Ransomware remains one of the most damaging categories of cyberattack, and the gangs behind it continually adjust their tactics to get past defenses. These attacks are especially alarming when they target government agencies. Recently, the infamous LockBit ransomware gang launched an attack on the Italian tax agency (Agenzia delle Entrate) and claims to have stolen 75 GB of data, including company documents, financial reports and contracts. The group says it will release screenshots of the files unless it receives an undisclosed sum from the agency.
So, who is LockBit and how do government agencies and other organizations defend against its attacks? Shawn Pope, one of Nuspire’s Threat Intelligence Analysts, gives us the scoop.
The LockBit ransomware gang (also tracked as Bitwise Spider) is the criminal adversary behind the LockBit, LockBit 2.0 and newly released LockBit 3.0 (also called LockBit Black) ransomware families, as well as the StealBit information stealer. The adversary claims to have been in operation since September 2019 and gained most of its popularity with the launch of its LockBit 2.0 Ransomware-as-a-Service (RaaS) in June 2021. Bitwise Spider maintains a dedicated leak site (DLS) where affiliates correspond with victims, conduct negotiations, and access the builders for LockBit's RaaS tools and the StealBit information stealer.
It's a great question, but unfortunately, we don't know. Like most ransomware families, LockBit avoids Commonwealth of Independent States (CIS) countries. Does this mean they reside in those areas? It's hard to say for certain. In an interview with a LockBit operator on Aug. 24, 2021, anonymity was mentioned many times, along with how important it is to their team.
Let's first look at LockBit's encryption routine. It covers both local and network encryption: files are encrypted with AES (Advanced Encryption Standard), and the AES key is in turn encrypted with RSA (Rivest-Shamir-Adleman). The AES key is generated with BCryptGenRandom, the Windows CNG random-number API. Operators have publicly touted how quickly the malware encrypts and exfiltrates data. To speed up encryption, it encrypts only the first 4 KB of each file and appends a file extension that varies by LockBit version. Overwriting only the head of a file still renders it unusable, since most file formats keep their headers in those first bytes, while cutting encryption time considerably.
With that being said, there is no known public or private decryptor at this point that returns files to working order.
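One practical consequence of the 4 KB head-only encryption described above is a recognizable footprint during incident-response triage: a file whose first 4 KB has ciphertext-like entropy while the rest still looks like plaintext. The script below is an added example (not Nuspire's code, and not LockBit's) that scans a directory for that signature by comparing Shannon entropy of the head and the tail of each file. The entropy thresholds, the sample files it builds (a constructed CSV report, a copy with its first 4 KB replaced by random bytes as a stand-in for AES ciphertext, and a fully random file standing in for a compressed archive) and the `.locked` placeholder suffix are all assumptions for illustration; only the 4 KB figure comes from the text.

```python
import math
import os
import tempfile
from collections import Counter

HEAD_LEN = 4096     # LockBit 2.0 encrypts only the first 4 KB of each file (from the text above)
HIGH_ENTROPY = 7.5  # bits/byte; assumed threshold typical of ciphertext or random data
LOW_ENTROPY = 6.0   # bits/byte; assumed ceiling for text, CSV, XML and other uncompressed data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def partial_encryption_profile(path: str) -> dict:
    """Entropy of the first HEAD_LEN bytes of a file versus everything after them."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_LEN)
        tail = fh.read()
    return {
        "path": path,
        "size": len(head) + len(tail),
        "head_entropy": shannon_entropy(head),
        "tail_entropy": shannon_entropy(tail),
    }


def looks_partially_encrypted(profile: dict) -> bool:
    """A high-entropy head on top of a low-entropy tail is the signature of
    head-only encryption. A file no longer than HEAD_LEN has no tail to compare
    (it would be fully encrypted anyway), so the heuristic declines to decide it;
    a fully random file (ciphertext or a compressed archive) is not flagged either."""
    if profile["size"] <= HEAD_LEN:
        return False
    return (profile["head_entropy"] >= HIGH_ENTROPY
            and profile["tail_entropy"] <= LOW_ENTROPY)


def scan_tree(root: str) -> list:
    """Walk a directory and return the profiles of files that look partially encrypted."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            profile = partial_encryption_profile(os.path.join(dirpath, name))
            if looks_partially_encrypted(profile):
                flagged.append(profile)
    return flagged


def build_sample_tree(root: str) -> dict:
    """Constructed sample data, not real victim files: a plaintext CSV report, the
    same report with its first 4 KB replaced by random bytes (a stand-in for AES
    ciphertext; the '.locked' suffix is a placeholder, not a real LockBit
    extension), and a fully random file standing in for a compressed archive."""
    report = b"".join(
        b"%06d,ACME S.p.A.,invoice,%09.2f EUR\n" % (i, i * 1.5) for i in range(2000)
    )
    samples = {
        "plain": (os.path.join(root, "report.csv"), report),
        "partial": (os.path.join(root, "report.csv.locked"),
                    os.urandom(HEAD_LEN) + report[HEAD_LEN:]),
        "random": (os.path.join(root, "backup.zip"), os.urandom(len(report))),
    }
    for path, content in samples.values():
        with open(path, "wb") as fh:
            fh.write(content)
    return {name: path for name, (path, _) in samples.items()}


def run_demo() -> dict:
    """Build the sample tree in a temporary directory, scan it, and report which
    sample was flagged. Expected: only the partially encrypted report."""
    with tempfile.TemporaryDirectory() as root:
        samples = build_sample_tree(root)
        flagged = {p["path"] for p in scan_tree(root)}
        return {name: path in flagged for name, path in samples.items()}


if __name__ == "__main__":
    print(run_demo())
```

Run against a suspect file share, the scanner gives responders a quick way to scope which files were touched and to distinguish head-only encryption from archives or already-compressed formats (JPEG, DOCX, ZIP), which are high-entropy end to end and therefore must not be flagged. The thresholds are deliberately conservative; tune them on known-good samples from the environment before relying on the output.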
Referencing the same interview from August 2021, the operator described how they choose targets, which factors play an important role, and which industries they prefer to avoid. Targets are chosen by company capitalization: the larger, the better. They have no time or desire to prepare an attack against a specific target, since there is always enough work to do without it.
An article from April 2022 reported that LockBit operators had been inside a regional U.S. government agency's network for almost five months before being detected. Although this does not by itself signal a shift in LockBit's targeting, it suggests that any industry vertical is a target and that the gang will strike whenever a viable opportunity presents itself.
It has been stated that they prefer to avoid medical, educational, charitable and social services institutions.
There are a number of things organizations can do to shore up their defenses to protect against a ransomware attack: