LockBit 2.0 Ransomware Explained

Summary:

As an upgrade to LockBit, LockBit 2.0 first appeared in June 2021 as a ransomware service (RaaS). In the third quarter of the calendar year 2021, the LockBit 2.0 RaaS became particularly prolific, attracting affiliates via recruitment campaigns in underground forums. The LockBit 2.0 operators claimed that their encryption software was the fastest of any active ransomware strain as of June 2021, stating that this increased its effectiveness and disruption capabilities. Threat actors have used this ransomware to attack over 50 organizations in various industries. Recently, LockBit has been associated with an increasing number of developers and threat actors. Therefore, LockBit 2.0 ransomware attacks are likely to increase in the near future. This malicious program encrypts data and demands a ransom payment to decrypt it. As a result of this ransomware, files are rendered unusable, and victims are asked to pay a fee to regain access to their data.

The “.lockbit” extension is added to affected files during the encryption process. A file such as “1.jpg” would appear as “1.jpg.lockbit”, etc. The ransom note is displayed on the desktop wallpaper, as a pop-up window (“LockBit_Ransomware.hta”), and in the text file “Restore-My-Files.txt”.

RaaS, such as LockBit 2.0, utilizes double extortion techniques as part of their attack to pressure their victims into paying a ransom. Operators of LockBit 2.0 have occasionally used a leak site as well as DDoS attacks on victims’ infrastructure. In the past, groups such as BlackCat, Avaddon, and SunCrypt have engaged in triple extortion.

How it works?

The following tools and components ensure LockBit’s smooth operation:

The delsvc.bat file ensures that crucial processes, such as MySQL and QuickBooks, are unavailable. Additionally, it disables Microsoft Exchange as well as other related services.
The AV.bat file is used to uninstall the antivirus program ESET.
The LogDelete.bat program is used to delete the Windows Event Logs.
By running Defoff.bat, Windows Defender features such as real-time monitoring will be disabled.

LockBit’s executable is encoded. The ransomware decodes the required modules and strings as needed. Ransomware can evade detection by encoding its executables. The LockBit 2.0 ransomware checks the system and user settings. It does not attack the system if the language is set to specific languages. Below is a list of languages that LockBit 2.0 does not attack.

1. Armenian

2. Azeri – Cyrillic

3. Azeri-Latin

4. Belarusian

5. Georgian

6. Kazakh

7. Kyrgyz – Cyrillic

8. Russian – Moldova

9. Russian

10. Tajik

11. Turkmen

12. Uzbek

In order to prevent the victim from being able to retrieve their data using the built-in recovery services, LockBit 2.0 ransomware deletes shadow copies through the use of the commands below.

cmd.exe /c vssadmin Delete Shadows /All /Quiet	Delete volume shadow copies
cmd.exe /c bcdedit /set {default} recoveryenabled No	Disable Windows recovery
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures	Ignore boot failures

The LockBit 2.0 ransomware deletes itself and the log files so that the victim cannot investigate the attack after it occurred.

cmd.exe /c wevtutil cl security	Delete security log
cmd.exe /c wevtutil cl system	Delete system log
cmd.exe /c wevtutil cl application	Delete application log
cmd.exe /c del /f /q “<PATH>\Lsystem-234-bit.exe”	Delete ransomware itself

Exfiltrating specific file types before encryption, LockBit affiliates primarily use the Stealbit application obtained directly from the LockBit panel. By utilizing Active Directory group policies, LockBit 2.0 provides automatic encryption of devices across Windows domains. In each affected directory within victim systems, the actor leaves a ransom note with instructions on how to obtain the decryption software.

Indicator of Compromise:

IP Addresses

139.60.160.200
93.190.139.223
45.227.255.190
193.162.143.218
168.100.11.72
93.190.143.101
88.80.147.102
193.38.235.234
174.138.62.35
185.215.113.39
185.182.193.120

Hashes

MD5	SHA-1	SHA-256
af9ff037caca1f316e7d05db86dbd882	844e9b219aaecb26de4994a259f822500fb75ae1	f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae
b7f1120bcff47ab77e74e387805feabe	a185904a46b0cb87d38057fc591a31e6063cdd95	4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a
4d25a9242eac26b2240336fb94d62b1e	c7b2d4a22f788b1b942f993fff33f233dca960ce	f32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202
84866fca8a5ceb187bca8e257e4f875a	038bc02c0997770a1e764d0203303ef8fcad11fb	acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c
f91095ae0e0632b0f630e0c4eb12ba10	6c4040f2a76e61c649e1ff4ac564a5951c15d1fa	717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474
b0916724ff4118bf213e31cd198c0afd	12ac32d012e818c78d6db790f6e11838ca75db88	4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd
6fc418ce9b5306b4fd97f815cc9830e5	95838a8beb04cfe6f1ded5ecbd00bf6cf97cd564	0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049
66b9ccb41b135f302b3143a5d53f4842	3d532697163e7c33c7c906e8efbb08282d3efd75	d089d57b8b2b32ee9816338e96680127babc5d08a03150740a8459c29ab3ba78

Impact

Malware, including ransomware, is commonly distributed through dubious channels, e.g., peer-to-peer networks (Torrent, Gnutella, eMule, etc.), unofficial and free file-hosting sites (freeware), and other third parties. Malware-proliferating content includes illegal activation tools (“cracks”) and fake updates. “cracking” tools can cause infections instead of activating licensed products. By exploiting vulnerabilities in outdated programs and installing malicious software in place of the promised updates, fraudulent updaters infect systems.

A large-scale operation during which thousands send deceptive or scam emails can also spread malware (ransomware). It is common for these letters to be referred to as “official,” “urgent,” “priority,” etc. Emails may contain infectious files attached to and linked within them. Malicious files can be in various formats, including archives (RAR, ZIP), executables (.exe, .run), PDFs, Microsoft Office documents, JavaScript, etc. Infection chains are initiated when files are executed, run, or otherwise opened.

Threat Summary:
Name	LockBit 2.0 virus
Threat Type	Ransomware, Crypto Virus, Files locker
Encrypted Files Extension	.lockbit
Ransom Demanding Message	Text presented in LockBit_Ransomware.hta, Restore-My-Files.txt, and desktop wallpaper
Cyber Criminal Contact	Websites on Tor network
Detection Names	Avast (Win32:LockBit-A [Ransom]), Combo Cleaner (Gen:Variant.Ransom.LockBit2.9), ESET-NOD32 (A Variant Of Win32/Filecoder.LockBit.E), Kaspersky (HEUR:Trojan-Ransom.Win32.LockBit.gen), Microsoft (Ransom:Win32/LockBit.STA), Full List Of Detections (VirusTotal)
Symptoms	Files on your computer cannot be opened, previously functional files now have a different extension (for example, my.docx.locked). Your desktop displays a ransom demand message. To unlock your files, cyber criminals demand payment of a ransom (usually in bitcoins).
Distribution methods	Malicious email attachments (macros), torrent websites, and advertisements.
Damage	The files are encrypted and cannot be opened without paying a ransom. Other malware infections that steal passwords can also be installed with ransomware infection.
Malware Removal (Windows)	You should scan your computer with legitimate antivirus software to eliminate any possible malware infections. Our security researchers recommend Computer cleaners and antivirus programs.

Mitigation

Users and administrators should take the following preventive measures to protect their computer networks against ransomware infections/attacks:

All backup data should be encrypted, immutable (i.e., cannot be modified or deleted) and cover the entire organization’s data infrastructure.
Always be cautious when opening attachments in unsolicited e-mails, even if they come from people in your contact list. Do not click on any URL contained in an unsolicited e-mail, regardless of whether it appears benign. If the URL is genuine, please close out the e-mail and go directly to the organization’s website via your web browser.
Backup and restore data regularly, and maintain offline backups. It is essential to follow this procedure to ensure that the organization will not be severely disrupted and that its data will not be irretrievable.
Conduct vulnerability assessments and penetration testing (VAPT) and information security audits of critical networks and systems, particularly database servers, from CERT-IN accredited auditors. Regularly conduct audits.
Employ least-privileged accounts and disable remote desktop connections. Set an account lockout policy limiting the number of users accessing Remote Desktop. Configure and log RDP properly.
Encrypt both data at rest and data in transit.
Ensure that administrative shares are not accessed in an unnecessary manner.
Ensure that all systems are equipped with up-to-date antivirus software.
Ensure that the information stored in the databases is accurate and up-to-date regularly.
Establish a strict policy for using external devices (USB drives)
File types such as exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf are blocked.
Implement domain-based message authentication, reporting, and conformance (DMARC), Domain Keys Identified Mail (DKIM), and Sender Policy Framework (SPF) for your domain, which is an email validation system designed to detect email spoofing by which most ransomware samples successfully reach corporate email accounts.
In Microsoft Office applications such as Word, Excel, etc., disable ActiveX content.
In the event that PowerShell / Windows script hosting is not required, consider disabling it.
Install Enhanced Mitigation Experience Toolkit or similar anti-exploitation software at the host level.
Limit the ability of users to install and run unwanted software applications (permissions).
Multi-factor authentication should be implemented for all services to the extent possible, particularly webmail, virtual private networks, and accounts that have access to critical systems.
Only a limited number of administrative machines can connect to administrative shares via server message block (SMB) by using a host-based firewall.
Protect critical files in the Windows Operating System by enabling protected files.
Robust, unique passwords should be implemented for all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts).
Segmenting and segregating networks into security zones is important in protecting sensitive information and critical services.
Establish a separation between the administrative network and the business processes by using physical controls and virtual local area networks.
Strictly implementing Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths. These are the locations where ransomware samples are generally dropped and executed.
Strong authentication protocols, such as Network Level Authentication (NLA) in Windows, should be used.
The integrity of the codes/scripts being used in the database, authentication, and sensitive systems should be ensured.
The ransom must not be paid by individuals or organizations, as this does not guarantee the release of the files. Law enforcement agencies and CERT-In should be notified of such instances of fraud.
Updating the operating system third-party applications (MS Office, browsers, and browser plugins).
Use firewalls to restrict access and allow only selected remote endpoints. VPNs may also be used with dedicated pools for RDP access.
Use safe browsing practices when browsing the Internet. Make sure that the web browsers are sufficiently secure with appropriate content controls.
Workstations should be configured with personal firewalls.
RDP Gateways can be used to improve the management of RDP sessions
Remote Desktop’s listening port should be changed.
IPSec or SSH tunnels can be used to connect to Remote Desktop for highly critical systems.

How to Defend Your Network from Ransomware Attacks?

Cyber security threats, ransomware attacks, and Zero-day vulnerabilities are increasing tremendously. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.

Start a Free Demo

Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).