Ransomware Profile: LockBit

[harlan4096]

LockBit is a strain of ransomware that blocks users from accessing infected systems until the requested ransom payment has been made. It has been highly active since it emerged in September 2019 and has impacted thousands of organizations around the world. Many of LockBit’s attack functions are automated, making it one of the most efficient ransomware variants on the market.

What is LockBit?

LockBit is a ransomware variant that encrypts files using AES encryption and demands a large ransom (typically high five-figures) for their decryption. Whereas most modern strains of ransomware are manually operated, LockBit’s processes are largely automated, which allows the ransomware to propagate and infect other hosts with minimal human oversight after the initial point of compromise.

LockBit operates under the ransomware-as-a-service (Raas) business model, whereby ransomware developers lease their ransomware to affiliates who receive a portion of ransom payments in exchange for dropping the malware onto victims’ networks.

Double extortion, in which threat actors use stolen data to pressure victims into paying the ransom, has become standard procedure among most ransomware groups and LockBit is no exception. LockBit claims to offer the fastest data exfiltration on the market through StealBit, a data theft tool that can allegedly download 100 GB of data from compromised systems in under 20 minutes.

The history of LockBit

LockBit was first observed in September 2019. It was originally known as ABCD ransomware due to the .abcd file extension that older versions of the ransomware would append to encrypted files. In later versions, the file extension was changed to .LockBit.

In May 2020, LockBit began working with Maze in what some referred to as a “ransomware cartel”. It is believed that the two groups shared tactics and resources, with LockBit using Maze’s leak site to publish stolen files. LockBit went on to launch its own leak site in September 2020.

In August 2020, INTERPOL warned of a spike in LockBit attacks on medium-sized companies in the Americas as part of its Cybercrime: Covid-19 Impact report (Note: link starts PDF download).

In June 2021, LockBit launched LockBit 2.0 along with an advertising campaign to recruit new affiliates.

Since LockBit was first discovered, there have been 9,955 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files. We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 39,976 LockBit incidents since the ransomware’s inception.

LockBit ransom note

After the encryption process is complete, LockBit drops a ransom note called “Restore-My-Files.txt” in all infected directories and changes the desktop wallpaper on the target system. The note contains instructions on how to make payment and warns the victim to avoid using third-party decryption software and recovery services. The ransom note also contains a link to a payment portal where victims can “Chat with support” and access a one-time free decryption to verify that the attackers have a legitimate copy of the decryption key.
...

Continue Reading