A new advisory from a consortium of international organizations, including the Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center, details incidents involving LockBit, the most prevalent ransomware since 2022, and recommends mitigations. The growing numbers of hybrid workers are creating even more vulnerabilities, with smaller companies particularly vulnerable.
- What is LockBit?
- How does LockBit’s kill chain differ from other RaaS players?
- Saul Goodman of the dark web: LockBit’s act is faux legit
- Pay-to-play model lowers the barrier to entry
- LockBit’s global reach
- Information dumped on data leak sites is not the whole picture
- How to defend against LockBit
- Mitigations for other events in the LockBit kill chain
What is LockBit?
LockBit — a ransomware-as-a-service operation that has extorted $91 million from some 1,700 attacks against U.S. organizations since 2020, striking at least 576 organizations in 2022 — gives customers a low-code interface for launching attacks.
The cybersecurity advisory noted that LockBit attacks have impacted the financial services, food, education, energy, government and emergency services, healthcare, manufacturing and transportation sectors.
How does LockBit’s kill chain differ from other RaaS players?
The advisory, which uses the MITRE ATT&CK Matrix for Enterprise framework as a basis for understanding LockBit’s kill chain, reports the operation differs from other RaaS players because it:
- Allows affiliates to receive ransom payments first before sending a cut to the core group, while other RaaS groups pay themselves first.
- Disparages other RaaS groups in online forums.
- Engages in publicity-generating stunts.
- Features a low-skill, point-and-click interface for its ransomware.
Saul Goodman of the dark web: LockBit’s act is faux legit
In a May 2023 study on the professionalization of ransomware, cybersecurity firm WithSecure noted the RaaS model LockBit uses is a service-oriented system; just like legitimate software: it creates tools, infrastructure and operating procedures — “playbooks” — and sells access to these tools and services to other groups or individuals.
SEE: Tools are improving, but so are cyberattacks, per a Cisco study (TechRepublic)
Sean McNee, the vice president of research and data at internet intel firm DomainTools, said the LockBit group continuously updates the software, as a legitimate operation would, even releasing a bug bounty program for the software.
“As the ransomware-as-a-service model continues to evolve, we see groups competing for top affiliates to their services,” he said, adding that LockBit has worked to increase the scope and breadth of attacks through professionalization around their affiliate network, including actively advertising in online forums.
Operators like LockBit are quickly adapting and pivoting to new business opportunities to leverage the disruption in the ransomware space to their advantage. This is a trend we fear will continue in 2023.”
Pay-to-play model lowers the barrier to entry
“The RaaS system lowers the barrier to entry, allowing new entrants to the scene to benefit from the expertise of established actors while also allowing established actors to take a cut of the profits of all of the customers who are using their service,” said the authors of the WithSecure paper, including the firm’s threat intelligence analyst Stephen Robinson.
“As is the case with legitimate service providers, the possible profits are much higher — individuals’ time can only be sold once, whereas expertise is packaged as a service, it can be sold repeatedly without particularly increasing costs,” wrote the WithSecure paper authors.
While WithSecure’s report noted, as did the advisory, that LockBit affiliates pay a fee for access to the source group and the source group takes a percentage of any ransom paid, the operators’ attacks, modus operandi and targets vary greatly.
LockBit’s global reach
In the U.S. last year, LockBit constituted 16% of state and local government ransomware incidents reported to the MS-ISAC, including ransomware attacks on local governments, public higher education and K-12 schools and emergency services.
SEE: Ransomware attacks skyrocket (TechRepublic)
The cybersecurity advisory noted that, starting last April through the first quarter of this year, LockBit made up 18% of total reported Australian ransomware incidents, and that it was 22% of attributed ransomware incidents in Canada last year.
WithSecure’s May 2023 ransomware study noted that LockBit’s major victims in Europe included the German auto-parts manufacturer Continental, the U.S. security software company Entrust and the French technology company Thales.
Information dumped on data leak sites is not the whole picture
Since LockBit engages in double extortion-style attacks, in which attackers using the ransomware both lock databases and exfiltrate personally identifiable information with threats to publish unless paid, data leak sites are a prominent element in the threat group’s RaaS exploits. The advisory reported 1,653 alleged victims on LockBit leak sites through the first quarter of 2023.
In addition, the advisory noted that, because leak sites only show the portion of LockBit victims subjected to extortion who refuse to pay the primary ransom to decrypt their data, the sites reveal only a slice of the total number of LockBit victims.
“For these reasons, the leak sites are not a reliable indicator of when LockBit ransomware attacks occurred,” said the advisory’s authors, noting the data dump onto leak sites may happen months after the ransomware attacks that generated the information.
WithSecure noted that LockBit, in June 2020, began the “Ransom Cartel Collaboration” with fellow groups Maze and Egregor, which included the sharing of leak sites.
How to defend against LockBit
The advisory’s authors suggested organizations take actions that align with a set of goals developed by CISA and the National Institute of Standards and Technology, constituting minimum practices and protections. In the advisory, the suggestions are listed by kill chain tactic as delineated by MITRE ATT&CK, with the earliest point in the kill chain appearing first.
The advisory pointed to three main kill chain events:
- Initial access, where the cyber actor is looking for a way into a network.
- Consolidation and preparation, when the actor is attempting to gain access to all devices.
- Impact on target, where the actor is able to steal and encrypt data and then demand ransom.
To address mitigating initial access, the advisory suggested organizations use sandboxed browsers to protect systems from malware originating from web browsing, noting that sandboxed browsers isolate the host machine from malicious code.
The authors also recommended requiring all accounts with password logins to comply with NIST standards for developing and managing password policies. Among the other initial access mitigations recommended by the authors:
- Apply filters at email gateways to filter out malicious emails and block suspicious IPs.
- Install a web app firewall.
- Segment networks to prevent the spread of ransomware.
Mitigations for other events in the LockBit kill chain
- Develop and regularly update comprehensive network diagrams.
- Control and restrict network connections.
- Enable enhanced PowerShell logging.
- Ensure PowerShell instances are configured to the latest version and have module, script block and transcription logging enabled.
- Turn on the PowerShell Windows Event Log and the PowerShell Operational Log with a retention period of at least 180 days.
- Configure the Windows Registry to require User Account Control approval for any PsExec operations requiring administrator privileges.
- Disable command-line and scripting activities and permissions.
- Enable Credential Guard to protect your Windows system credentials.
- Implement Local Administrator Password Solution where possible if your OS is older than Windows Server 2019 and Windows 10.
- Apply local security policies to control application execution with a strict allowlist.
- Establish an application allowlist of approved software applications and binaries.
- Restrict NTLM use with security policies and firewalling.
- Disable ports that are not being used for business purposes.
- Identify Active Directory control paths and eliminate the most critical among them.
- Identify, detect and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
Command and control
- Implement a tiering model by creating trust zones dedicated to an organization’s most sensitive assets.
- Organizations should consider moving to zero-trust architectures. VPN access should not be considered a trusted network zone.
- Block connections to known malicious systems by using a Transport Layer Security proxy.
- Use web filtering or a Cloud Access Security Broker to restrict or monitor access to public file-sharing services.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location.
- Maintain offline backups of data and regularly maintain backup and restoration daily or weekly at the minimum.
- Ensure all backup data is encrypted, immutable and covers the entire organization’s data infrastructure.