LockBit probably doesn’t need much of an introduction. You’ve probably seen the abundant ReliaQuest reporting on one of the most effective—and undoubtedly most prolific—ransomware groups operating today. Our recent ransomware quarterly blog named LockBit as, overwhelmingly, the most active group in the first three months of 2023. This was a continuation of what we observed in 2022, with LockBit leading from the front in terms of ransomware activity.
So, LockBit securing that position again doesn’t come as a surprise; check out the group’s activity over the past 12 months in Figure 1.
Figure 1: Number of company listings posted to LockBit’s data leak site: March 2022–March 2023
June 2022’s dip in activity coincided with the rollout of the LockBit 3.0 ransomware-as-a-service operation. As with any major operational or process change, there is inevitably turmoil and, possibly, reduced output. Other dips occurred in November 2022—likely linked to a law-enforcement operation targeting a Russian-Canadian LockBit member—and in December 2022 and January 2023 (coinciding with the festive holidays). But even at reduced capacity, LockBit can turn over dozens of victims per month, and it shows no signs of slowing down.
The Attack: From SocGholish to Encryption
ReliaQuest investigated an incident involving the LockBit ransomware in 2022. Initial access was achieved through a SocGholish infection. Following this, Cobalt Strike was loaded onto the host and a command-and-control (C2) channel was established. The threat actor moved laterally in the network through a combination of Cobalt Strike and Remote Desktop Protocol (RDP). After a few days of movement, LockBit obtained credentials for a service account with domain administrator permissions.
Then began a period of more than two months of inactivity, for no clear reason. One theory relates to the timing of the intrusion: within a day of the Russian invasion of Ukraine. Geopolitical tension in the region was high, including among cybercriminal groups and individuals. This tension may have been a factor in the long dormancy.
After the dormant period, LockBit returned and resumed its operation by continuing to cement a foothold in the environment. The group moved laterally to additional high-value servers via RDP, and compromised additional administrator-level accounts.
Next, LockBit began staging the encryptor file and a copy of PsExec on a network share. A new Group Policy Object (GPO) was created to launch and execute a Batch (BAT) file via a scheduled task. The BAT file attempted to halt specific processes and services, such as antivirus or endpoint detection and response (EDR), as well as stop the backup service and delete Volume Shadow Copies. It copied the encryptor and PsExec from the network share, then used PsExec to execute the encryptor. Finally, it was set to clear all entries from the event logs using wevtutil.
One notable technique was LockBit’s compromise of an account with administrator-level privileges in the organization’s EDR console, and its use to deregister the EDR sensors on every host in the environment. With defenses fully disabled, a GPO update was pushed, setting off encryption throughout the environment.
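The BAT-file chain described above (service stops, shadow-copy deletion, payload copied from a share, PsExec execution, event-log clearing) is a useful detection pattern because each step alone is routine admin activity, but several on one host in one deployment are not. As an added illustration (not ReliaQuest's code or detection content), the following Python applies that logic to constructed process-creation records; the host names, share paths, service name and command lines are all assumed sample data.

```python
import re
from collections import defaultdict

# Constructed (host, command line) records standing in for Sysmon event ID 1 /
# Windows 4688 process-creation data; not telemetry from the original incident.
SAMPLE_EVENTS = [
    ("srv01", r"cmd.exe /c \\fileshare\staging\deploy.bat"),
    ("srv01", r"net stop BackupSvc"),
    ("srv01", r"vssadmin.exe delete shadows /all /quiet"),
    ("srv01", r"copy \\fileshare\staging\enc.exe C:\Temp\enc.exe"),
    ("srv01", r"psexec.exe -s C:\Temp\enc.exe"),
    ("srv01", r"wevtutil.exe cl Security"),
    ("ws02", r"wevtutil.exe qe Application /c:5"),  # benign log query, must not fire
    ("ws02", r"net use Z: \\fileshare\public"),      # benign share mapping, must not fire
]

# (MITRE technique from the write-up, or None where the mapping is not one-to-one;
#  human label; pattern over the command line)
RULES = [
    ("T1059", "batch file launched from a network share",
     re.compile(r"\bcmd(\.exe)?\s+/c\s+\\\\\S+\.bat\b", re.I)),
    ("T1562", "service stop (AV/EDR/backup)",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\b", re.I)),
    ("T1490", "shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    (None, "executable copied from a network share",
     re.compile(r"\bcopy\s+\\\\\S+\.exe\b", re.I)),
    (None, "PsExec execution of a staged binary",
     re.compile(r"\bpsexec(\.exe)?\s", re.I)),
    ("T1070", "event log clearing",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
]


def match_rules(cmdline):
    """Return the labels of every rule that fires on one command line."""
    return [label for _tech, label, pat in RULES if pat.search(cmdline)]


def stages_per_host(events):
    """Map each host to the set of distinct chain stages observed on it."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host].update(match_rules(cmdline))
    return dict(seen)


def flag_hosts(events, min_stages=3):
    """Hosts where at least min_stages distinct stages fired: the combination, not any
    single command, is what distinguishes the deployment script from admin work."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)
```

In production the same grouping would be keyed on host plus a short time window rather than the whole event list, and the GPO creation and scheduled-task registration would be correlated as earlier stages.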
ReliaQuest observed the following MITRE ATT&CK techniques in this incident.
- Command and Scripting Interpreter, Technique T1059
- Compromise Accounts, Technique T1586
- Data Encrypted for Impact, Technique T1486
- Domain Policy Modification, Technique T1484
- Impair Defenses, Technique T1562
- Indicator Removal, Technique T1070
- Inhibit System Recovery, Technique T1490
- Network Share Discovery, Technique T1135
- Remote Desktop Protocol, Sub-technique T1021.001
- Valid Accounts, Technique T1078
Lessons Learned (and How ReliaQuest Can Help)
ReliaQuest responds to ransomware incidents and tracks activity across the various data-leak websites. This comprehensive coverage puts us in an ideal position to identify changes across the ransomware landscape, enhancing visibility and managing the risk associated with ransomware.
GreyMatter can assist with detecting and remediating ransomware. Because phishing is one of the most common means of entry to a ransomware attack, the most effective entry control is a block on phishing attempts via a robust email security gateway, configured to your business requirements. We can support the analysis of phishing attempts detected after the “click,” or “flagged” by a trained user and forwarded to a “phishing email” box. This can assist with phishing attempts that escape even the best email gateways.
If initial email entry controls fail, EDR controls are your next measure to stop the initial exploitation and subsequent spread within an environment. ReliaQuest ensures that your EDR tools and threat intelligence capabilities are in sync and up to date, because rapid detection reduces the potential impact—and overall risk. In addition, we can assess the “health” of your EDR tools and determine what steps are needed to tune your content most effectively.
Although EDR tools may be able to block ransomware and/or send an alert that ransomware has hit a system, you still need to investigate and identify the root cause of the infection, to ensure it doesn’t recur. ReliaQuest provides this crucial support through our investigation and incident support capabilities.
If all else fails, subsequent phishing attempts can be automatically mitigated via GreyMatter’s automation plays. Examples include blocking malicious email domains, banning hashes, deleting files, or quarantining hosts.
Because ransomware groups can adapt their TTPs to an organization’s controls or defenders’ actions, it is important to have a robust defense in depth (DiD) strategy to reduce the likelihood and impact of a ransomware attack at multiple stages.