How to Detect LockBit 3.0 (a.k.a. LockBit Black) Ransomware Attack?
What is LockBit 3.0 Ransomware?
The LockBit 3.0 ransomware (also known as LockBit Black) belongs to the LockBit ransomware family. A wave of ransomware attacks took place in September 2019 that resulted in the initial discovery of this group of ransomware programs. At first, LockBit was called the “.abcd virus”, but at that time, LockBit’s creators and users had no idea that their ransomware would evolve overtime. LockBit’s operators have targeted several countries since it was first used, including the UK, US, Ukraine, and France. The operators of these malicious programs offer Ransomware-as-a-Service (RaaS) programs, in which users pay to gain access to specific kinds of ransomware. In most cases, this involves a subscription. The LockBit ransomware has the ability to transmit statistics so users can see whether their use of it was successful or not.
How LockBit 3.0 is Different from LockBit 2.0?
Security researchers detected a new variant of LockBit ransomware in March 2022, less than a year after LockBit 2.0 first appeared. However, in late June 2022, the ransomware group officially unveiled LockBit 3.0, aka “LockBit Black,” in conjunction with launching its updated leak and bug bounty sites.
Figure 1: LockBit 3.0 New leak Website
Figure 2: LockBit 3.0 Bug Bounty Program Webpage
How LockBit 3.0 Operates?
LockBit 3.0 typically encrypts all the files on a victim’s device and modifies the victims’ desktop wallpaper to as shown in the Figure 3. In addition, the ransomware also leaves a ransom note on the Desktop of the infected machine. This ransom note consists of the warning message to pay the ransom amount along with the Tor browser links to pay the ransom as illustrated in Figure 4.
Figure 3: LockBit 3.0 encrypting files and modifying the Desktop background on the victim machine
Figure 4: LockBit 3.0 Ransomnote
How to Detect and Investigate LockBit 3.0 Ransomware Attack in Your Network?
ThreatResponder with it advance threat detection capabilities was able to detect the execution of LockBit 3.0 using its machine-learning driven detection engine. The process graph shown below illustrates how the chain of processes triggered by the LockBit 3.0 ransomware. The red coloured process in the below figure indicate the detected malicious processes. This feature is extremely helpful for security researchers to draw holistic analysis of the incident.
Figure 5: LockBit 3.0 Execution Process Tree
ThreatResponder’s Timeline feature has revealed various unknown facts regarding the LockBit 3.0 ransomware during our investigation
We have identified that LockBit 3.0 software gains the initial access through 3rd party frameworks like Cobalt Strike, SecGolish, or through the phishing emails [T1566]. In addition, the payload is a standard PE file with strong similarities to prior generations of LockBit as well as BlackMatter ransomware families. In addition, LockBit also exploit CVE-2018-13379 [T1133] to obtain initial access. LockBit 3.0 also attempts to acquire valid VPN accounts [T1078] from malicious brokers and other threat actor gangs and then attempts to gain credential-based access to Remote Desktop Protocol (RDP) and Virtual Private Network (VPN)[T1133].
After gaining the initial access on a victim machine, the ransomware leverages the command line utility [T1059] to further unpack and execute the malicious script on the victim machine.
Figure 6: Commandline execution
Defense Evasion and Persistence:
LockBit 3.0 writes a copy of itself to the %programdata% directory and %temp% directory, and subsequently launches from this process. It also creates new registry keys in the MACHINE\SOFTWARE registry hive to maintain persistence. In addition, it also deletes various files in order to stay stealthy and avoid from traditional detection tools.
Figure 7: Persistence attempt by LockBit 3.0
All the files that are present on the Desktop and all other folders are modified and encrypted with a randomized extensions and the Desktop background is modified to show the infection notification.
Latest Announcement by LockBit Black Ransomware Operators
According to DarkFeed threat Intelligence feed, “On July 6, 2022, the first bounty payment of 50 thousand dollars was made for the bug report in the encryption software, which was fixed on the same day. The bug was that it was possible to decrypt any vmdk or vhdx file for free, since the beginning of these files begins with zeros. In order to minimize the damage and the impact of payments for the decryptor from the current attacked companies, it was decided to postpone the public announcement of the award until the current day.”
Try ThreatResponder for Real-Time Cyber Threat Detection
Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its cloud-based machine learning threat detection engine and its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.
Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.