LockBit 2.0 Ransomware Explained
Summary:
As an upgrade to LockBit, LockBit 2.0 first appeared in June 2021 as a ransomware-as-a-service (RaaS) offering. In the third quarter of calendar year 2021, the LockBit 2.0 RaaS became particularly prolific, attracting affiliates via recruitment campaigns in underground forums. The LockBit 2.0 operators claimed that, as of June 2021, their encryption software was the fastest of any active ransomware strain, and that this speed increased its effectiveness and disruption capabilities. Threat actors have used this ransomware to attack over 50 organizations across various industries. Recently, LockBit has been associated with an increasing number of developers and threat actors, so LockBit 2.0 ransomware attacks are likely to increase in the near future. The malware encrypts data and demands a ransom payment for its decryption: affected files are rendered unusable, and victims are asked to pay a fee to regain access to their data.
The “.lockbit” extension is added to affected files during the encryption process. A file such as “1.jpg” would appear as “1.jpg.lockbit”, etc. The ransom note is displayed on the desktop wallpaper, as a pop-up window (“LockBit_Ransomware.hta”), and in the text file “Restore-My-Files.txt”.
RaaS operations such as LockBit 2.0 use double extortion as part of their attacks to pressure victims into paying a ransom. LockBit 2.0 operators have occasionally used a leak site as well as DDoS attacks against victims’ infrastructure. In the past, groups such as BlackCat, Avaddon, and SunCrypt have engaged in triple extortion.
How does it work?
The following tools and components ensure LockBit’s smooth operation:
- The delsvc.bat file makes crucial processes, such as MySQL and QuickBooks, unavailable. Additionally, it disables Microsoft Exchange and other related services.
- The AV.bat file is used to uninstall the antivirus program ESET.
- The LogDelete.bat program is used to delete the Windows Event Logs.
- Running Defoff.bat disables Windows Defender features such as real-time monitoring.
LockBit’s executable is encoded, and the ransomware decodes the required modules and strings only as they are needed; encoding the executable in this way helps the ransomware evade detection. LockBit 2.0 also checks the system and user language settings and does not attack the system if the language is set to one of the languages listed below.
1. Armenian
2. Azeri – Cyrillic
3. Azeri – Latin
4. Belarusian
5. Georgian
6. Kazakh
7. Kyrgyz – Cyrillic
8. Russian – Moldova
9. Russian
10. Tajik
11. Turkmen
12. Uzbek
To prevent the victim from retrieving their data using the built-in recovery services, LockBit 2.0 deletes shadow copies and disables recovery using the commands below.
| Command | Purpose |
| --- | --- |
| cmd.exe /c vssadmin Delete Shadows | Delete volume shadow copies |
| cmd.exe /c bcdedit /set {default} recoveryenabled | Disable Windows recovery |
| cmd.exe /c bcdedit /set {default} | Ignore boot failures |
LockBit 2.0 then deletes itself and clears the log files so that the victim cannot investigate the attack after it has occurred.
| Command | Purpose |
| --- | --- |
| cmd.exe /c wevtutil cl security | Delete security log |
| cmd.exe /c wevtutil cl system | Delete system log |
| cmd.exe /c wevtutil cl application | Delete application log |
| cmd.exe /c del /f /q | Delete ransomware itself |
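The two command tables above are the most reliable host-level signal of the impact stage: shadow copy deletion, boot-recovery tampering, event log clearing and self-deletion rarely appear together on one workstation for a legitimate reason. The following Python detector is an added example and not code from the original article or from NetSecurity; it scans process-creation records of the shape a Windows 4688 or Sysmon event 1 collector would hand over (host, user, parent, command line). The records, hostnames and usernames are constructed for the example, and the escalation rule (two or more distinct techniques on one host is high severity) is an assumed threshold, not one the article states.

```python
"""Detect LockBit 2.0-style recovery inhibition and log clearing in process logs.

Added example: regex rules over command lines, grouped per host so that a single
administrative 'wevtutil cl' is only a medium-severity review item while a chain
of shadow deletion + bcdedit + log clearing on one host is escalated.
"""
import re
from collections import defaultdict

# Detection rules: (name, regex over the command line). Ordered; first match wins.
# Case-insensitive because cmd.exe is; patterns tolerate extra flags and quoting.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("recovery_disabled",    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b", re.I)),
    ("boot_config_tampering", re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\s+\{default\}", re.I)),
    ("event_log_cleared",    re.compile(r"\bwevtutil(?:\.exe)?\b.*\bcl\s+(?:security|system|application)\b", re.I)),
    ("self_deletion",        re.compile(r"\bdel\b.*/f\b.*/q\b", re.I)),
]

# Constructed process-creation records: (host, user, parent image, command line).
SAMPLE_LOG = [
    ("WS-17", r"CORP\jdoe", "explorer.exe", r'"C:\Windows\System32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet'),
    ("WS-17", r"CORP\jdoe", "explorer.exe", r"cmd.exe /c bcdedit /set {default} recoveryenabled No"),
    ("WS-17", r"CORP\jdoe", "explorer.exe", r"cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS-17", r"CORP\jdoe", "explorer.exe", r"cmd.exe /c wevtutil cl security"),
    ("WS-17", r"CORP\jdoe", "explorer.exe", r"cmd.exe /c wevtutil cl system"),
    ("WS-17", r"CORP\jdoe", "explorer.exe", r'cmd.exe /c del /f /q "C:\Users\jdoe\AppData\Local\Temp\lb.exe"'),
    # A backup administrator clearing one log: suspicious, but a single technique.
    ("SRV-BKP", r"CORP\backupadm", "powershell.exe", r"wevtutil.exe cl application"),
    # Benign activity that must not fire: listing shadows is not deleting them.
    ("WS-03", r"CORP\asmith", "explorer.exe", r"cmd.exe /c vssadmin list shadows"),
    ("WS-03", r"CORP\asmith", "explorer.exe", r"cmd.exe /c dir C:\Users\asmith\Documents"),
]


def classify(cmdline):
    """Return the name of the first matching rule, or None if the line is clean."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def scan(records):
    """Turn raw records into a flat list of alerts (one per matching command line)."""
    alerts = []
    for host, user, parent, cmdline in records:
        rule = classify(cmdline)
        if rule is not None:
            alerts.append({"host": host, "user": user, "parent": parent,
                           "rule": rule, "cmdline": cmdline})
    return alerts


def summarize(alerts):
    """Group alerts per host; several distinct techniques on one host is the strong signal."""
    per_host = defaultdict(set)
    for alert in alerts:
        per_host[alert["host"]].add(alert["rule"])
    return {
        host: {"techniques": sorted(rules),
               "severity": "high" if len(rules) >= 2 else "medium"}
        for host, rules in per_host.items()
    }


if __name__ == "__main__":
    for host, info in summarize(scan(SAMPLE_LOG)).items():
        print(f"{host}: {info['severity']} - {', '.join(info['techniques'])}")
```

The per-host grouping matters more than any single regex: the individual commands are also used by administrators, so a rule that pages on every `wevtutil cl` will be tuned out, while a host that deletes shadows, edits the boot configuration and clears logs within one session should be isolated immediately.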
To exfiltrate specific file types before encryption, LockBit affiliates primarily use the StealBit application, obtained directly from the LockBit panel. By utilizing Active Directory group policies, LockBit 2.0 automatically encrypts devices across Windows domains. In each affected directory on victim systems, the actor leaves a ransom note with instructions on how to obtain the decryption software.
Indicators of Compromise:
IP Addresses
139.60.160.200
93.190.139.223
45.227.255.190
193.162.143.218
168.100.11.72
93.190.143.101
88.80.147.102
193.38.235.234
174.138.62.35
185.215.113.39
185.182.193.120
Hashes
| MD5 | SHA-1 | SHA-256 |
| --- | --- | --- |
| af9ff037caca1f316e7d05db86dbd882 | 844e9b219aaecb26de4994a259f822500fb75ae1 | f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae |
| b7f1120bcff47ab77e74e387805feabe | a185904a46b0cb87d38057fc591a31e6063cdd95 | 4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a |
| 4d25a9242eac26b2240336fb94d62b1e | c7b2d4a22f788b1b942f993fff33f233dca960ce | f32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202 |
| 84866fca8a5ceb187bca8e257e4f875a | 038bc02c0997770a1e764d0203303ef8fcad11fb | acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c |
| f91095ae0e0632b0f630e0c4eb12ba10 | 6c4040f2a76e61c649e1ff4ac564a5951c15d1fa | 717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474 |
| b0916724ff4118bf213e31cd198c0afd | 12ac32d012e818c78d6db790f6e11838ca75db88 | 4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd |
| 6fc418ce9b5306b4fd97f815cc9830e5 | 95838a8beb04cfe6f1ded5ecbd00bf6cf97cd564 | 0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049 |
| 66b9ccb41b135f302b3143a5d53f4842 | 3d532697163e7c33c7c906e8efbb08282d3efd75 | d089d57b8b2b32ee9816338e96680127babc5d08a03150740a8459c29ab3ba78 |
Impact
Malware, including ransomware, is commonly distributed through dubious channels, e.g., peer-to-peer networks (Torrent, Gnutella, eMule, etc.), unofficial and free file-hosting sites (freeware), and other third-party sources. Malware-carrying content includes illegal activation tools (“cracks”) and fake updates: “cracking” tools can cause infections instead of activating licensed products, and fraudulent updaters infect systems by exploiting vulnerabilities in outdated programs or by installing malicious software in place of the promised updates.
Large-scale spam campaigns, during which thousands of deceptive or scam emails are sent, can also spread malware such as ransomware. These messages are commonly presented as “official,” “urgent,” “priority,” etc. Emails may carry infectious files as attachments or as download links. Malicious files come in various formats, including archives (RAR, ZIP), executables (.exe, .run), PDFs, Microsoft Office documents, JavaScript files, etc. The infection chain is initiated when such a file is executed, run, or otherwise opened.
Threat Summary:
| Field | Value |
| --- | --- |
| Name | LockBit 2.0 virus |
| Threat | Ransomware, |
| Encrypted | .lockbit |
| Ransom | Text presented in |
| Cyber | Websites on Tor |
| Detection | Avast |
| Symptoms | Files on your |
| Distribution | Malicious email |
| Damage | The files are |
| Malware | You should scan |
Mitigation
Users and administrators should take the following preventive measures to protect their computer networks against ransomware infections/attacks:
- All backup data should be encrypted, immutable (i.e., cannot be modified or deleted) and cover the entire organization’s data infrastructure.
- Always be cautious when opening attachments in unsolicited e-mails, even if they come from people in your contact list. Do not click on any URL contained in an unsolicited e-mail, regardless of whether it appears benign. If the URL is genuine, please close out the e-mail and go directly to the organization’s website via your web browser.
- Backup and restore data regularly, and maintain offline backups. It is essential to follow this procedure to ensure that the organization will not be severely disrupted and that its data will not be irretrievable.
- Conduct vulnerability assessment and penetration testing (VAPT) and information security audits of critical networks and systems, particularly database servers, through CERT-In accredited auditors, and repeat these audits regularly.
- Employ least-privileged accounts and disable remote desktop connections. Set an account lockout policy limiting the number of users accessing Remote Desktop. Configure and log RDP properly.
- Encrypt both data at rest and data in transit.
- Ensure that administrative shares are not accessed unnecessarily.
- Ensure that all systems are equipped with up-to-date antivirus software.
- Regularly verify that the information stored in databases is accurate and up to date.
- Establish a strict policy for the use of external devices (USB drives).
- Block file types such as exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
- Implement Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) for your domain. These email validation mechanisms are designed to detect email spoofing, the means by which most ransomware samples reach corporate email accounts.
- In Microsoft Office applications such as Word, Excel, etc., disable ActiveX content.
- In the event that PowerShell / Windows script hosting is not required, consider disabling it.
- Install Enhanced Mitigation Experience Toolkit or similar anti-exploitation software at the host level.
- Limit the ability of users to install and run unwanted software applications (permissions).
- Multi-factor authentication should be implemented for all services to the extent possible, particularly webmail, virtual private networks, and accounts that have access to critical systems.
- Use a host-based firewall so that only a limited number of administrative machines can connect to administrative shares via Server Message Block (SMB).
- Protect critical files in the Windows Operating System by enabling protected files.
- Robust, unique passwords should be implemented for all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts).
- Segmenting and segregating networks into security zones is important in protecting sensitive information and critical services.
- Establish a separation between the administrative network and the business processes by using physical controls and virtual local area networks.
- Strictly implement Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths, the locations where ransomware samples are generally dropped and executed.
- Strong authentication protocols, such as Network Level Authentication (NLA) in Windows, should be used.
- Ensure the integrity of the code/scripts used in database, authentication, and sensitive systems.
- Individuals and organizations must not pay the ransom, as this does not guarantee the release of the files. Such incidents should be reported to law enforcement agencies and CERT-In.
- Keep the operating system and third-party applications (MS Office, browsers, and browser plugins) updated.
- Use firewalls to restrict access and allow only selected remote endpoints. VPNs may also be used with dedicated pools for RDP access.
- Use safe browsing practices when browsing the Internet. Make sure that the web browsers are sufficiently secure with appropriate content controls.
- Workstations should be configured with personal firewalls.
- RDP Gateways can be used to improve the management of RDP sessions.
- Remote Desktop’s listening port should be changed.
- IPSec or SSH tunnels can be used to connect to Remote Desktop for highly critical systems.
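The file-type block list in the mitigation list above is only effective if the check handles the cases attackers rely on: double extensions such as `Invoice.pdf.exe`, mixed case, trailing dots or spaces that Windows silently drops, and executables or scripts packed inside the ZIP archives mentioned in the distribution section. The following Python attachment check is an added example, not code from the original article or from NetSecurity; it applies the article's extension list to a file name and to the member names of a ZIP attachment. The file names and archive contents are constructed for the example, and it inspects ZIP archives only (RAR would need a third-party parser).

```python
"""Mail-attachment block-list check for the ransomware file types listed above.

Added example: normalizes the file name the way Windows would interpret it, then
applies the block list to the name itself and to every member of a ZIP archive.
"""
import io
import zipfile

# Extension block list taken from the mitigation list in the article.
BLOCKED_EXTENSIONS = {
    "exe", "pif", "tmp", "url", "vb", "vbe", "scr", "reg", "cer", "pst",
    "cmd", "com", "bat", "dll", "dat", "hlp", "hta", "js", "wsf",
}


def normalize_name(filename):
    """Keep only the base name, drop trailing dots/spaces (Windows does), lowercase."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ").lower()


def blocked_extension(filename):
    """Return the blocked extension of the name's *final* suffix, or None."""
    name = normalize_name(filename)
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def check_attachment(filename, data):
    """Return ('block' | 'allow', reason) for one attachment (name plus raw bytes)."""
    ext = blocked_extension(filename)
    if ext is not None:
        return "block", f"blocked extension .{ext} in {filename!r}"
    if normalize_name(filename).endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    inner = blocked_extension(member)
                    if inner is not None:
                        return "block", f"archive member {member!r} has blocked extension .{inner}"
        except zipfile.BadZipFile:
            # A .zip that does not parse is not something users need delivered.
            return "block", "attachment claims to be a ZIP but cannot be parsed"
    return "allow", "no blocked file type found"


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments exercising the edge cases.
    samples = [
        ("Invoice.PDF.EXE", b""),
        ("report.exe.", b""),
        ("LockBit_Ransomware.hta", b""),
        ("photo.jpg", b""),
        ("docs.zip", make_zip({"readme.txt": b"hello", "update.js": b"// script"})),
        ("clean.zip", make_zip({"notes.txt": b"hello"})),
        ("broken.zip", b"not really a zip"),
    ]
    for name, data in samples:
        verdict, reason = check_attachment(name, data)
        print(f"{verdict:5} {name:25} {reason}")
```

Only the final suffix decides the verdict, which is deliberate: `report.exe.txt` is a text file to Windows and blocking it produces false positives, whereas `Invoice.pdf.exe` is an executable regardless of the decoy in the middle of the name. Nested archives are not unpacked here; a gateway that needs that should bound the recursion depth and total decompressed size before adding it.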
How to Defend Your Network from Ransomware Attacks?
Cyber security threats, ransomware attacks, and Zero-day vulnerabilities are increasing tremendously. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.
Want to try ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss army knife for forensic investigators, in action? Request a free demo of NetSecurity’s ThreatResponder platform.
Disclaimer
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).