U.S. government agencies have released a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.
“The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit,” the authorities said.
The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC).
Since emerging in late 2019, the LockBit actors have invested significant technical efforts to develop and fine-tune its malware, issuing two major updates — LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively.
“LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode,” according to the alert. “If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware.”
The ransomware is also designed to infect only those machines whose language settings do not overlap with those specified in an exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia).
Initial access to victim networks is obtained via remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and weaponization of public-facing applications.
Upon finding a successful ingress point, the malware takes steps to establish persistence, escalate privileges, carry out lateral movement, and purge log files, files in the Windows Recycle Bin folder, and shadow copies, before initiating the encryption routine.
“LockBit affiliates have been observed using various freeware and open source tools during their intrusions,” the agencies said. “These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration.”
One defining characteristic of the attacks is the use of a custom exfiltration tool referred to as StealBit, which the LockBit group provides to affiliates for double extortion purposes.
In November, the U.S. Department of Justice reported that the LockBit ransomware strain has been used against at least 1,000 victims worldwide, netting the operation over $100 million in illicit profits.
Industrial cybersecurity firm Dragos, earlier this year, revealed that LockBit 3.0 was responsible for 21% of 189 ransomware attacks detected against critical infrastructure in Q4 2022, accounting for 40 incidents. A majority of those attacks impacted food and beverage and manufacturing sectors.
The FBI’s Internet Crime Complaint Center (IC3), in its latest Internet Crime Report, listed LockBit (149), BlackCat (114), and Hive (87) as the top three ransomware variants victimizing critical infrastructure in 2022.
Despite LockBit’s prolific attack spree, the ransomware gang suffered a huge blow in late September 2022 when a disgruntled LockBit developer released the builder code for LockBit 3.0, raising concerns that other criminal actors could take advantage of the situation and spawn their own variants.
The advisory comes as the BianLian ransomware group has shifted its focus from encrypting its victims’ files to pure data-theft extortion attacks, months after cybersecurity company Avast released a free decryptor in January 2023.
In a related development, Kaspersky has published a free decryptor to help victims who have had their data locked down by a version of ransomware based on the Conti source code that leaked after Russia’s invasion of Ukraine last year led to internal friction among the core members.
“Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises,” Intel 471 noted last year. “And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation.”