By Suleyman Ozarslan, PhD August 22, 2022 Ransomware

LockBit is an infamous ransomware group known for its technically complex and impactful ransomware variants. Formerly known as the ABCD group, LockBit uses the Ransomware-as-a-Service model and bug bounty programs to distribute and improve ransomware. LockBit claims to be the fastest encrypting ransomware in the RaaS market and is used by many affiliated threat actors. LockBit uses the double extortion method to pressure its victims to pay the ransom. Accenture, the French Ministry of Justice, and Bangkok Airways were notable victims of LockBit ransomware attacks.

Metadata

Associated Groups	Aliases - ABCD, Bitwise Spider, Water Selkie Affiliates - UNC2165
Associated Country	Russia
First Seen	September 2019
Target Sectors	Education, Energy, Financial Services, Government, Healthcare, Legal, Manufacturing, Retail, Technology,Telecommunication, Transportation
Target Countries	United States, Italy, Australia, Brazil, France, India, Mexico, Morocco, Taiwan, United Arab Emirates, United Kingdom

Modus Operandi

Business Models	Ransomware-as-a-service (RaaS) Double Extortion Initial Access Brokers (IABs) Cooperation with other groups (e.g., Maze) Company Insiders Criminal Bug Bounty
Extortion Tactics	File Encryption Data Leakage
Initial Access Methods	Exploit Public-Facing Application Phishing
Impact Methods	Data Encryption Data Exfiltration

Exploited Applications and Vulnerabilities by LockBit

Application	Vulnerability	CVV	CVSS
Microsoft Exchange	ProxyShell RCE	CVE-2021-34473	9.8 Critical
Microsoft Exchange	ProxyShell Privilege Escalation	CVE-2021-34523	9.8 Critical
Microsoft Exchange	ProxyShell Security Feature Bypass	CVE-2021-31207	7.2 High
F5 BIG-IP	iControl REST API RCE	CVE-2022-22986	8.8 High
Fortinet FortiGate SSL VPN	Path Traversal	CVE-2018-13379	9.8 Critical
SonicWall SSLVPN	SQL Injection	CVE-2021-20028	9.8 Critical

Utilized Tools and Malware by LockBit

MITRE ATT&CK Tactic	Tools
Execution	PowerShell PowerShell Empire PSExec Windows Task Scheduler Windows Command Shell
Persistence	Reg.exe
Privilege Execution	UACme
Defence Evasion	GMER GPEdit.msc Invoke-GPUpdate mshta Process Hacker wewtutil
Credential Access	Comsvcs.dll Minidump Hakops Keylogger Mimikatz
Discovery	ADfind.exe Advanced Port Scanner PsGetSi
Lateral Movement	PSExec
Command and Control	AnyDesk Metasploit Meterpreter
Exflitration	Mega StealBit infostealer malware
Impact	LockBit ransomware Vssadmin BCDEdit

[1] S. Özarslan, “MITRE ATT&CK T1086 PowerShell.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1086-powershell (accessed Jul. 06, 2022).
[2] “GitHub - EmpireProject/Empire: Empire is a PowerShell and Python post-exploitation agent,” GitHub. https://github.com/EmpireProject/Empire (accessed Jul. 06, 2022).
[3] “PsExec - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (accessed Jul. 06, 2022).
[4] S. Özarslan, “MITRE ATT&CK T1053 Scheduled Task.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-1053-scheduled-task (accessed Jul. 06, 2022).
[5] H. C. Yüceel, “T1059 Command and Scripting Interpreter of the MITRE ATT&CK Framework.” https://www.picussecurity.com/resource/t1059-command-and-scripting-interpreter-of-the-mitre-attck-framework (accessed Jul. 06, 2022).
[6] S. Özarslan, “MITRE ATT&CK T1060 Registry Run Keys / Startup Folder.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1060-registry-run-keys-startup-folder (accessed Jul. 06, 2022).
[7] “GitHub - hfiref0x/UACME: Defeating Windows User Account Control,” GitHub. https://github.com/hfiref0x/UACME (accessed Jul. 06, 2022).
[8] “GMER - Rootkit Detector and Remover.” http://www.gmer.net (accessed Jul. 06, 2022).
[9] “Website.” [Online]. Available: https://raw.githubusercontent.com/DISREL/Conti-Leaked-Playbook-TTPs/main/Conti-Leaked-Playbook-TTPs.pdf
[10] JasonGerend, “Invoke-GPUpdate.” https://docs.microsoft.com/en-us/powershell/module/grouppolicy/invoke-gpupdate (accessed Jul. 06, 2022).
[11] H. C. Yüceel, “T1218 Signed Binary Proxy Execution of the MITRE ATT&CK Framework.” https://www.picussecurity.com/resource/t1218-signed-binary-proxy-execution-of-the-mitre-attck-framework (accessed Jul. 06, 2022).
[12] P. Hacker, “Process Hacker.” https://processhacker.sourceforge.io (accessed Jul. 06, 2022).
[13] H. C. Yüceel, “Lockbit 2.0 Ransomware: TTPs Used in Emerging Ransomware Campaigns.” https://www.picussecurity.com/resource/lockbit-2.0-ransomware-ttps-used-in-emerging-ransomware-campaigns (accessed Jul. 06, 2022).
[14] S. Özarslan, “MITRE ATT&CK T1003 Credential Dumping.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping (accessed Jul. 05, 2022).
[15] “HAKOPS Keylogger 16 - 12.04.2018,” TurkHackTeam, Apr. 12, 2018. https://www.turkhackteam.org/konular/hakops-keylogger-16-12-04-2018.1699779/ (accessed Jul. 06, 2022).
[16] “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).
[17] “AdFind.” http://www.joeware.net/freetools/tools/adfind/index.htm (accessed Jul. 06, 2022).
[18] “Advanced Port Scanner – free and fast port scanner.” https://www.advanced-port-scanner.com (accessed Jul. 06, 2022).
[19] “PsGetSid - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid (accessed Jul. 06, 2022).
[20] “The Fast Remote Desktop Application –,” AnyDesk. https://anydesk.com/en (accessed Jul. 06, 2022).
[21] “Metasploit,” Metasploit. https://www.metasploit.com/ (accessed Jul. 06, 2022).
[22] “MEGA.” https://mega.io/ (accessed Jul. 06, 2022).
[23] F. Fkie, “StealBit (Malware Family).” https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit (accessed Jul. 06, 2022).
[24] H. C. Yüceel, “MITRE ATT&CK T1490 Inhibit System Recovery - The Ransomware’s Favorite.” https://www.picussecurity.com/resource/mitre-attck-t1490-inhibit-system-recovery-the-ransomwares-favorite (accessed Jul. 06, 2022).

LockBit Ransomware Gang

Emerging Threat

Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained

Emerging Threat

Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign

Emerging Threat

CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained

Emerging Threat

Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A

Emerging Threat

CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure

Emerging Threat

CVE-2024-38063: Remote Kernel Exploitation via IPv6 in Windows

Emerging Threat

RansomHub Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-242A

Emerging Threat

Pioneer Kitten: Iranian Threat Actors Facilitate Ransomware Attacks Against U.S. Organizations

Emerging Threat

Andariel: North Korean APT Group Targets Military and Nuclear Programs

Platform

I want to

Use Cases

Frameworks

RESEARCH

LEARNING

RESOURCES

LEARNING

COMPANY

PARTNERS

LockBit Ransomware Gang

Share this article:

Share this article:

Emerging Threat

Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained

Emerging Threat

Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign

Emerging Threat

CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained

Emerging Threat

Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A

Emerging Threat

CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure

Emerging Threat

CVE-2024-38063: Remote Kernel Exploitation via IPv6 in Windows

Emerging Threat

RansomHub Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-242A

Emerging Threat

Pioneer Kitten: Iranian Threat Actors Facilitate Ransomware Attacks Against U.S. Organizations

Emerging Threat

Andariel: North Korean APT Group Targets Military and Nuclear Programs

Get the Latest InsightsDelivered Straight to Your Inbox

Get the Latest Insights
Delivered Straight to Your Inbox