Decrypting LockBit: Motives, Tactics, and Strategies to Shield Your Organization from Cyber Threats
I recently came across LockBit, a well-known ransomware group (often described as an APT group) whose primary goals are to disrupt the organization, demand money, and publish exfiltrated sensitive data on publicly accessible platforms. This blog highlights important security measures against such ransomware threats.
Imagine seeing your organization's systems locked, with a LockBit ransom demand on the screen. Here, we explore the group's motives, how it operates, and how to counter it.
LockBit operates under a Ransomware-as-a-Service (RaaS) model, through which cyber criminals deploy it with ease, combining data exfiltration, self-spreading, and strong encryption to affect organizations.
LockBit's Motives
1. Operational Disruption - LockBit's first motive is to interrupt business operations and cause financial damage.
2. Extortion - The main motive is to demand money, most of the time as a ransom paid in cryptocurrency.
LockBit initially targeted the USA, China, India, Indonesia and Ukraine. Over time, it extended to France, Germany and the UK.
As previously stated, LockBit uses a RaaS model in which hackers pay the developers to use the ransomware; the developers take a 20–30% commission in exchange.
Methodology used by LockBit:
Exploit Phase: Gain access through phishing, vulnerabilities, and compromised credentials.
Infiltrate Phase: Move laterally across the internal network to identify valuable data.
Deploy Phase: Encrypt files, exfiltrate data, and leave ransom notes.
Ransomware Extensions:
• .abcd
• .lockbit
• .lockbitversion2
Initial Detection
• Unusual Activity: Watch for suspicious outbound traffic and unusual spikes in file-encryption activity.
• Indicators of Compromise (IOCs): Keep an eye out for unauthorized registry changes, suspicious PowerShell scripts, ransom notes, and files renamed with extensions such as .lockbit or .abcd.
1. Data Collection: Gather logs from endpoints, firewalls, and SIEM tools.
2. Log Analysis: Correlate events to identify the attack pattern (e.g., phishing email, exploited vulnerability).
3. Hypothesis Refinement: Evaluate the scope of the compromise and investigate possible data exfiltration.
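As an added example (not code from the post), here is a small Go program that turns the IOC and spike hints above into a concrete check over a constructed, EDR-style file-event feed: it matches the three extensions listed in the post and raises an alert only when one host produces at least five such renames inside a sliding one-minute window. The log format, host names, paths and thresholds are my assumptions, not any real product's output; in practice the same logic runs over whatever rename events the endpoint agent or SIEM already collects.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Extensions named in the post, matched case-insensitively against the renamed file.
var ransomExtensions = []string{".abcd", ".lockbit", ".lockbitversion2"}

// FileEvent is one endpoint file-system event; New is only set for RENAME.
type FileEvent struct {
	When                time.Time
	Host, Op, Path, New string
}

// Alert names a host whose renames to ransomware extensions crossed the rate threshold.
type Alert struct {
	Host  string
	Count int // suspicious renames from the burst's first event to the end of the log
}

// sampleLog: constructed EDR-style feed in a hypothetical key=value format, not output of any real product.
const sampleLog = `
2024-05-01T10:00:01Z host=WS-01 op=RENAME path=C:\Users\jdoe\q1.xlsx new=C:\Users\jdoe\q1.xlsx.lockbit
2024-05-01T10:00:02Z host=WS-01 op=RENAME path=C:\Users\jdoe\q2.xlsx new=C:\Users\jdoe\q2.xlsx.lockbit
2024-05-01T10:00:02Z host=WS-01 op=RENAME path=C:\Users\jdoe\plan.docx new=C:\Users\jdoe\plan.docx.lockbit
2024-05-01T10:00:03Z host=WS-01 op=RENAME path=C:\Shares\HR\payroll.csv new=C:\Shares\HR\payroll.csv.LockBit
2024-05-01T10:00:05Z host=WS-01 op=RENAME path=C:\Shares\HR\legacy.db new=C:\Shares\HR\legacy.db.abcd
2024-05-01T10:05:00Z host=WS-02 op=RENAME path=C:\Users\asmith\draft.docx new=C:\Users\asmith\final.docx
2024-05-01T10:06:00Z host=WS-02 op=RENAME path=C:\Users\asmith\old.bak new=C:\Users\asmith\old.bak.abcd
`

// parseLog parses the constructed format, skipping blank or malformed lines.
func parseLog(text string) []FileEvent {
	var events []FileEvent
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			continue
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if k, v, ok := strings.Cut(f, "="); ok {
				kv[k] = v
			}
		}
		events = append(events, FileEvent{When: when, Host: kv["host"], Op: kv["op"], Path: kv["path"], New: kv["new"]})
	}
	return events
}

// ransomExtension returns the matching extension, or "" when the name is not suspicious.
func ransomExtension(name string) string {
	for _, ext := range ransomExtensions {
		if strings.HasSuffix(strings.ToLower(name), ext) {
			return ext
		}
	}
	return ""
}

// detectBursts keeps RENAMEs whose target carries a ransomware extension and raises one alert per
// host once threshold of them fall inside a sliding window: an occasional user rename never trips it.
func detectBursts(events []FileEvent, window time.Duration, threshold int) []Alert {
	byHost := map[string][]FileEvent{}
	for _, ev := range events {
		if ev.Op == "RENAME" && ransomExtension(ev.New) != "" {
			byHost[ev.Host] = append(byHost[ev.Host], ev)
		}
	}
	var alerts []Alert
	for host, evs := range byHost {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		for start, end := 0, 0; end < len(evs); end++ {
			for evs[end].When.Sub(evs[start].When) > window {
				start++ // slide the window past renames that are now too old
			}
			if end-start+1 >= threshold {
				alerts = append(alerts, Alert{Host: host, Count: len(evs) - start})
				break
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Host < alerts[j].Host })
	return alerts
}

func main() {
	for _, a := range detectBursts(parseLog(sampleLog), time.Minute, 5) {
		fmt.Printf("ALERT host=%s suspicious_renames=%d\n", a.Host, a.Count)
	}
}
```

On the sample feed only WS-01 fires: five renames to listed extensions in four seconds, while WS-02's single .abcd rename stays below the threshold and its .docx rename is ignored entirely. Two caveats for real deployments: the extension list is the brittle half of the check, since strains change extensions between versions, so the rename-rate half is what carries the detection; and the threshold and window need tuning against the environment's normal bulk-rename activity (backup agents, document-management migrations) to keep false positives low.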
Now we will dive into the tools and techniques used by LockBit:
• It first employs a self-spreading mechanism. The LockBit ransomware group uses several malware families, including LockerGoga and MegaCortex.
• AES + RSA Encryption: LockBit 4.0 employs a combination of AES and RSA for fast, robust data encryption.
• AES (Advanced Encryption Standard): A fast encryption algorithm that encrypts files using a unique secret key.
• RSA (Rivest-Shamir-Adleman): A slower but highly secure encryption method, used to encrypt the AES key.
• Encryption Process:
  • AES encrypts the victim's files with a randomly generated key.
  • The AES key is then encrypted with RSA.
  • Only the attackers possess the RSA private key, which allows them to decrypt the AES key and restore access to the files.
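To make the three-step process above concrete, here is an added Go example (not code from the post, and not derived from any LockBit sample) of the generic envelope, or hybrid, encryption construction it describes: a fresh AES-256-GCM key per file, wrapped with RSA-OAEP under a public key. It is the same construction TLS, PGP and cloud key-management services use. The function names (sealEnvelope, openEnvelope, roundTrip) and the sample data are mine. The point for defenders is the asymmetry it demonstrates: the encrypting side needs only the public key, and a second, unrelated key pair cannot open the envelope, so data encrypted this way is recoverable from offline backups, not from anything left on the host.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what a hybrid scheme stores per file: the RSA-wrapped AES key plus the GCM nonce
// and ciphertext. Nothing in it recovers the plaintext without the matching RSA private key.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key, encrypted with RSA-OAEP
	Nonce      []byte // 12-byte AES-GCM nonce
	Ciphertext []byte // data encrypted with AES-256-GCM
}

// sealEnvelope encrypts data under a fresh random AES-256 key and wraps that key with the
// recipient's RSA public key. Only the public key is needed on the encrypting side.
func sealEnvelope(pub *rsa.PublicKey, data []byte) (Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}, nil
}

// openEnvelope reverses sealEnvelope. Unwrapping the AES key needs the RSA private key; with
// any other key OAEP decryption fails and the ciphertext stays unreadable.
func openEnvelope(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap AES key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("AES-GCM authentication failed: %w", err)
	}
	return plain, nil
}

// newGCM builds an AES-GCM instance for a raw key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// roundTrip seals data for one key pair and reports whether that pair's holder recovers it
// (holderOK) and whether an unrelated key pair can (otherOK, which should be false).
func roundTrip(data []byte) (bool, bool, error) {
	holder, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	env, err := sealEnvelope(&holder.PublicKey, data)
	if err != nil {
		return false, false, err
	}
	got, err := openEnvelope(holder, env)
	holderOK := err == nil && bytes.Equal(got, data)
	_, err = openEnvelope(other, env)
	return holderOK, err == nil, nil
}

func main() {
	holderOK, otherOK, err := roundTrip([]byte("constructed sample: Q1 payroll export"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("private-key holder recovers data: %v; unrelated key pair recovers data: %v\n", holderOK, otherOK)
}
```

Two design details are worth noting. The per-file key never leaves memory in the clear: it exists only long enough to encrypt, then survives solely inside WrappedKey, which is why there is nothing in the stored envelope for forensics to recover. And because GCM authenticates the ciphertext, a corrupted or tampered file fails in openEnvelope rather than silently decrypting to garbage, which matters when validating restored backups.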
.NET Framework
• A software framework developed by Microsoft, supporting multiple programming languages such as C#, VB.NET, and F#.
• Used to create web applications, desktop applications, and various services.
• LockBit 4.0 leverages .NET for enhanced flexibility and portability of its malware.
CoreRT (Optimization for .NET)
• A compiler that optimizes .NET applications by removing unnecessary components.
• Converts .NET code into a smaller, faster executable.
MPRESS (Packing & Obfuscation Tool)
• A packer that compresses and obfuscates executable files, making them harder to analyse.
• Reduces file size and complicates analysis by security tools.
• LockBit 4.0 uses MPRESS to avoid antivirus detection.
LockBit has progressed to version 4.0, which still encrypts files and continues to present a significant worldwide risk to businesses. By understanding its tactics and implementing best practices, you can gradually reduce your vulnerability.
• What Worked: Immediate containment and collaboration with law enforcement to mitigate the attack.
• What Could Be Improved: Implementing stronger third-party vendor assessments and regular penetration testing could have prevented the breach.
For more information, explore our Managed Security Service Provider (MSSP).