LockBit 3 Ransomware

First detected in September 2021, LockBit 3 is a highly sophisticated ransomware. It is the third iteration of the LockBit malware family, which has been active since 2019. Like other ransomware, LockBit 3 is designed to encrypt victims' files and demand a ransom in exchange for the decryption key. However, what sets LockBit 3 apart is its complex encryption mechanisms and its use by highly skilled threat actors as well as its rise to be the number one choice from threat actors as seen in last week’s Red Piranha's Threat Intelligence Report.

1. LockBit 3 Propagation Methods

LockBit 3 is typically propagated through social engineering tactics, such as phishing emails or malicious downloads. Once the ransomware is downloaded onto a victim's computer, it begins to spread throughout the network, searching for vulnerable systems to infect. LockBit 3 is designed to exploit vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares, allowing it to spread quickly and easily across a network. 

2. Encryption Mechanisms of Lockbit 3

Like other ransomware, LockBit 3 uses encryption to render the victim's files unreadable. LockBit 3 uses a combination of RSA-2048 and AES-256 encryption algorithms to encrypt the victim's files. The ransomware first generates a unique RSA-2048 public key for each victim, which is then used to encrypt a randomly generated AES-256 session key for each file. This unique key pair ensures that the victim's files can only be decrypted with the corresponding private key held by the attacker.

LockBit 3 also uses a technique called "double extortion" to increase the likelihood that victims will pay the ransom. In addition to encrypting the victim's files, LockBit 3 exfiltrates sensitive data from the victim's computer and threatens to release it publicly if the ransom is not paid. This creates a strong incentive for victims to pay the ransom, as they may face legal or reputational consequences if their data is released. 

Analysis of multiple incidents involving the latest version of LockBit ransomware, also known as LockBit 3.0 or ‘LockBit Black.’ 

Researchers discovered that at least one affiliate of the ransomware was using a specific collection of tools that have also been used by legitimate penetration testers in the past three months.

Interestingly, leaked data about LockBit 3.0 also revealed that its creators have begun experimenting with scripting that could allow the malware to “self-spread” using Windows Group Policy Objects (GPO) or the tool PSExec. This new feature could make it easier for the malware to move laterally and infect computers without the need for affiliates to know how to take advantage of these capabilities themselves, which could potentially speed up the time it takes to deploy the ransomware and encrypt targets. 

A reverse-engineering analysis of LockBit 3.0 reveals that it carries over most of its functionality from LockBit 2.0 while adopting new behaviours that make it more difficult to analyze by researchers. In some cases, the affiliate needs to use a 32-character ‘password’ in the command line of the ransomware binary for it to run. Furthermore, the ransomware runs with LocalServiceNetworkRestricted permissions, so it does not need full Administrator-level access to cause damage. 

A specific anti-debugging trick is employed by both BlackMatter and LockBit 3.0. Both ransomware families use ROT13-based hash tables to load/resolve Windows DLLs and conceal their internal function calls from researchers. They also look for a binary data marker (0xABABABAB) in the code at the end of the heap to detect if someone is debugging the code. If it finds this marker, it quits and doesn't save the pointer. 

In addition, LockBit 3.0 creates a special stub for each API it needs, with five different types of stubs that can be created randomly. Each stub is a small piece of shellcode that performs API hash resolution on the fly and jumps to the API address in memory. This makes it more challenging to reverse using a debugger. 

3. How Threat Actors are using LockBit 3 

LockBit 3 has been used by several highly skilled threat actors, including the FIN11 and APT29 groups. 

FIN11 is a financially motivated group that has been active since at least 2016. They are known for using a range of tactics, including ransomware attacks, to extort money from their victims. 

APT29, on the other hand, is a state-sponsored group believed to be operating out of Russia. APT29 is known for conducting espionage operations against a range of targets, including government agencies, military organisations, and research institutions.

4. Lockbit3 Ransom Demands and Payment Instructions 

When LockBit 3 has finished encrypting the victim's files and exfiltrating sensitive data, it displays a ransom note on the victim's screen. The ransom note contains instructions on how to pay the ransom and receive the decryption key. The victim is typically instructed to download the Tor browser and visit a specific website, where they can enter a unique identifier and receive further instructions on how to pay the ransom. 

LockBit 3 demands payment in Bitcoin, typically ranging from several thousand to several hundred thousand dollars. The exact amount of the ransom depends on the size and importance of the victim's network, as well as the amount of sensitive data that was exfiltrated. The attackers often use a time-limited discount to encourage victims to pay quickly, further increasing the likelihood that they will pay the ransom.

5. How to protect your business from Lockbit 3

Protecting yourself from LockBit 3 ransomware requires a combination of technical and behavioural security measures. Reduce attack surface with good segmentation, keep software up to date and implement a robust Network Detection and Response program alongside your Endpoint Detection and Response can help reduce the risk of loss from an attack. Always follow best practices and have strong vigilance with staff to aid in minimising the risk of a LockBit 3 infection and protect your personal and business data.

Sign up for our Weekly Threat Intelligence Report to stay updated.

Date Published
February 22, 2023