Ransomware Group Deep Dive: LockBit
Ransomware groups, also known as ransomware gangs, have always been slippery and mysterious. When one group dissolves or is shut down by the authorities, the surviving members often take their skills and knowledge to other groups, rebranding under a different name.
Despite the constantly shifting threat landscape, it’s crucial for security-conscious businesses to be aware of the biggest and most dangerous ransomware groups at any point in time. That’s exactly why we’re writing about LockBit: a rapidly evolving and highly efficient ransomware variant that has become one of the world's most prolific types of malware.
According to IT security consulting firm NCC Group, 40% of all ransomware attacks in August 2022 were infections with the LockBit 3.0 ransomware strain. This made LockBit by far “the most threatening ransomware threat actor” that month.
So what is the LockBit ransomware group, exactly, and how does LockBit ransomware work? This article will discuss everything you need to know, from the biggest LockBit attacks to how to defend against LockBit ransomware.
What Is the LockBit Ransomware Group?
The LockBit ransomware group first appeared in September 2019, when it was known as “ABCD” ransomware (named after the .abcd file extension that it left on encrypted files). Since then, LockBit ransomware has gone through multiple iterations, from LockBit 1.0 through 2.0 to the current LockBit 3.0 version, which appeared in June 2022.
LockBit is a “ransomware as a service” (RaaS) operation, which means that the ransomware’s developers sell access to the malware to other criminal gangs. Like many other ransomware gangs, LockBit engages in double extortion tactics, threatening not only to revoke access to victims’ files but also to leak their contents on the Dark Web.
In an unusual move, LockBit announced in June 2022 that it would launch a “bug bounty” program. Users who discover errors or vulnerabilities in the LockBit ransomware or the group’s website on the Dark Web can be rewarded with bounties between $1,000 and $1 million.
LockBit ransomware attacks have tended to focus on private enterprises across the U.S., Europe, and Asia. According to a report by cyber threat intelligence company Prodaft, the average ransom demanded during a LockBit attack is just $85,000—significantly smaller than with other ransomware groups.
This suggests that LockBit prefers to target small and medium-sized businesses rather than large enterprises. Nevertheless, LockBit has executed a number of high-profile attacks, such as:
August 2021: Hackers using LockBit infected the consulting firm Accenture. Although the attackers attempted to extort a ransom by threatening to leak the company’s data, Accenture was able to quickly restore access to the affected servers.
June 2022: LockBit ransomware infected a Mexican production plant of the manufacturing company Foxconn, causing a temporary disruption. Like Accenture, Foxconn claimed that the attack would have “little impact” on its operations.
In a 2021 interview, the LockBit ransomware gang claimed that the group preferred to target companies in North America and Europe since these businesses tend to have cyber insurance policies and higher revenues. The gang also claimed that it had a policy against attacking healthcare, educational, and nonprofit organizations.
How Does LockBit Ransomware Work?
Like many ransomware infections, LockBit attacks generally have three stages: exploitation, infiltration, and encryption. The first stage, exploitation, consists of entering a target’s network through any means possible.
For example, LockBit attackers sometimes purchase stolen credentials on the Dark Web that can be used to access Remote Desktop Protocol (RDP) instances. The LockBit group also identifies software exploits and vulnerabilities that potential victims may not yet have patched.
Once inside the network, the LockBit software installs itself in the Windows Registry so that it automatically boots up when the system starts. (Newer versions of LockBit are capable of attacking both Windows and Linux machines.) It also scans for connections to other hosts from its point of origin, so that it can extend its reach throughout the network. During this stage, LockBit is also reported to download penetration testing tools such as Cobalt Strike Beacon and MetaSploit to help with reconnaissance and lateral movement.
Finally, LockBit begins the encryption process using elliptic-curve Curve25519 cryptography. According to researchers at the software company Splunk, LockBit 2.0 has one of the fastest ransomware encryption speeds, taking 2 minutes and 30 seconds to encrypt nearly 100,000 files. This is because LockBit 2.0 only encrypts the first 4 kilobytes of each file, which is enough to render it unusable without the decryption key.
How To Protect Yourself from LockBit Ransomware
With LockBit ransomware rampant, it’s never been more important for businesses to bolster their cybersecurity defenses. Following the best practices below will help defend against LockBit and other ransomware strains:
Deleting unused accounts and reviewing user permissions on a regular basis.
Preparing system-wide backups and storing them in an offsite location.
Installing antivirus and antimalware tools and applying software updates.
Requiring strong passwords and multifactor authentication to prevent brute-force attacks.
Launching IT security campaigns to train employees to recognize phishing emails and suspicious behavior.
Here’s what you need to know about the LockBit ransomware group:
LockBit first appeared as the “ABCD” ransomware variant in 2019, with the current version being LockBit 3.0.
Hackers using LockBit ransomware have attacked high-profile targets such as Foxconn and Accenture.
The LockBit ransomware is technically sophisticated and extremely fast at encrypting files, making early detection essential.
LockBit and other ransomware gangs are a constant menace for businesses, threatening to leak their sensitive data on the Dark Web. That’s exactly why Dark Web threat monitoring is such a crucial practice.
FYEO's threat intelligence software can scan through more than 23 billion leaked credentials. If hackers have posted your confidential information on the Dark Web, you’ll receive an alert immediately so that you can defend your privacy and security. Want to learn more about how we can help? Get in touch with us today to request a demo of FYEO Domain Intelligence.