Understanding LockBit
U

A SecPro Super Issue: Understanding LockBit

For those of you in the UK, you may be winding down for the week already and ready for the Queen’s Platinum Jubilee – a celebration of a monarch who has seen the world change from the low tech world of the 1950s to the technological revolution that we are living through today. In a world completely unimaginably different to those who witnessed a coronation in 1953, taking a minute to reflect on the leaps and bounds we have made as a species is something that people often forget to do.

Of course, the rise of modern computers saw another significant rise – cybercriminals. No one is more aware of the rising threat than cybersecurity professionals, so here’s some light reading for the long weekend. If you’re not in the UK, you can just enjoy a super issue without the special occasion.

Thanks for reading and we’ll see you again on Friday!

Cheers!
Austin Miller
Editor-in-Chief

Understanding the LockBit Ransomware

By Andy Pantelli

Breaking down the Bitwise Spider APT
 

Looking at the origins of the Adversary, how the group evolved, and how they became one of most prolific criminal gangs using Ransomware-as-a-Service.  We will take a look at the Tactics, Techniques & Procedures the adversary uses and break these down.

The origins of BitWise Spider began in September of 2019.  Known then as ABCD Ransomware the gang set about promoting and supporting their operation via Russian language forums.  Developing a strong professional operation until June 2021 when the group were banned from posting on Cyber Security forums.  This prompted a rebrand with the group changing name to BitWise Spider and at the same time releasing LockBit 2.0 ransomware & the StealBit information stealer.

This appears to be a milestone for the group which then saw increase in their reputation and popularity amongst the Dark Web Community having matured & added much more functionality into Lockbit 2.0 Ransomware-as-a-Service (RaaS).   We will take a deeper look in more detail later in the article at the TTPs (Tactics, Techniques & Procedures) used by the adversary.

Having become one of the most prolific Ransomware gangs the group looked to mature their software, and the business model.  LockBit operations were by now increasing and developing the recruitment and marketing with affiliates.  What exactly is an ‘affiliate’?

Ransomware-as-a-Service developers can maximize their product exposure by providing it to third parties, or ‘affiliates’ who in turn focus themselves on targeting victims and infecting their networks.  There is a monetary trade between the developers and the affiliates for the number of infections and the numbers of users within an infected organization.

This model worked for BitWise Spider successfully allowing them to focus on development and profit, but also provides a layer between the gang and the victim making detection or prosecution of the developers more difficult with obscurity.    Affiliate schemes are used by almost all Ransomware developers who provide the affiliate with a unique identifier in specific code within the Ransomware which directs any payout to the affiliate that caused the infection.

BitWise Spider comes of age

In March of 2022 the gang had matured their code, enriched features, added functionality and introduced new tactics.  This included data extortion as they began to detail new victims through their Dark Web site.  Using an array of techniques, tactics & procedures (TTP) the group were responsible for many high profile attacks such as the one in 2021 against Accenture, who were at the time were in the process of a marketing campaign to recruit new affiliates.  The Fortune 500 Company was later to confirm the breach with a $50m ransom demanded otherwise the company data would be leaked.  Accenture were soon forced to file a data breach in the October SEC filings after “extraction of proprietary information.” during the August attack.

LockBit has undergone some major development releasing a new version including several new features; automatic encryption of devices across Microsoft Windows Active Directory Domains, the removal of shadow copies, self-propagation, the ability to bypass User Account Control Settings (UAC), ESXi support, and even the capability of printing Ransom notes via the victim’s network connected printers.  Some of the techniques seen are publicly available such as privilege escalation by using the Mimikatz tool but also the group also claim to have the fastest encryption method which employs a multithread approach using some of the following methods to boost performance: 

• Open files with the FILE_FLAG_NO_BUFFERING flag, write by sector size
• Transfer work with files to Native API
• Use asynchronous file I/O
• Use I/O port completion
• Pass control to the kernel yourself, Google KiFastSystemCall

Not content with this improvement, the developers at BitWise Spider introduced StealBit to shift their tactics by employing data exfiltration as a double extortion tactic.  Victims of Ransomware may not be willing to pay the fee in some instances, this could be for a number of reasons, lack of financial resources, available backups, concerns that if a payment were to be made to the blackmailers then would the data even be unencrypted?  All this made criminal gangs look towards threatening victims of Ransomware that unless a payment were made to the gang then the malicious actors would release the data online or even sell it.

StealBit is developed and maintained by the group and as seen by the graphic compares favourably against other Ransomware tools:

The table represents hash values of selected StealBit samples that have been observed in the security community:


MITRE ATT&CK

Tactics, techniques & procedures (TTPs) observed to be used by the adversary:


Industries & Countries Targeted 

LockBit targets diverse industry sectors & geographical regions.  Most attacks are observed in the US, India & Brazil with the Commonwealth of Independent States being avoided.  Business sectors indicate the Healthcare closely followed by the Education Sector although the group have issued a statement to claim that they do not target “healthcare, charity or educational institutions”.  This has prompted the US Department of Health Services HHS) to issue “contradictory code of ethics” note warning the public not to rely on such statements and these are shown not be true.  

Initial Access

LockBit affiliates gain access via compromised servers, or by using RDP or VPN accounts using brute force insecure credentials.  A further delivery method is by exploiting Fortinet VPN CVE-2018-13379 vulnerability.  LockBit also makes use of Mimikatz to escalate privileges.

 

Execution

Executed by command line or by scheduled tasks and can be propagated in other machines.  It is also known to use PowerShell Empire post exploitation agent.

Persistence

Registry Run Keys / Start up Folders

Discovery

Advanced Port Scanner, Network Scanner & AdFind are used to enumerate connected machines.

Lateral movement

Self-Propagation via SMB using compromised credentials or Group Policy.  PsExec or Cobalt Strike is used for lateral movement.

Exfiltration

Data extracted to Cloud Storage Web Applications MEGA, or FreeFileSync.  Also used for exfiltration is the groups own StealBit.

Impact

Ransomware payload will encrypt victim machines upon execution.  This includes local and network drives.  Encrypting with AES-256.  Can print ransom note using connected printers.  The desktop wallpaper is also replaced. 

Ransom note, file name Restore-My-Files.txt


Tactics

The use of affiliates, marketing & the gangs Direct Leak Site to upload stolen data are direct tactics to propagate the monetization.  Offering Ransomware-as-a-Service provides a tactic to avoid direct involvement and obfuscate any law enforcement action.

Known target industries include and are not limited to Cryptocurrency, Academics, Aviation, Aerospace, Healthcare Insurance, Food and Beverage, Chemicals Energy Oil and Gas, Manufacturing, Hospitality, Real Estate Travel, Opportunistic, Logistics Transportation, Legal, Retail, and Government.

The known 74 target countries include Taiwan, China, Poland, Netherlands, Mexico, the United States, Belgium, Colombia, Denmark, Chile, Vietnam, and Peru.

The gang have developed a strong selling point with affiliates using the speed of the malware with its capabilities being well known.  The group maximizes this selling point through various means of publicity.  External factors influence the targeting of victims with a preference for victims that have concerns over GPDR in Europe. 

Techniques

As with many Ransomware gangs LockBit will the check system language to avoid encrypting systems in Russia or other nearby CIS states The Malware issues the commands GetSystemDefaultUILanguage and GetUserDefaultUILanguage to check if the system of user default UI is in the language list to avoid.

Azerbaijani (Cyrillic, Azerbaijan), Azerbaijani (Latin, Azerbaijan), Armenian (Armenia), Belarusian (Belarus), Georgian (Georgia), Kazakh (Kazakhstan), Kyrgyz (Kyrgyzstan), Russian (Moldova), Russian (Russia), Tajik (Cyrillic, Tajikistan), Turkmen (Turkmenistan), Uzbek (Cyrillic, Uzbekistan), Uzbek (Latin, Uzbekistan), and Ukrainian (Ukraine).

The malware uses and Ifstatement and calls ExitProcess to terminate itself if the user of system UI language is identified.

Strings seen in LockBit executables are encoded and then stored as a stack string. Before use they are decoded dynamically through computations such as addition, subtraction or XOR, this is the Stack String Anti-Analysis.

As with many major Ransomware variants LockBit resolves APIs dynamically to make the Inline Anti-Analysis more difficult but the gang have enhanced the technique by making the entire resolving process inline which makes the decompiled code much larger, and therefore more difficult & time consuming to analyse.

Then using methods to load the API libraries into memory, the malware uses hashing & obfuscation methods to access the DLL base and export table which returns the target API address.  After loading all required libraries LockBit will restrict access to its own process by calling NTOpenProcess to get a handle on the current process then resolve GetSecurityInfo to get the process security descriptor.

By initializing an SID for the EVERYONE group and using the RtlAddAccessDeniedAce to add the ACCESS_DENIED access control entry for the EVERYONE group the malware process is effectively protected.  Additional ACEs are iterated for each process that the malware uses.  Critical system messages are suppressed and calls to RtlAdjustPrivilege which enables the SE_TAKE_OWNERSHIP_PRIVILEGE. 

Privilege escalation

In the next stages LockBit will look to elevate privilege of the user account using the GetTokenInformation call to retrieve information about the user account associated with the Token.  Using a combination retrieving and comparing account SID the malware begins the process to escalate itself.

Logging

The malware then makes a number of calls to create hidden debug windows which can be viewed during the process by a combination of hot keys Shift+F1.


Command Line

Command-line is to be used with or without arguments.  Once encryption of the target file/directory is complete the process is terminated


Mutex

LockBit checks for, and avoids multiple Ransomware instances by checking the stack string \{\%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%%02X}”


Active Directory

LockBit seeks out the OS Version, if Windows Vista or above it tries to create and set up new group policies for other hosts within Active Directory using NtQueryInformationToken_1 and the NtOpenProcessToken commands the malware looks up the Admin account and Domain.  To then connect to the AD Domain LockBit will generate the LDAP display name for the Group Policy Object.

By resolving the stack string and formats it with the public key.  Manually extracting the DNS Domain Name, and name LockBit is able to create a new GPO, lastly the path is built by formatting the string LDAP://CN=<GPO GUID>,CN=Policies,CN=System,DC=<Domain component 1>,DC=<Domain Component 2> which allows the AD path and GPO to call CreateGPOLink to connect the GPO to the Active Directory Domain.

DNS Retrieval

LockBit formats ScheduledTasks.xml file to execute a taskkill.exe for each process in the process list before dropping in the Registy.pol file1 which contains the following list of registry paths and values:
• Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware: True
• Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring: True
• Software\Policies\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent: Never send
• Software\Policies\Microsoft\Windows Defender\Threats\Threats_ThreatSeverityDefaultAction: Enabled
• Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\Low: Ignored
• Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\Medium: Ignored
• Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\High: Ignored
• Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\Severe: Ignored
• Software\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress: Enabled

These following registry configurations disable Windows Defender features such as anti-spyware, real-time protection, submitting samples to Microsoft servers, default actions, and displaying notification on all network hosts.

Persistence

Before executing encryption routines LockBit configures persistence using Registry Keys if the Malware is interrupted by a system shutdown.  Once encryption is complete, the malware will remove the persistence key calling RegDeleValueW to prevent itself from running again if the user restarts the machine following encryption.


Deleting backups

LockBit will delete shadow copies by resolving the string /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no then passes the fields to ShellExecuteA. The command uses vssadmin and wmic to delete all shadow copies and bcdedit to disable file recovery.

Wallpaper

Setting the default file extension, desktop background and ransom note printing tasks are completed.


Printing

Using the call EnumPrintersW to retrieve printers’ information.  The internal function resolves two strings Microsoft Print to PDF and Microsoft XPS Document Writer to compare the printer name.  If the value is one of the two, the function will exit and the ransom note will not be printed.

This is to ensure that the note is not printed to a file and only to print from a physical printer.


Extension

All files encrypted by LockBit have the file extinction .lockbit after calling NtCreateFile and NtWriteFile resolves \Registry\Machine\Software\Classes\.lockbit stack string and calls NTCreateKey to create the registry extension, this is done after formatting using its public key.


File Encryption

Prior to encryption LockBit will enumerate all volumes on the target system using FindFirstVolumeW and FindNextVolumeW and proceeds to retrieve a list of Drive letters and any mounted folder paths.  Then each drive path is iterated from Z to A before being mounted to a specific drive letter by calling SetVolumeMountPointW.  Libsodium Cryptography is used for the public key crypto using functions bcrypt.dll and LoadLibraryA, it will use BCryptGenRandom for the RNG function or CryptGenRandom.  Next, as seen before the stack string is resolved and the public key is used to format it which is later used as a Registry key to store the victim crypto keys.  The malware calls Libsodium crypto_box_keypair to generate a random 32-bit private key and the corresponding public key.  Next it will encrypt the 64-bit buffer containing both keys using Libsodium crypto_box_easy then deletes the victims private key from memory.

After setting up the crypto keys, LockBit initialises its multithreading method we reference earlier it then traverses through all local drives using techniques to skip drives that are not available, or that have already been encrypted.  Files that are recognised as read-only changes the attribute to FILE_ATTRIBUTE_NORMAL making it writable and available for encryption.  The files are encrypted using 512 byte chunks and given the extension .lockbit Again calling the RNG function the malware randomly generates a 16-byte AES key and 16-byte AES IV and writes into the file structure before renaming the file before the encryption by populating a FILE_NAME_INFORMATION with the encrypted file name before calling NTSetInformationFile with the information class FileNameInformation.  In the final stages LockBit will create threads to traverse and encrypt other network hosts and network drives by using the GetAdaptorInfo the inet_addr call is made to convert the system IP address and mask.  Once the broadcast domain is identified LockBit will scan the network iterating from the network ID address and incrementing up to the broadcast address trying to connect over ports 135 or 445, if successful it will try to encrypt the network hosts.

Procedures

Indicators of Compromise

Further reading

Want to find out more about LockBit? Check out these links.

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.