Lockbit 2.0 to 3.0

Lockbit 2.0 first appeared in cybersecurity reports in early 2022. The group gradually deployed this new version, testing its features before a full-scale launch. Victims quickly accumulated, including well-known companies like TitanHQ and Travelex.

In February 2022, law enforcement managed to infiltrate Lockbit’s systems and seize millions of dollars in ransom, forcing the group to temporarily suspend its activities. However, by March 2022, Lockbit resumed operations, launching a series of notable attacks. Lockbit 3.0 was released in May 2022, with significant improvements to avoid antivirus detection and introducing a function to delete backups.

The ransomware evolved into Lockbit 2.0 and then Lockbit 3.0, with each version introducing more sophisticated evasion techniques and destructive capabilities, such as deleting backups to prevent data recovery.

In September 2022, an internal disagreement led to the release of Lockbit 3.0’s source code on GitHub. According to Kaspersky, this leak resulted in the creation of over 400 variants of Lockbit 3.0 under the ransomware-as-a-service (RaaS) model, allowing other cybercriminals to use its malicious software for a commission. Initially known as “abcd” due to the extension added during data encryption, Lockbit quickly made a name for itself in cybercrime.

Modus Operandi

1.Infection Methods

Lockbit uses a variety of methods to infiltrate its victims’ computer systems, including :

• • Phishing: Lockbit sends fraudulent emails to gather sensitive information. In February 2023, Lockbit used a sophisticated phishing campaign to infiltrate Royal Mail, resulting in a ransom demand of $80 million.

  • Exploitation of Security Flaws: Targeting outdated or unprotected systems. In 2022, Lockbit exploited a vulnerability in an enterprise’s RDP service to gain initial access and used tools like PsExec to move laterally across the network, encrypting data on multiple systems and demanding a substantial ransom.

  • Malware Installation: Using backdoors for stealthy access. Recently, Lockbit used ConnectWise RMM software to penetrate the systems of several clients of a managed services provider, installing malicious versions of the software to establish persistence and exfiltrate data before deploying ransomware.

2. Attack Phases

• • Exploitation: Using social engineering or brute force attacks to infiltrate a network and obtain VPN or RDP credentials.

  • Infiltration: Gaining elevated privileges and preparing for ransomware deployment. For example, in a 2023 attack, Lockbit used tools like Mimikatz to steal administrator credentials, allowing control over more systems.

  • Persistence: Maintaining access to the compromised network by enabling automatic logon or continually using compromised credentials.

  • Defense Evasion: Avoiding detection and disabling network defenses using tools like Defender Control to disable EDR processes and services or clearing event log files to hide traces.

  • Lateral Movement: Moving laterally within the compromised network using remote desktop software like Splashtop or targeting SMB shares with Cobalt Strike.

3. Data Encryption

Once initial access is obtained, Lockbit affiliates execute malicious commands to deploy the ransomware, such as using batch scripts to execute malicious commands via the Windows Command Shell or using Chocolatey to deploy malicious software on infected systems.

To maximize the impact of their attacks and make data access impossible, Lockbit affiliates use various destructive techniques:

• • Data Encryption: Encrypting data on target systems to disrupt their availability.
  • Internal Defacement: Changing the system’s wallpapers and icons to the Lockbit 3.0 branding.
  • System Recovery Inhibition: Deleting volume shadow copies to prevent data recovery.

4. Ransom Demand

• • After encryption, Lockbit displays a ransom note demanding payment in cryptocurrency under the threat of data destruction or disclosure.

How to Protect Against Lockbit?

Organizations are encouraged to implement mitigation measures developed by CISA and NIST to strengthen their cybersecurity posture against Lockbit’s activities.

• Initial Access: Use sandboxed browsers, enforce strong password policies, utilize MFA, segment networks, and filter malicious emails.

• Execution: Control network connections and enable advanced PowerShell logging.

• Privilege Escalation: Restrict command-line activities and use Credential Guard.

• Defense Evasion: Establish application whitelisting and enforce local security policies.

• Credential Access: Limit NTLM usage with security policies.

• Discovery: Disable unused ports.

• Lateral Movement: Monitor network activities with surveillance tools.

• Command and Control: Create trust zones for sensitive assets and adopt Zero Trust architecture for VPNs.

• Exfiltration: Block connections to malicious systems with a TLS proxy and restrict access to public file-sharing services.

• Impact: Maintain multiple copies of sensitive data in secure locations and regularly update offline backups.
• Security Controls Validation: Continuously test and validate your security program against MITRE ATT&CK techniques to ensure optimal protection.

Cronos Operation

In February 2022, law enforcement took action and infiltrated Lockbit’s systems, seizing millions in ransom and forcing the group to suspend activities temporarily. Lockbit resumed attacks by March 2022, targeting prominent companies.

The first arrests related to Lockbit began in October 2022 during Operation Cronos, conducted by authorities from 11 countries. In October 2022, Canadian authorities intercepted Mikhael Vasiliev, suspected of being a significant member of Lockbit, revealing his involvement in over a hundred attacks in France and links to other hacker groups like Blackcat, Ragnarlocker, and Darkside.

In May 2023, the FBI offered a $10 million reward for information leading to the identification of Mikhail Pavlovich Matveev, alias “Wazawaka,” crucial in developing Lockbit’s ransomware. Despite these efforts, Lockbit remains defiant. In June 2023, seven international cybersecurity agencies published a guide to help companies defend against Lockbit.

In February 2024, a major police operation led to the seizure of Lockbit’s infrastructure. This operation, the result of years of meticulous investigation by Europol, the NCA, and national authorities, involved collecting evidence, analyzing millions of financial transactions, and conducting complex surveillance operations to identify network members.

The operation seized dozens of servers and over 200 cryptocurrency wallets. Authorities also obtained a thousand decryption keys, allowing the creation of decryption software freely available to Lockbit victims. Additionally, the source code and documents explaining the group’s expansion were discovered.

Lockbit’s Reputation in Tatters?

In a dramatic turn for global cybersecurity, Operation Cronos dealt a significant blow to the criminal franchise LockBit by revealing approximately 190 affiliate accounts. This revelation comes from the cybersecurity intelligence firm Recorded Future and highlights the significant reduction in options for the gang. LockBit’s ability to rebound has been severely hampered largely due to the negative publicity surrounding the gang.

By suggesting that LockbitSupp is now collaborating with law enforcement to reveal former partners, authorities have used an obvious attempt to nip any organizational recovery in the bud. This maneuver aims to deter any future association with LockbitSupp.