US government agencies have released a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.
“The LockBit 3.0 ransomware operates as a Ransomware-as-a-service (RaaS) model and is a continuation of the previous ransomware versions, LockBit 2.0 and LockBit,” authorities said.
The alert was issued jointly by the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Since it first appeared in late 2019, LockBit's operators have invested considerable technical effort into developing and refining the malware, releasing two major updates: LockBit 2.0 in mid-2021 and LockBit 3.0 in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively.
“LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode,” the alert reads. “If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory when the ransomware is run.”
The ransomware is also designed to infect only machines whose language settings do not match those on the exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia).
Initial access to victim networks is gained through remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.
After establishing a foothold, the malware takes steps to authenticate, escalate privileges, move laterally, and delete log files, the contents of the Windows Recycle Bin, and volume shadow copies before it begins encrypting.
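The cleanup steps in that paragraph (shadow copy deletion, event log clearing, Recycle Bin wiping) leave a recognisable command-line trail, and that is where defenders usually get their last pre-encryption warning. The following is an added example, not code from the advisory or from the agencies: a small Python detector run over constructed process-creation log lines. The log format, the host and user names, and the specific command-line patterns are assumptions chosen for illustration; the advisory describes the behaviour, not these exact lines.

```python
"""Flag pre-encryption cleanup activity in process-creation logs.

Added example (not from the advisory). Log format is a constructed,
simplified one: "<timestamp> host=<name> user=<user> cmd=<command line>".
Adapt parse_line() to a real source such as Sysmon Event ID 1, Windows
Security 4688 or EDR telemetry.
"""
import re
from dataclasses import dataclass

# Command-line patterns for removing recovery artifacts before encryption.
# These are widely documented ransomware-staging commands, listed here as
# illustrative assumptions rather than as the advisory's own IoCs.
CLEANUP_PATTERNS = [
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_copy_delete", re.compile(r"Get-WmiObject\s+Win32_Shadowcopy.*\bDelete\(", re.I)),
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*unbounded", re.I)),
    ("event_log_clear", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("event_log_clear", re.compile(r"Clear-EventLog\b", re.I)),
    ("recovery_disable", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("recycle_bin_wipe", re.compile(r"\$Recycle\.Bin", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    technique: str
    cmd: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Return one Finding per (line, technique) pair that matches a pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        seen = set()  # count each technique at most once per line
        for name, rx in CLEANUP_PATTERNS:
            if name not in seen and rx.search(rec["cmd"]):
                seen.add(name)
                findings.append(Finding(rec["ts"], rec["host"], rec["user"], name, rec["cmd"]))
    return findings


def hosts_with_cleanup_chain(findings, min_distinct=2):
    """Hosts on which at least min_distinct different cleanup techniques ran.

    A single vssadmin call is something administrators do; several distinct
    techniques in quick succession on one host is a much stronger signal
    that encryption is about to start.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techs in by_host.items() if len(techs) >= min_distinct)


# Constructed sample telemetry (hosts, users and timestamps are invented).
# FS01 shows the full staging chain; BK02 shows a lone, plausibly benign command.
SAMPLE_LOGS = [
    r"2023-03-16T02:11:03Z host=FS01 user=CORP\svc_backup cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2023-03-16T02:11:05Z host=FS01 user=CORP\svc_backup cmd=wmic.exe shadowcopy delete",
    r"2023-03-16T02:11:09Z host=FS01 user=CORP\svc_backup cmd=bcdedit.exe /set {default} recoveryenabled No",
    r"2023-03-16T02:11:12Z host=FS01 user=CORP\svc_backup cmd=wevtutil.exe cl Security",
    r"2023-03-16T02:11:14Z host=FS01 user=CORP\svc_backup cmd=cmd.exe /c rd /s /q C:\$Recycle.Bin",
    r'2023-03-16T08:30:00Z host=WS07 user=CORP\jdoe cmd="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n report.docx',
    r"2023-03-16T09:02:41Z host=BK02 user=CORP\admin cmd=vssadmin.exe delete shadows /for=D: /oldest",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user} {f.technique}: {f.cmd}")
    print("hosts with a cleanup chain:", hosts_with_cleanup_chain(hits))
```

The chain heuristic is the part worth tuning: in practice you would key it on a time window as well as on host, and pair it with a block or isolation action rather than just an alert, since by the time these commands run the encryptor is typically seconds away.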
“LockBit affiliates were observed using various freeware and open source tools during their intrusions,” the agencies said. “These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration.”
One defining characteristic of the attacks is the use of a custom exfiltration tool called StealBit, which the LockBit group provides to affiliates for the purpose of double extortion.
The ransomware gang suffered a notable setback in late September 2022, when a disgruntled LockBit developer leaked the builder for LockBit 3.0, raising fears that other criminal actors could seize on it to create their own variants.
In November, the US Department of Justice reported that the LockBit ransomware strain had been used against at least 1,000 victims worldwide, netting the operation $100 million in illicit profits.
Industrial cybersecurity firm Dragos revealed earlier this year that LockBit 3.0 was responsible for 21% of the 189 ransomware attacks it detected against critical infrastructure in Q4 2022, or 40 incidents. Most of these attacks hit the food and beverage and manufacturing sectors.
In its latest Internet Crime Report, the FBI's Internet Crime Complaint Center (IC3) listed LockBit (149 complaints), BlackCat (114), and Hive (87) as the top three ransomware variants reported by critical infrastructure victims in 2022.
The advisory comes as the BianLian ransomware group has shifted its focus from encrypting victims' files to pure data-theft extortion, months after cybersecurity firm Avast released a free decryptor for it in January 2023.
In a related development, Kaspersky released a free decryptor to help victims whose data was locked by a ransomware strain built on Conti's source code, which was leaked following Russia's invasion of Ukraine last year amid internal friction between key members of the group.
“Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it’s easy to forget that people are running these criminal enterprises,” Intel 471 noted last year. “And, as with legitimate organizations, it only takes one flaw to expose or disrupt a complex operation.”