A Look Inside the LockBit Ransomware Gang

Ransomware continues to be one of the biggest and most damaging types of cyberattacks today, as gangs are always evaluating and updating their tactics to circumvent defenses. These types of attacks can be especially alarming when they target government agencies. Recently, the infamous LockBit ransomware gang launched an attack on the Italian tax agency (Agenzia delle Entrate), where it claims to have stolen 75GB of data – including company documents, financial reports, contracts, etc. The group plans to release screenshots of the files soon unless it receives an undisclosed amount from the agency.

So, who is LockBit and how do government agencies and other organizations defend against its attacks? Shawn Pope, one of Nuspire’s Threat Intelligence Analysts, gives us the scoop.

Tell me about the LockBit ransomware gang

The LockBit ransomware gang (also referred to as Bitwise Spider) is the criminal adversary responsible for the development of LockBit, LockBit 2.0 and newly released LockBit 3.0 (also called LockBit Black) ransomware, as well as the StealBit information stealer. The adversary claims to have been in operation since September 2019, and has largely gained popularity due to the launch of their LockBit 2.0 Ransomware-as-a-Service (RaaS) in June 2021. Bitwise Spider maintains a dedicated leak site (DLS) where affiliates correspond with victims, conduct negotiations, and access builders for LockBit’s RaaS tools and the StealBit information stealer.

Where is LockBit from?

It’s a great question, but unfortunately, we don’t know. Like most ransomware families, LockBit avoids Commonwealth of Independent States (CIS) countries. Does this mean they reside in those areas? It’s hard to say for certain. During an interview with a LockBit operator on Aug. 24, 2021, anonymity was mentioned many times, along with how important it is to their team.

Is there a way to recover files after being encrypted?

Let’s first look at LockBit’s encryption routine. It includes both local and network encryption, where it encrypts files using AES (Advanced Encryption Standard) and encrypts the AES key with RSA (Rivest-Shamir-Adleman) encryption. The AES key is generated using BCryptGenRandom. Operators have touted the speed at which they encrypt and exfiltrate data. For faster encryption, it only encrypts the first 4KB of a file and appends a file extension that depends on the LockBit version.

With that being said, there are no public or private options known at this point to decrypt and return files to working order.
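The head-only encryption described in that answer gives a responder a quick triage test: a file whose first 4KB looks random while the remainder still looks like ordinary document data is consistent with a 4KB-prefix encryption scheme. The Python below is an added example written for this page, not LockBit code and not tooling from Nuspire. The 4096-byte split is taken from the interview; the entropy thresholds and the sample "files" are constructed assumptions, and the high-entropy bytes are SHA-256 output standing in for AES ciphertext.

```python
import hashlib
import math
from collections import Counter

HEAD_BYTES = 4096      # prefix size quoted in the interview
HIGH_ENTROPY = 7.5     # bits/byte; AES output sits near 8.0 (assumed threshold)
MIN_GAP = 2.0          # head must beat tail by this much (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, head_bytes: int = HEAD_BYTES) -> dict:
    """Compare entropy of the first head_bytes with entropy of the remainder.

    Flags the head-random / tail-structured pattern. A file no longer than
    head_bytes has no tail to compare against, so it is never flagged here.
    """
    head, tail = data[:head_bytes], data[head_bytes:]
    h, t = shannon_entropy(head), shannon_entropy(tail)
    suspicious = len(data) > head_bytes and h >= HIGH_ENTROPY and (h - t) >= MIN_GAP
    return {"head_entropy": round(h, 2), "tail_entropy": round(t, 2),
            "partially_encrypted": suspicious}


def simulated_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for AES output (not a cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_samples() -> dict:
    """Constructed inputs: a plaintext ledger, the same ledger with its 4KB head
    overwritten, and a small file that would have been encrypted in full."""
    ledger = b"".join(b"Invoice %05d; amount due EUR 1000; status OPEN\n" % i
                      for i in range(400))
    head_hit = simulated_ciphertext(HEAD_BYTES) + ledger[HEAD_BYTES:]
    return {"clean_ledger": ledger,
            "head_encrypted_ledger": head_hit,
            "small_fully_encrypted": simulated_ciphertext(2048)}


def triage(samples: dict) -> dict:
    """Classify every sample; returns {name: classification}."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage(build_samples()).items():
        print(f"{name:24s} {result}")
```

Treat the flag as a triage signal, not proof: formats that are compressed or encrypted by design (zip, docx, jpeg, PDF with compressed streams) already have high-entropy heads, so pair this with magic-byte and extension checks and a known-clean baseline before drawing conclusions about a host.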

Should U.S. organizations, particularly government agencies, be worried about LockBit?

Referencing the same interview from August 2021, the operator described how they choose targets, what plays an important role in that choice, and which industries they prefer to avoid. They choose their targets based on the company’s capitalization – the more the better. They have no time or desire to prepare for an attack on a specific target, since there is always enough work to do without it.

An article from April 2022 mentions that the LockBit gang resided inside a regional U.S. government agency for almost five months before being detected. Although this doesn’t directly indicate a shift in LockBit’s targeting, it suggests that any industry vertical is a target, and that the gang will strike whenever a viable opportunity presents itself.

It has been stated that they prefer to avoid medical, educational, charitable and social services institutions.

What is the best defense against LockBit and other ransomware attackers?

There are a number of things organizations can do to shore up their defenses to protect against a ransomware attack:

  • Strong password implementation: Although LockBit typically buys access to previously compromised accounts before breach and encryption, that access is typically gained via brute force of remote desktop protocols (RDP) and remote access protocols. Strong password policies along with multi-factor authentication can help mitigate this threat.
  • System-wide backups and machine images: The only guarantee to return this data after encryption is to have an offline copy ready for restoration. Consider having multiple rotating backup points as well as periodic testing to ensure successful execution.
  • Endpoint visibility: Whether this comes from EDR or a SIEM solution ingesting Windows Event Logs/Sysmon, visibility into the environment is critical, not only when monitoring proactively for attacks, but also when reacting to a breach.
  • Patch management: Most adversaries will take the opportunistic approach, meaning looking for low-hanging fruit vulnerabilities to gain access to an environment. Patch management is critical and should be done regularly not only for the operating systems within your environment, but also any applications that are exposed to the internet.
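Two of the bullets above (brute force of RDP, and visibility through Windows Event Logs in a SIEM) combine into one concrete detection: a burst of failed RDP logons from a single source, escalated when a successful logon from that same source follows. The Python below is an added example, not Nuspire’s detection content. Event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows Security values; the flat record layout, the thresholds and every sample event are constructed for this demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failures per source IP inside the window (assumed tuning)
WINDOW = timedelta(minutes=5)    # sliding window length (assumed tuning)
RDP_LOGON_TYPE = 10              # Windows LogonType 10 = RemoteInteractive (RDP)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events):
    """Scan time-ordered logon events and return a list of alerts.

    events: iterable of dicts with keys ts, event_id, logon_type, src_ip, user
    (an assumed flat layout standing in for parsed Security-log records in a SIEM).
    >= FAIL_THRESHOLD 4625s from one IP within WINDOW -> 'medium';
    a 4624 from that IP while the burst is still inside WINDOW -> 'high'.
    """
    recent_fail = defaultdict(deque)   # src_ip -> timestamps of failures in window
    alerted = set()                    # IPs whose current burst already raised 'medium'
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                   # only RDP here; other logon types need their own rules
        ip, ts = ev["src_ip"], parse_ts(ev["ts"])
        q = recent_fail[ip]
        while q and ts - q[0] > WINDOW:
            q.popleft()                # expire failures that fell out of the window
        if len(q) < FAIL_THRESHOLD:
            alerted.discard(ip)        # burst is over; a new one may alert again
        if ev["event_id"] == 4625:
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and ip not in alerted:
                alerted.add(ip)
                alerts.append({"severity": "medium", "reason": "rdp_password_guessing",
                               "src_ip": ip, "failures": len(q), "ts": ev["ts"]})
        elif ev["event_id"] == 4624:
            if len(q) >= FAIL_THRESHOLD:
                alerts.append({"severity": "high", "reason": "rdp_guessing_then_success",
                               "src_ip": ip, "user": ev["user"],
                               "failures": len(q), "ts": ev["ts"]})
            q.clear()                  # a success closes the burst either way
            alerted.discard(ip)
    return alerts


def _ev(ts, event_id, logon_type, src_ip, user):
    return {"ts": ts, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "user": user}


# Constructed sample (documentation-range IPs, invented users), not a real log.
SAMPLE_EVENTS = [
    _ev("2022-07-25T02:00:01", 4625, 10, "203.0.113.45", "administrator"),
    _ev("2022-07-25T02:00:09", 4625, 10, "203.0.113.45", "administrator"),
    _ev("2022-07-25T02:00:17", 4625, 10, "203.0.113.45", "admin"),
    _ev("2022-07-25T02:00:25", 4625, 10, "203.0.113.45", "backup"),
    _ev("2022-07-25T02:00:33", 4625, 10, "203.0.113.45", "jsmith"),   # 5th failure: medium
    _ev("2022-07-25T02:00:41", 4625, 10, "203.0.113.45", "jsmith"),
    _ev("2022-07-25T02:02:30", 4624, 10, "203.0.113.45", "jsmith"),   # success after burst: high
    _ev("2022-07-25T02:10:00", 4625, 10, "10.0.0.20", "jsmith"),      # one typo, then
    _ev("2022-07-25T02:10:20", 4624, 10, "10.0.0.20", "jsmith"),      # a benign success
    _ev("2022-07-25T02:11:00", 4625, 3, "198.51.100.7", "svc_sql"),   # not RDP: ignored
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The "high" path is the one worth paging on: password spraying across many accounts from one address is noise until it lands. In production, also key on the 4625 SubStatus field to separate unknown-user guesses from wrong-password guesses, and remember the stronger fix from the list above is to not expose RDP to the internet at all.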
