Advanced Persistent Threat Group Profile: LockBit

As part of ClearDATA’s 24/7×365 efforts to protect healthcare organizations throughout the United States, we proactively cooperate with government agencies to stay apprised of the latest cyber criminal efforts to attack American healthcare networks. In addition to our close partnerships with government agencies to defend against cyber threats, our Managed Defense teams source data from our fleet of hundreds of healthcare clients to aggregate actionable intelligence that can protect the community as a whole.

In the interest of protecting and promoting American healthcare cybersecurity, below is our recent Healthcare Threat Advisory on LockBit, shared with the ClearDATA network of customers.

Intelligence Disclaimer: This intelligence report has been prepared by ClearDATA for intelligence purposes. Intelligence analysis contained within the report is based on information derived from open-source reporting, ClearDATA internal data, and client data. Reference to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement or recommendation by ClearDATA.

Summary:

As of November 2022, numerous reports indicated a shift in the threat makeup of the ransomware space, with the Conti ransomware group seemingly lowered in activity level (due to a combination of public exposure and pressure from law enforcement), creating an effective power vacuum.

This power balance shift has been observed by security researchers, with the biggest beneficiary observed being the ransomware group LockBit. Cybercrime intelligence company Intel 471 released a quarterly security report detailing findings that laid out LockBit as the most prominent ransomware variant of the quarter.[1] This report detailed the vacuum left in the wake of Conti’s exodus from the ransomware ecosystem, and the way in which LockBit supplanted that position.

Group Breakdown:

LockBit is the evolution of the group known as ABCD Ransomware (or the .abcd virus) that has been active as of 2019. The group has displayed ties to many prominent Russian and Eastern European ransomware and cybercriminal gangs. Early TTP’s linked the group to similar groups active in the cybercrime ecosystem, such as Sodinikibi, Conti, Ryuk, and other groups.

The emergence of LockBit occurred in or around September 2019, with the group receiving the moniker the “.abcd virus” due to the name of the file that was used in encrypting victim files. The ransomware is known commonly for formulating ransom demands in exchange for decryption of impacted files, with a focus on organizations and entities rather than individuals, a philosophy and practice held by many Ransomware-as-a-Service (RaaS) groups.[2] Law enforcement has drawn connections between LockBit and malware families “LockerGoga” and “MegaCortex,” due to shared behavior and TTPs by the ransomware families.[3]

Unlike other groups within the ransomware ecosystem, both security researchers and law enforcement have encountered difficulties with identifying the makeup and major actors within LockBit. Historically within Russian and Eastern European ransomware groups, there are many overlaps in personnel among various related groups. This can manifest in overlap from lower-level actors, to include developers, financial administrators, and leadership, as well as the use of TTPs, exploitation techniques, and malware variations across those malware groups.

While little insight has been gained into the group and group dynamics, dark web forum VX Underground (a self-described haven or library for “hackers”) uploaded the transcript of an interview conducted between VX Underground and the alleged administrator and founding member of LockBit. While the veracity of this interview and its claims are unconfirmed at this time, the claims (if true) provide a level of insight into the group that to this point, has not been attained within the non-governmental intelligence space.

The alleged LockBit administrator (LBA) claimed that the group had been established in early September 2019, with a small team that the unknown actor had already established, as he has been active in the ransomware scene prior to LockBit. The LBA claimed that his team currently consists of 10 members and around 100 affiliates, consisting of pentesters, developers, money launderers, testers, and negotiators, and that there has been minimal turnover in that team between the initial LockBit launch and LockBit’s most recent iteration, LockBit 3.0.

LBA further discussed practices in onboarding affiliates, TTPs practiced regarding the usage of money mules and money laundering, at which point LBA claimed to own five separate restaurants (three in China and two in New York) and to use them for some of his money laundering operations. While this interview is unverified, there is a degree of familiarity with operations of ransomware groups, and with LockBit specifically that lends credence to his authenticity.[4]

As of June 2022, it is likely that the Conti ransomware group withdrew from the active ransomware threat space due to a variety of factors. The primary factor began with the commencement of the Ukrainian/Russian conflict earlier in the year, when on 25 February 2022, Conti issued a public release on its public facing site (ContiNews) stating the group firmly supported the actions of the Russian government, and President Vladimir Putin.  Due to the variety of nationalities in the group (common within many Eastern European/Russian based or aligned cybercriminal groups), there was an effective schism between the Ukrainian-aligned and Russian-aligned members within the group, with the group quickly rescinding its endorsement.[5]

This came too late however, as Ukrainian security researchers leaked thousands of documents, detailing a variety of details, dynamics, TTPs, and methodologies utilized within the group.[6] This, combined with external pressure on the group from law enforcement, led to a major shift in power dynamics within the ransomware landscape.

According to a report published by Intel 471 in late 2022, the most prominent variant within the third quarter was LockBit 3.0, with over 190 documented attacks conducted by the organization (three times more than the second ranked variant, Black Basta). Most heavily impacted countries were the United States, France, Italy, Taiwan, and Canada.[7] Additionally, according to a quarterly report release by Digital Shadows, LockBit 3.0 accounted for 40% of all ransomware victims in September 2022 alone, displaying a steady increase of growth over the course of 2022. [8], [9], [10]

Tactics, Threats & Procedures (TTP’s):

Some of the defining characteristics of LockBit have been the target selection of the group and improvements made to both code and the way the group has operated. This manifests itself in the way that LockBit utilizes common penetration testing tools, victim negotiation, or exploits utilized. Additionally, LockBit 3.0 has been noted by security researchers as sharing similarities with ransomware families such as BlackMatter, DarkSide, and BlackCat.

Builder code for LockBit 3.0 that was leaked in September 2022 also has the potential to impact future RaaS activity. Due to the reverse engineering efforts witnessed on various malware forums, there is significant possibility of code reuse and the development of new ransomware variants based on LockBit 3.0. Both of these factors may potentially contribute to increased activity or further adaptation from LockBit, as well as rival threat actors leveraging such new variants.[11]

LockBit 3.0 has been a challenge for security researchers since its release, primarily because each instance of the malware requires a unique password to run, without which analysis is extremely difficult or impossible. The malware is heavily protected against analysis and makes use of a substantial number of undocumented kernel level Windows functions.

As of November 2022, there are no decryption tools for LockBit 3.0, increasing its threat value. Security researchers from the NCC Group Cyber Incident Response Team conducted analysis on the TTPs utilized by Lockbit 3.0 actors during a ransomware attack. Attackers were observed gaining initial entry via a malware-laced file containing SocGholish malware to download and execute Cobalt Strike.[12]

After initial entry and installation, a batch script was installed that was responsible for both the uninstallation of Sophos and disablement of Windows Defender, actions congruent with previous iterations of LockBit’s TTPs. Steps observed by researchers after these were also consistent with the TTP’s utilized by other Ransomware-as-a-Service (RaaS) groups. This includes lateral movement with Remote Desktop Protocol (RDP) and Cobalt Strike for Command and Control (C2), data exfiltration, and ransomware deployment.[13]

One of the primary differences between LockBit 3.0 and other ransomware variations has been noted in their ransom negotiations. While LockBit conducts their operations similarly to other ransomware groups within the ransomware ecosystem (reconnaissance, deployment, lockdown, negotiation, payment), one of the defining differences lies within the ransom demand and negotiations itself. The actual note left for victims is lengthier than most notes left by other groups and threatens to release victim data if the ransom is not paid, also known as double extortion.

With European/European-adjacent victims, the victims are often threatened that if a ransom is not paid and data is released into the public space, that LockBit’s release of the data would violate the European Union’s General Data Protection Regulation (GDPR) and subject the victims to further financial consequences from law enforcement.

LockBit 3.0 ransom notes also contain a variety of Onion servers and Tor2Web proxies as insurance against the takedown of LockBit TOR infrastructure by law enforcement. Additionally, LockBit 3.0 heavily utilizes Cobalt Strike payloads, delivered to targeted systems via Windows Defender command line tool: MpCmdRun.exe.[14], [15], [16], [17]

Analysis and Summary:

ClearDATA assessments with medium to high confidence (see Confidence Statement Disclaimer) that LockBit will attempt to target healthcare and healthcare-aligned organizations due to the propensity to acquire significant amounts of PHI (Protected Health Information) and PII (Personally Identifiable Information) from successful cybercriminal operations.

While LockBit is an Eastern European cybercriminal group, there are no indications on whether there is a level of cooperation with Russian state intelligence services as observed with many other Russia-based cybercriminal organizations. Due to the intrinsic financial motivation of the group, this leads to the heavy utilization of ransomware variants with heavy overlap in TTP’s and technical framework and coding.

Additionally, data exfiltration is an extremely profitable method of attack for nation states, which can provide another factor of motivation for such attacks against the healthcare sector. LockBit has been known to use a range of TTP’s from across the cybercriminal community in their attacks, particularly BlackMatter, DarkSide, and BlackCat.

Confidence Statement Disclaimer: The confidence statement issued in the “analysis and summary” statement is based on three predetermined standards of analytic judgement that drive ClearDATA analysis listed as follows:

High confidence: Certainly, most likely, etc. Based off multiple intelligence sources, tools, trustworthy source(s), previous pattern of behavior/activity, or minimal assumptions and strong logical reasoning.

Medium confidence: Likely, probably, etc. Based off partial collaboration/confirmation from one or more sources, previously positive results from sources or tools, or low amounts of assumptions.

Low confidence: Possibly, may or may not, etc. Based off unverified or new sources or tools, multiple assumptions exist, or multiple sources contain contradictory information.

Proactively Defending Against Malicious Cyber Actors

Threat intelligence is invaluable for healthcare organizations to preemptively secure their IT infrastructure and networks. For more information on threat vectors that may be jeopardizing the integrity of your healthcare organization’s cyber defenses, or for professional assistance to secure against potential threats, contact our team of healthcare cybersecurity experts.

[1] Open Source | Intel 471 | Leading Ransomware Variants Q3 2022 | (Link) | 24 October 2022 | October 2022.

[2] Open Source | Kaspersky | The Biggest Ransomware Threats | (Link) | 28 October 2022 | 20 October 2021.

[3] Open Source | Kaspersky | LockBit ransomware — What You Need to Know | (Link) | 31 October 2022 | 09 February 2022.

[4] Dark Web Forum | VX Underground | LockBit Administrator Interview | (Link) | 07 November 2022.

[5] Open Source | Reuters | Russia-based ransomware group Conti issues warning to Kremlin foes | (Link) | 07 November 2022 | 25 February 2022.

[6] Open Source | Bleeping Computer | Conti ransomware’s internal chats leaked after siding with Russia | (Link) | 07 November 2022 | 27 February 2022.

[7] Open Source | Intel 471 | Leading Ransomware Variants Q3 2022 | (Link) | 24 October 2022 | October 2022.

[8] Open Source | Digital Shadows | Ransomware In Q3 2022 | (Link) | 07 November 2022 | 19 October 2022.

[9] Open Source | CSO | With Conti gone, LockBit takes lead of the ransomware threat landscape | (Link) | 07 November 2022 | 20 October 2022.

[10] Open Source | Reseller News | With Conti gone, LockBit takes lead of the ransomware threat landscape | (Link) | 16 November 2022 | 23 October 2022.

[11] Open Source | VM Ware| LockBit 3.0 Ransomware Unlocked | (Link) | 15 November 2022 | 15 October 2022.

[12] SocGholish (aka FakeUpdates) is an initial access threat delivered via social engineering attacks. SocGholish has been active since April 2018, and is extensively linked to the Russia-based APT, Evil Corp.

[13] Open Source | NCC Group | Back in Black: Unlocking a LockBit 3.0 Ransomware Attack | (Link) | 15 November 2022 | 19 August 2022.

[14] Open Source | Trend Micro | LOCKBIT, CONTI, AND BLACKCAT LEAD PACK AMID RISE IN ACTIVE RAAS AND EXTORTION GROUPS | (Link) | 15 November 2022 | 23 May 2022.

[15] Open Source | VM Ware| LockBit 3.0 Ransomware Unlocked | (Link) | 15 November 2022 | 15 October 2022.

[16] Open Source | BlackBerry | LockBit 3.0 Ransomware Abuses Windows Defender to Load Cobalt Strike | (Link) | 16 November 2022 | 03 August 2022.

[17] Open Source | ars Technica | LockBit, the new ransomware for hire: A sad and cautionary tale | (Link) | 16 November 2022 | 01 May 2020.

Thank you for subscribing!