Known LockBit 3.0 ransomware IOCs and TTPs found in recent assaults, US security agencies reveal

The Federal Bureau of Investigation (FBI), the Multi-State Information Sharing & Analysis Center (MS-ISAC), and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with known LockBit 3.0 ransomware IOCs (indicators of compromise) and TTPs (tactics, techniques, and procedures) identified through FBI investigations as recently as March 2023. These ransomware cybercriminals function as Ransomware-as-a-Service (RaaS) and are a continuation of previous versions of the ransomware referred to as LockBit 2.0 and LockBit.

“Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging,” the joint advisory released Thursday said.

The latest advisory comes as the FBI’s Internet Crime Complaint Center (IC3) data reveals an increase in an additional extortion tactic used to facilitate ransomware in 2022, even as the number of reported ransomware incidents has decreased. The hackers pressure victims by threatening to publish the stolen data if the ransom is not paid. The IC3 report comes in the wake of a cyber landscape that provides ample opportunities for criminals and adversaries to target U.S. networks, attack critical infrastructure, hold money and data for ransom, facilitate large-scale fraud schemes, and threaten national security.

LockBit 3.0, also known as ‘LockBitBlack,’ is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware, the agencies said. “LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware.” 

The agencies said that, for instance, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode. If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware. LockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware. The password is a cryptographic key that decodes the LockBit 3.0 executable, it added.

The advisory assessed that by protecting the code in such a manner, LockBit 3.0 hinders malware detection and analysis, with the code being ‘unexecutable’ and unreadable in its encrypted form. “Signature-based detections may fail to detect the LockBit 3.0 executable as the executable’s encrypted portion will vary based on the cryptographic key used for encryption while generating a unique hash.”

When provided with the correct password, LockBit 3.0 will decrypt the main component, continue to decrypt or decompress its code, and execute the ransomware, the agencies said. LockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list. However, whether a system language is checked at runtime is determined by a configuration flag originally set at compilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion list is detected, LockBit 3.0 will stop execution without infecting the system, they added.

It added that affiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges, the advisory said. LockBit 3.0 enumerates system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. It also terminates processes and services, launches commands, enables automatic log-on for persistence and privilege escalation and deletes log files, files in the recycle bin folder, and shadow copies residing on disk.

The agencies determined that LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges. “When compiled, LockBit 3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt data saved to any local or remote device but skips files associated with core system functions. After files are encrypted, LockBit 3.0 drops a ransom note with the new filename and changes the host’s wallpaper and icons to LockBit 3.0 branding,” they added. 

If needed, LockBit 3.0 will send encrypted host and bot information to a command and control (C2) server. Once completed, LockBit 3.0 may delete itself from the disk, as well as any Group Policy updates that were made, depending on which options were set at compilation time.

The advisory revealed that LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0; rclone, an open-source command line cloud storage manager; and publicly available file sharing services, such as MEGA, to exfiltrate sensitive company data files before encryption. “While rclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also be used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0 affiliates often use other publicly available file sharing services to exfiltrate data as well,” it added.

LockBit affiliates have been observed using various freeware and open-source tools during their intrusions, the agencies disclosed. These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. The use of PowerShell and Batch scripts is observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed, they added.
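As an added example (not code from the advisory or this article), the following sweep over process-creation command lines looks for the post-access behaviours the advisory lists: shadow copy and event log deletion, automatic log-on persistence, rebooting into Safe Mode, PsExec over SMB, and rclone or MEGA exfiltration. The command-line patterns and the sample log lines are constructed assumptions drawn from common Windows tooling, not indicators published in the advisory.

```python
import re
from typing import List, Tuple

# Each rule names a LockBit 3.0 behaviour described in the advisory and a
# command-line pattern (an assumption, not an advisory IOC) that typically
# accompanies it in Windows process-creation telemetry.
RULES = [
    ("shadow copy deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("event log clearing", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("automatic log-on persistence", re.compile(r"winlogon.*autoadminlogon", re.I)),
    ("safe mode reboot", re.compile(r"bcdedit(\.exe)?\s+.*safeboot", re.I)),
    ("PsExec/SMB lateral movement", re.compile(r"psexe(c|svc)(\.exe)?\b", re.I)),
    ("rclone exfiltration", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("MEGA file sharing", re.compile(r"mega(\.nz|cmd|sync)\b", re.I)),
]


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, behaviour) pairs for every rule that fires.

    One line can trigger several rules; benign lines produce nothing.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((number, name))
    return hits


# Constructed sample of process command lines; the first six and the last one
# mirror the behaviours above, the two in between are ordinary activity.
SAMPLE_LOG = [
    r"cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    r"wevtutil.exe cl Security",
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f',
    r"bcdedit.exe /set {default} safeboot network",
    r"C:\Windows\PSEXESVC.exe",
    r"rclone.exe copy D:\finance remote:share --transfers 32",
    r"powershell.exe Get-Process",
    r"svchost.exe -k netsvcs",
    r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe",
]

if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOG):
        print(f"line {number}: {name}")
```

Each hit is a starting point for triage, not a verdict: administrators also run vssadmin and PsExec, so the value lies in several of these firing on one host within a short window.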

The FBI, CISA, and MS-ISAC called upon organizations to implement the recommendations, such as prioritizing remediating known exploited vulnerabilities, training users to recognize and report phishing attempts, and enabling and enforcing phishing-resistant multi-factor authentication to reduce the likelihood and impact of ransomware incidents.

The mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs.

Cybersecurity firm Trellix identified the LockBit 3.0 ransomware group as ‘most impactful’ in its Q4 2022 Threat Overview. It also added that the LockBit 3.0 leak site reported the most victims among ransomware groups in the quarter, making LockBit the most eager to pressure their victims through naming and shaming.

The group ranked second, alongside Cuba ransomware, among the most reported ransomware groups by the security industry, as analyzed by the various campaigns collected by the Threat Intelligence Group. Lastly, LockBit 3.0 ranked third among the most prevalent ransomware groups in the quarter according to the ransomware telemetry analysis gleaned from Trellix’s global sensors.

Earlier this week, these agencies warned organizations that multiple cyber threat actors, including an Advanced Persistent Threat (APT) actor, exploited a .NET deserialization vulnerability in the Progress Telerik user interface for ASP.NET AJAX. Exploitation of the vulnerability allowed malicious hackers to execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server.
