Lockbit Ransomware

Lockbit is a ransomware-as-a-service (RaaS) tool offered through a number of Russian-speaking hacking forums and dark web sites. First seen in September 2019, it has recently undergone a number of rapid changes to incorporate functionality from more well-known RaaS tools such as Sodinokibi and Maze, likely in an attempt to more effectively compete commercially with these tools.

Threat ID:: CC-3439
Category:: Ransomware
Threat Severity:: Medium
Threat Vector:
Published:: 30 April 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

At the time of publication, it is unclear how Lockbit is delivered, although it is likely that distribution is decided by its affiliate users.

Once installed, Lockbit uses a Windows User Account Control bypass to elevate its privileges. It then enumerates all running processes and services in order to terminate any that match a hard-coded list, before extracting any sensitive files using parameters set in another list. Lockbit then uses an unknown algorithm with an incredibly fast multi-threaded implementation to encrypt all non-system files.

Threat updates

Date	Update
6 May 2020	A new Lockbit campaign has been observed using an SMB module to laterally propagate across affected networks. After initial access was achieved via a brute-force attack on an unsecured VPN service, Lockbit began sending ARP requests to identify active systems on the same network, before attempting to connect to them over SMB. If successful, it deployed a PowerShell script to download a new copy of itself.

Date

Update

6 May 2020

A new Lockbit campaign has been observed using an SMB module to laterally propagate across affected networks. After initial access was achieved via a brute-force attack on an unsecured VPN service, Lockbit began sending ARP requests to identify active systems on the same network, before attempting to connect to them over SMB. If successful, it deployed a PowerShell script to download a new copy of itself.

Remediation steps

Type	Step
	If a device on your network becomes infected with ransomware it will begin encrypting files the logged-in user has permission to modify, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages. To reduce the likelihood of infection by ransomware, NHS Digital advises that: Secure configurations are applied to all devices. Security updates are applied at the earliest opportunity. Tamper protection settings in security products are enabled where available. Obsolete platforms are segregated from the rest of the network. IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments. Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts. Administrative accounts are only used for necessary purposes. Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations. Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible. To limit the impact of a ransomware infection, NHS Digital advises that: Critical data is frequently saved in multiple backup locations. At least one backup is kept offline at any time (separated from live systems). Backups and incident recovery plans are tested to ensure that data can be restored when needed. User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary. Infected systems are disconnected from the network and powered down as soon as practicable. Any user account credentials that may have been compromised should be reset on a clean device. Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

Type

Step

If a device on your network becomes infected with ransomware it will begin encrypting files the logged-in user has permission to modify, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

To reduce the likelihood of infection by ransomware, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

To limit the impact of a ransomware infection, NHS Digital advises that:

Critical data is frequently saved in multiple backup locations.
At least one backup is kept offline at any time (separated from live systems).
Backups and incident recovery plans are tested to ensure that data can be restored when needed.
User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
Infected systems are disconnected from the network and powered down as soon as practicable.
Any user account credentials that may have been compromised should be reset on a clean device.
Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

Indicators of compromise

Main indicators

URLs

lockbitkodidilol[.]onion
lockbitks2tvnmwk[.]onion

Email Addresses

ondrugs@firemail[.]cc

Filenames

Restore-My-Files.txt

SHA256 File Hashes

0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335
0f5d71496ab540c3395cfc024778a7ac5c6b5418f165cc753ea2b2befbd42d51
13849c0c923bfed5ab37224d59e2d12e3e72f97dc7f539136ae09484cbe8e5e0
15a7d528587ffc860f038bb5be5e90b79060fbba5948766d9f8aa46381ccde8a
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770
256e2bf5f3c819e0add95147b606dc314bbcbac32a801a59584f43a4575e25dc
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739
2b8117925b4b5b39192aaaea130426bda39ebb5f363102641003f2c2cb33b785
3f29a368c48b0a851db473a70498e168d59c75b7106002ac533711ca5cfabf89
410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677
4acc0b5ed29adf00916dea7652bcab8012d83d924438a410bee32afbcdb995cc
5b9bae348788cd2a1ce0ba798f9ae9264c662097011adbd44ecfab63a8c4ae28
6292c2294ad1e84cd0925c31ee6deb7afd300f935004a9e8a7a43bf80034abae
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997
83ab7a2bcac146db472f3b930c01af5b6d3d978ead7b14a9d0ac16e1a76e9f9d
9bc98d15f243257c1b5bca59464abe68c680cd5482ba9f5082201dde41a016cf
a03326ac8efa930e10091a374d40ddab9f7c2f12246d6ef7983bad93256f1f3a
a0085da4a920e92d8f59fefa6f25551655ca911382b5e34df76a9333ac8b7214
a08fbf01d02097094b725101309b2bf7fefc2e27724654b840b87e091aa5c9b9
a1360645cf3113715cc023d2e4cf9f6f3a6278abcf4499f0ba7cd76c82839eb0
c8205792fbc0a5efc6b8f0f2257514990bfaa987768c4839d413dd10721e8871
ce8559871b410e23057393eb2d9fb76ec902da2ff1f8006ad312c81852a41f6f
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877
ec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d
ffbb6c4d8d704a530bdd557890f367ad904c09c03f53fda5615a7208a0ea3e4d

Last edited: 29 June 2021 12:01 pm