LockBit 2.0: In-Depth Analysis, Detection, Mitigation, and Removal
Summary of LockBit 2.0 Ransomware
LockBit 2.0 emerged in August 2021, and is the evolution of the original LockBit RaaS (Ransomware-as-a-service). Linux versions of LockBit 2.0 were first observed in early 2022. LockBit practices double extortion – demanding payment for a decryptor, as well as for the non-release of stolen data. LockBit touts their ‘performance’ (speed/rate of encryption) as a selling point for their services. The group is also known for using custom or specialized tools such as StealBIT for exfiltration.
What Does LockBit 2.0 Ransomware Target?
LockBit ransomware typically targets the healthcare, finance, legal, and insurance industries. Targeting may vary across affiliates. Campaigns within the CIS (Commonwealth of Independant States) are discouraged.
How Does LockBit 2.0 Ransomware Spread?
LockBit 2.0 is delivered in multiple ways: through Cobalt Strike or a similar framework, and through email phishing. Additionally, SMB spreading functionality is integrated into LockBit, and it can be turned on and off.
LockBit 2.0 Ransomware Technical Details
LockBit is an ongoing ransomware affiliate program. The second revision ‘LockBit 2.0’, has been operating since early 2020.
Encryption is implemented in parts via the completion port (I/O), encryption algorithm AES + ECC. So far, none have managed to decrypt it. LockBit is known for its encryption speed and self-spreading function.
Operators behind LockBit 2.0 attempt to utilize LOLBINS and COTS options where possible. Within LockBit campaigns, there is often heavy use of PowerShell. WMIC, and/or SMB for example.
LockBit 2.0 can encrypt files regardless of online status meaning the encryption works offline. Affiliates have complete control over their campaigns via an administrative panel hosted via TOR (.onion domain). LockBit 2.0 shares many features with other modern and successful ransomware families. These include:
- Network detection and spreading via DFS/SMB/WebDav
- Automatic termination of processes that may interfere with the encryption or extraction processed (backup software, security agents/scanners)
- Blocking the launch of processes that may lead to termination of the encryption
- Removal of Shadow Copies
- Clearing of logs, self-cleaning
- Options for hidden or visible runtime modes
- Spread to hosts with Wake-On-Lan
- Interaction with networked printers
- Support for “all” versions of Windows
In January of 2022, versions of LockBit targeting Linux were observed in the wild. These initial payloads primarily target Linux-based ESXi servers.
Data Encrypted for Impact T1486
Network Share Discovery T1135
Remote Services: SMB/Windows Admin Shares T1021.002
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001
Command and Scripting Interpreter T1059
Exploitation for Client Execution T1203
How to Detect LockBit 2.0 Ransomware
- The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to LockBit 2.0.
In case you do not have SentinelOne deployed, detecting this ransomware requires a combination of technical and operational measures, which are designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.
- Use antimalware software, or other security tools, which are capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
- Monitor network traffic, and look for indicators of compromise, such as unusual network traffic patterns, or communication with known command-and-control servers.
- Conduct regular security audits and assessments, to identify vulnerabilities in the network and the system, and to ensure that all security controls are in place and functioning properly.
- Educate and train employees on cybersecurity best practices, including how to identify and report suspicious emails, or other threats.
- Implement a robust backup and recovery plan, to ensure that the organization has a copy of its data, and can restore it in case of an attack.
How to Mitigate LockBit 2.0
- The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with LockBit.
If you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of AtomSilo ransomware attacks.
Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.
Implement Strong Passwords
Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.
Enable Multi-factor Authentication
Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.
Update and Patch Systems
Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.
Implement Backup and Disaster Recovery
Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location.
The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.