changes the host’s wallpaper and icons, and may send encrypted data to a command and control server.

It may also delete itself from the disk and roll back any Group Policy updates that were made. LockBit 3.0 affiliates use custom exfiltration tools, such as StealBit, and publicly available file-sharing services to exfiltrate sensitive company data before encrypting it.
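The pre-encryption behaviour described above (deleting shadow copies, disabling recovery, clearing logs) is one of the few reliable moments to catch the intrusion before files are locked, because those actions show up as distinctive command lines in process-creation telemetry. The following is an added example, not code from this article or from Lepide, of a small detector over constructed process-creation events; the event format, user names and command lines are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry), in a
# simplified "user|parent_process|command_line" form.
SAMPLE_EVENTS = [
    "svc_backup|backup-agent.exe|vssadmin list shadows",
    "alice|explorer.exe|notepad.exe C:\\Users\\alice\\notes.txt",
    "alice|cmd.exe|vssadmin delete shadows /all /quiet",
    "alice|cmd.exe|wbadmin delete catalog -quiet",
    "alice|cmd.exe|bcdedit /set {default} recoveryenabled no",
    "alice|cmd.exe|wevtutil cl Security",
    "bob|powershell.exe|Get-ChildItem C:\\Temp",
]

# Each rule pairs a readable name with a pattern for a command that inhibits
# recovery or destroys evidence (MITRE ATT&CK T1490 / T1070.001). Listing or
# reading shadow copies is legitimate admin activity and is deliberately not matched.
RULES = [
    ("shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow copies deleted (wmic)",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup catalog deleted (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("boot recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\s.*\brecoveryenabled\s+no\b", re.I)),
    ("event log cleared (wevtutil)",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    user: str
    parent: str
    rule: str
    command: str


def parse_event(line: str):
    """Split one 'user|parent|command' event; return None for malformed lines."""
    parts = line.split("|", 2)
    return tuple(parts) if len(parts) == 3 else None


def scan_events(lines):
    """Return one Finding per event whose command line matches a rule."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        user, parent, command = parsed
        for name, pattern in RULES:
            if pattern.search(command):
                findings.append(Finding(user, parent, name, command))
                break  # one finding per event is enough
    return findings


def severity_by_user(findings):
    """Map each user to 'high' when two or more distinct techniques were seen,
    otherwise 'medium'. Several recovery-inhibiting commands from the same
    account in one batch is the pre-encryption pattern described above, so it
    is escalated rather than treated as isolated admin noise."""
    seen = {}
    for f in findings:
        seen.setdefault(f.user, set()).add(f.rule)
    return {user: ("high" if len(rules) >= 2 else "medium") for user, rules in seen.items()}


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.user}] {f.rule}: {f.command}")
    print(severity_by_user(results))
```

The escalation step matters more than any single pattern: a lone backup-catalog deletion by a backup service account is often benign, whereas the same user account deleting shadow copies, disabling recovery and clearing the Security log within one session is the sequence this article attributes to LockBit 3.0 and deserves an immediate response.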

How LockBit Ransomware Works

The LockBit ransomware behaves similarly to the “LockerGoga & MegaCortex” malware family and therefore follows these phases in its operation:

  • Exploitation: The initial breach by LockBit ransomware looks much like prior attacks. It may use social engineering, such as phishing, in which attackers impersonate trusted individuals or authorities to obtain access credentials. Brute-force attacks on an organization’s intranet servers and network systems are also feasible options. Attack probes may take only a few days to complete if the network is not correctly configured.
    Once LockBit has made it inside a network, the ransomware prepares the system to unleash its encrypting payload across every device it can reach. An attacker may still need to complete a few more steps before making their final move.
  • Infiltration: From this point on, the LockBit script is in charge of all activity. It is designed to use “post-exploitation” methods to escalate privileges and attain an attack-ready degree of access. It also examines the access reachable through lateral movement to assess target viability. LockBit takes whatever precautions are necessary before distributing the encryption component of the ransomware, including turning off security programs and any other infrastructure that would allow system recovery. The purpose of infiltration is to make unaided recovery impossible, or so slow that paying the attacker’s ransom is the only viable option. When the victim is desperate to resume regular operations, they will pay the ransom.
  • Deployment: After the network has been adequately prepared, the ransomware begins spreading to each system it can reach. As previously noted, LockBit does not require much to complete this step: a single system with elevated access can send orders to other network units to download and run LockBit. All system files are “locked” during the encryption process, and only a specific key generated by LockBit’s proprietary decryption program can unlock victims’ PCs. In addition, copies of a basic ransom note text file are left in each system folder. It gives the victim instructions for recovering their system and, in some LockBit versions, has also contained blackmail threats.

How Does LockBit Ransomware Spread?

Ransomware is commonly disseminated by phishing emails that contain malicious files or through drive-by downloading. Drive-by downloading happens when a person accesses an infected website inadvertently, and malware is downloaded and installed without the user’s awareness.

LockBit employs tools (Windows PowerShell or Server Message Block) in patterns that are common to almost all Windows computer systems, so endpoint security systems struggle to distinguish its behavior from legitimate activity. It also disguises the executable encrypting file as the common .PNG picture file type, fooling system defenses even further.
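An extension tells you nothing about what a file actually contains; the first few bytes do. The following is an added example, not code from this article or from Lepide, of a content-versus-extension check that flags a file whose name claims to be an image or PDF but whose header is the “MZ” signature of a Windows executable. The magic-byte table, the sample file names and the sample headers are assumptions constructed for the example (the “MZ” sample is padding, not a real program).

```python
from pathlib import Path, PurePath

# Expected leading bytes for image/document types an executable might be
# disguised as. Only these extensions are checked; others return "unchecked".
MAGIC_BY_EXT = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".bmp": b"BM",
    ".pdf": b"%PDF",
}
# Windows PE executables (.exe/.dll) start with the DOS "MZ" header.
PE_MAGIC = b"MZ"
HEADER_LEN = 8  # longest signature in MAGIC_BY_EXT is 8 bytes


def classify(name: str, head: bytes) -> str:
    """Compare a file's claimed extension with its first bytes.

    Returns:
      "ok"           - content matches the extension
      "pe_disguised" - extension claims an image/document but content is a PE
      "mismatch"     - content is neither the claimed type nor a PE
      "unchecked"    - extension not in MAGIC_BY_EXT
    """
    expected = MAGIC_BY_EXT.get(PurePath(name).suffix.lower())
    if expected is None:
        return "unchecked"
    if head.startswith(expected):
        return "ok"
    if head.startswith(PE_MAGIC):
        return "pe_disguised"
    return "mismatch"


def scan_directory(root: str):
    """Walk a directory tree and return {path: verdict} for every flagged file
    (verdicts other than "ok"/"unchecked"). Reads only HEADER_LEN bytes per file."""
    flagged = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                verdict = classify(path.name, fh.read(HEADER_LEN))
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if verdict not in ("ok", "unchecked"):
            flagged[str(path)] = verdict
    return flagged


# Constructed sample headers (not real files): a genuine PNG start, a PDF
# start, a PE-style "MZ" start padded with zeros, and two non-matching cases.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00",
    "invoice.pdf": b"%PDF-1.7\n",
    "photo.png": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.txt": b"hello",
    "banner.gif": b"\x00\x00\x00\x00",
}


def scan_samples():
    """Run classify() over the constructed samples."""
    return {name: classify(name, head) for name, head in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```

A “pe_disguised” verdict on a file share is a strong signal on its own; a plain “mismatch” is weaker (truncated or corrupted files produce it too) and is better treated as a hunting lead than an alert.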

LockBit Self-spread

Its most unique feature is its ability to self-propagate, meaning it spreads independently. LockBit’s behavior is guided by pre-programmed automated methods. This distinguishes it from many earlier ransomware attacks, which depend on an attacker actively residing in the network, often for weeks, to complete reconnaissance and monitoring.

After the attacker manually compromises a single host, the malware can identify other accessible hosts, connect them to infected ones, and disseminate itself using a script. This is performed and repeated without any human interaction.

Impacts of LockBit Ransomware

Ransomware attacks seriously affect individuals, organizations, and governments whenever they occur, and LockBit is no different. The following are some of the consequences faced by organizations that have been victims of LockBit ransomware:

  • Data loss: LockBit ransomware can encrypt and lock critical data, making it inaccessible to the victim. If the victim fails to pay the ransom, they may lose access to their data permanently. For example, Whitworth University lost 715GB of data when it was attacked by LockBit in July 2022.
  • Reputational damage: Accenture was attacked by LockBit in August 2021, with the attackers demanding $50 million in ransom. LockBit stole some of Accenture’s information and posted it on LockBit’s leak site.
  • Financial losses: LockBit attackers demand payment for a decryption key to unlock the encrypted data. The ransom can be high and may be accompanied by additional expenses related to restoring systems and data.

Removal and Decryption of LockBit Ransomware

Given the problems LockBit might bring, endpoint devices throughout your enterprise require comprehensive protection. The first step is implementing an all-encompassing endpoint security solution, such as Kaspersky Integrated Endpoint Security.

If your enterprise is already affected, removing LockBit ransomware will not restore access to your files. Because the encryption can only be reversed with the corresponding key, you will still need a way to recover your system after removal. In practice, you can recover your files by reimaging affected machines from pre-infection backup images.

How to Prevent and Protect Against LockBit Ransomware

Finally, you must implement safeguards to ensure that your firm is resilient to ransomware and other malicious attacks. Here are some techniques to help you prepare.

Patch Common Vulnerabilities and Exposures (CVEs)

Most of the time, attackers use well-known, unpatched vulnerabilities to enter networks and access systems. Patch all CVEs as soon as possible by following vendor advisories and the CISA Known Exploited Vulnerabilities (KEV) catalog. Track advisories for CVEs critical to your organization to keep ahead of attackers.
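Turning the KEV advice into a routine means joining the catalog against your own asset inventory and ordering the result by urgency. The following is an added example, not code from this article, from Lepide or from CISA, that does that join offline. The records mirror the field names of the KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), but the CVE IDs, vendor names, products and host names are placeholders constructed for the example, not real vulnerabilities or systems.

```python
from datetime import date

# Constructed records in the shape of CISA KEV JSON entries. The CVE IDs are
# placeholders (CVE-0000-*), not real vulnerabilities.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
         "dateAdded": "2023-10-01", "dueDate": "2023-10-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "Mail Server",
         "dateAdded": "2023-10-20", "dueDate": "2023-11-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "Wiki",
         "dateAdded": "2023-09-05", "dueDate": "2023-09-26", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory (hypothetical hosts): which vendor/product each
# host runs and which CVEs have already been patched on it.
INVENTORY = [
    {"host": "vpn-01", "vendor": "ExampleVendor", "product": "Gateway", "patched": []},
    {"host": "mail-01", "vendor": "ExampleVendor", "product": "Mail Server", "patched": ["CVE-0000-00002"]},
    {"host": "wiki-01", "vendor": "OtherVendor", "product": "Wiki", "patched": []},
    {"host": "db-01", "vendor": "DbVendor", "product": "Database", "patched": []},
]


def _key(vendor: str, product: str):
    """Normalise vendor/product names so case or spacing differences still match."""
    return (vendor.strip().lower(), product.strip().lower())


def index_kev(kev: dict):
    """Group KEV entries by (vendor, product) for lookup."""
    by_product = {}
    for entry in kev["vulnerabilities"]:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    return by_product


def find_exposures(kev: dict, inventory: list, today):
    """Return unpatched KEV matches for the inventory, most urgent first:
    entries flagged for ransomware use, then overdue ones, then by due date.
    `today` may be a date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    by_product = index_kev(kev)
    exposures = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            if entry["cveID"] in asset["patched"]:
                continue
            due = date.fromisoformat(entry["dueDate"])
            exposures.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": due,
                "overdue": today > due,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    exposures.sort(key=lambda e: (not e["ransomware"], not e["overdue"], e["due"]))
    return exposures


if __name__ == "__main__":
    for e in find_exposures(KEV_SAMPLE, INVENTORY, "2023-11-03"):
        flags = ("RANSOMWARE " if e["ransomware"] else "") + ("OVERDUE" if e["overdue"] else "")
        print(f"{e['host']}: {e['cve']} due {e['due']} {flags}".rstrip())
```

Matching on vendor and product name alone is deliberately coarse: it will over-report hosts already running a fixed version, so a real inventory should carry version numbers and compare them against the affected range from the vendor advisory before anything is marked exposed. The ordering is the useful part: a KEV entry marked as used in ransomware campaigns on an internet-facing device goes to the top regardless of its due date.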

Use Strong Passwords

Simple passwords, those that an automated tool can guess after a few days of probing, are to blame for many account breaches. Use a strong password: pick a longer one with a variety of character types, or build a passphrase using your own rules.

Reassess and Remove Unnecessary Permissions

Tighten permissions so that potential dangers are not overlooked. Pay particular attention to access held by IT accounts with admin-level rights and by endpoint users. Enterprise databases, collaboration platforms, web meeting services, and web domains must be protected.

Have System Backups

Unexpected events are inevitable, and an offline copy is the only reliable defense against irreparable data loss. Your company should create backups regularly so they stay current with significant system updates. Keep multiple rotating backup points so you can choose a clean restore point if one backup becomes contaminated with malware.

How Lepide Helps Combat LockBit Ransomware

The Lepide Data Security Platform helps to detect and stop the spread of ransomware as it begins to infect data stored in your on-premises or cloud file systems. Lepide uses threshold alerting, combined with script execution, to detect the symptoms of an attack, such as a large number of files being renamed in a short period of time. Once the threshold is met, Lepide can execute a custom script to shut down a user, computer, or server, preventing the spread of ransomware.
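To make the threshold-alerting idea concrete, here is an added example, written for this page and not Lepide’s own code, of a sliding-window detector over constructed file-server audit lines: it counts rename operations per account within a time window, raises one alert when the count crosses the threshold, and calls a response hook at that moment. The log line format, the user names, the share paths and the placeholder “disable-account” action are all assumptions constructed for the example; in a real deployment the hook would call your directory or EDR API.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One constructed file-server audit line per event (not real audit output):
#   <ISO-8601 UTC timestamp> user=<account> op=<rename|write|read> path=<file>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+user=(?P<user>\S+)\s+op=(?P<op>\S+)\s+path=(?P<path>.+)$"
)


def parse_line(line: str):
    """Return (timestamp, user, op, path) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["op"], m["path"]


class RenameBurstDetector:
    """Alert when one account renames at least `threshold` files within a sliding
    window of `window_seconds`. `on_alert` is an optional callable that receives
    the alert dict; that is where a response script would be hooked in.
    Lines must arrive in chronological order per user."""

    def __init__(self, threshold=20, window_seconds=60, on_alert=None):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.on_alert = on_alert
        self._recent = defaultdict(deque)  # user -> timestamps of recent renames
        self._alerted = set()              # users already alerted (fire once)

    def feed(self, line: str):
        """Process one log line; return the alert dict if this line crosses the threshold."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, user, op, _path = parsed
        if op != "rename":
            return None
        q = self._recent[user]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop renames that fell out of the window
            q.popleft()
        if len(q) >= self.threshold and user not in self._alerted:
            self._alerted.add(user)
            alert = {"user": user, "count": len(q), "first": q[0], "last": ts}
            if self.on_alert is not None:
                self.on_alert(alert)
            return alert
        return None


def build_sample_log():
    """Constructed audit lines: alice renames 25 files in 25 seconds (the
    ransomware-like burst), bob renames 3 files, carol only writes."""
    t0 = datetime(2023, 11, 3, 10, 0, 0, tzinfo=timezone.utc)
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{stamp(i)} user=alice op=rename path=\\\\fs01\\finance\\report{i}.xlsx" for i in range(25)]
    lines += [f"{stamp(5 * i)} user=bob op=rename path=\\\\fs01\\hr\\draft{i}.docx" for i in range(3)]
    lines += [f"{stamp(i)} user=carol op=write path=\\\\fs01\\eng\\spec{i}.md" for i in range(5)]
    return lines


def run_detector(lines, threshold=20, window_seconds=60):
    """Feed all lines through one detector; return (alerts raised, response actions taken)."""
    actions = []
    # Placeholder response hook: a real deployment would disable the account
    # or isolate the host through the directory/EDR API here.
    detector = RenameBurstDetector(
        threshold, window_seconds,
        on_alert=lambda a: actions.append(f"disable-account:{a['user']}"))
    alerts = [a for a in (detector.feed(line) for line in lines) if a is not None]
    return alerts, actions


if __name__ == "__main__":
    alerts, actions = run_detector(build_sample_log())
    for a in alerts:
        print(f"ALERT {a['user']}: {a['count']} renames between {a['first']} and {a['last']}")
    print(actions)
```

Two design points carry over to any production version: the alert fires once per account rather than on every subsequent rename, so the response script is not invoked twenty times in a row, and the threshold has to be tuned against normal activity (a nightly archiving job may legitimately rename hundreds of files), which is why the detector keys on the account performing the renames rather than on the share as a whole.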

In addition to this, there are many ways you can use Lepide to reduce the risk of ransomware in the first place. You can use Lepide to reduce your threat surface area by identifying users with excessive permissions, open shares, inactive users, and more. Reducing your threat surface area will reduce the risk of ransomware attacks.

Conclusion

LockBit ransomware is a type of ransomware that has recently gained attention for its involvement in numerous attacks. It targets businesses and government agencies and attacks mainly via email attachments. LockBit is regarded as one of the most prolific and aggressive organizations in the ransomware industry, and their actions are raising anxiety among security professionals worldwide.

LockBit operates using a triple extortion method, sophisticated technology, and high-severity cyber-attacks. The ransomware behaves similarly to the “LockerGoga & MegaCortex” malware family and follows three phases of operation: exploitation, infiltration, and deployment. The impacts of LockBit ransomware include data loss, financial loss, damage to an organization’s reputation, and legal penalties.

Since late 2019, many organizations have continued with remote work, which has proved to be a harbinger of ransomware attacks. The LockBit group constantly updates its ransomware to overpower and bypass defense mechanisms, so it is essential that all workers take precautions.

If you’d like to see more of the Lepide Data Security Platform and how it can help to prevent and protect against LockBit ransomware, schedule a demo with one of our engineers.
