By Wesley Heltzel

Malware has been a persistent threat for over five decades, consistently adapting to technological advancements to inflict extensive damage. Initially manifesting as simple worms and viruses, malware has evolved into sophisticated tactics of destruction and disruption. In the present era, ransomware stands as a particularly formidable challenge to both businesses and governments.

Ransomware is a type of malicious software designed to encrypt files and systems, rendering them inaccessible to their original owners. The sole objective of ransomware is to extort money from victims by threatening to release sensitive information or destroy the encrypted data if payment is not made. Ransomware groups employ various extortion techniques to achieve their financial goals. The most common forms of extortion include single extortion, double extortion, and triple extortion. Single extortion involves encrypting all files from the victim’s system and issuing an ultimatum to pay the ransom or risk the complete destruction of the encrypted data, rendering it permanently inaccessible. This can result in significant financial losses for companies, as years of valuable data may be irrecoverably lost. Double extortion entails threatening to release sensitive and confidential information obtained from the victim’s system if payment is not made. This can lead to a loss of customer trust and a decline in business as customers fear the potential loss of their personal data. Triple extortion involves threatening to pursue third parties, such as customers or business partners, connected to the victim if payment is not made. This can result in further legal and reputational damage for the victim, as well as potential financial losses from lawsuits or legal settlements. The combination of these extortion techniques can result in a devastating attack on victims, causing significant financial losses, reputational damage, and potential legal consequences.

The Russia-affiliated ransomware group LockBit has become the most prolific ransomware of the modern day in part due to their Ransomware-as-a-Service (RaaS) model. Ransomware groups that use RaaS offer ransomware on dark web marketplaces to be used by attackers in exchange for some of the attackers' profits. This type of service model has become more prevalent as threat actors have discovered its usefulness when dispersing many attacks on small to medium-sized businesses. RaaS models typically succeed in attacking these businesses by giving their ransomware online in exchange for a part of the profits. Normally, this encourages less skilled individuals who cannot write their own ransomware to utilize that ransomware group’s ransomware in their own attacks. By doing this, the ransomware group gets a cut of the profits from low-skilled hackers called “script kiddies” as they attack small-scale businesses with poor cybersecurity practices while increasing the group's notoriety.

Ransomware organizations that use RaaS have a much deeper organizational structure than most might suspect. Ransomware groups such as LockBit typically consist of a back office, financial personnel, and public relations.[1] The back office consists of those responsible for the development of ransomware. This includes individuals who find the exploits (key vulnerabilities in a system that attackers can use to gain administrative access to the system), as well as developers who develop the ransomware and the platform the ransomware group publishes leaked data. Financial personnel are a key part of ransomware organizations as well. They are responsible for determining which victims are capable of the best payout for the effort it takes to perform the ransomware. Lastly, the most vital component of ransomware groups that use ransomware as a service is their public relations. Public relations’ primary job is to build trust, recruit individuals, and serve as a voice for the ransom group. Typically, they can scout for individuals who are prevalent on key hacking forums who have a long history of attacks or scout by offering payouts for hackers who find bugs in their ransomware so they can patch them. Each component of these organizations is essential for maintaining a successful operation for threat actors.

LockBit quickly made a name for itself, accounting for 11% of all ransomware activities from July 2020 – 2023.[1] LockBit’s RaaS model made it easy for less skilled individuals to launch ransomware attacks while gaining part of the profit as well as notoriety. LockBit’s approach to paying affiliates using their ransomware has also led to their significant growth. Rather than having all money go through the LockBit organization first and then dispersing it back to the affiliate like most other ransom groups, LockBit allows for the affiliate to first gain the money directly from the victim before transferring LockBit’s cut back to the organization.[2] This level of trust has helped lead to the surge of popularity for LockBit as a ransomware organization.

Technical Evolution

LockBit, initially detected as ABCD ransomware in September 2019, evolved into a more sophisticated ransomware variant. Its naming convention arose from its file extension “.abcd virus.” LockBit’s efficient encryption process set it apart. In September 2020, LockBit’s first iteration emerged and showcased its speed by encrypting victims’ files in under 5 minutes.[3] This efficiency rendered mitigation and quarantining of the malware difficult. LockBit 2.0 increased its encryption speed and obfuscation capabilities. LockBit 2.0 also gained the ability to disable Windows Defender. LockBit 3.0 continued to improve its encryption capabilities and further reduced its detectability. The most significant improvement in LockBit 3.0 was the development of a bug bounty program encouraging ransomware users to find and report vulnerabilities or bugs in the software in exchange for money.[4] The Bug Bounty program served as a recruitment tool for potential new members of LockBit’s team and helped improve the effectiveness of the ransomware. Lockbit 3.0 also became increaingly modular and more easily configurable. LockBit 3.0 can now smoothly change its behavior to achieve more tailored effects. This makes detection of the ransomware even more challenging as no two versions of LockBit are likely to be identical. LockBit 3.0 also introduced the use of passphrases to initiate program execution. Building in security into the malware hinders analysis and reverse engineering.[5]

Methods of attack

LockBit’s attack strategies for small to medium-sized companies differ from those of attackers who go after larger companies. LockBit users frequently use phishing to exploit companies with poor staff training with their use of the Phorpiex botnet to send mass phishing emails to employees.[6] By using the Phorpiex botnet, LockBit affiliates social engineer victims to disclose sensitive information while also ensuring that the ransomware is downloaded onto target systems.

LockBit affiliates continue to exploit unpatched vulnerabilities to successfully extort a range of organizations. Notably, LockBit 3.0 exploited the Citrix Bleed vulnerability, enabling the hacking group to gain initial access to Boeing. Citrix Bleed bypassed both passwords and two-factor authentication, allowing LockBit’s affiliates to gain access to a victim’s system without the necessary information. From there, threat actors gradually escalated their privileges through a process called lateral movement, gaining access to systems and facilitating the ransom payment. This exploit impacted the NetScaler Web App, a security tool that prevents security breaches.[7] This vulnerability underscored the inadequacy of relying some security tools to protect against ransomware organizations like LockBit. Organizations require continuous security interventions/mitigations to ensure that applications are regularly updated/patched and monitored.

LockBit has taken ransoms to another level and has been observed encouraging current employees of victim firms to install malware into the systems in exchange for a share of the profits from subsequent ransomware infection activities. In August 2020, a Russian national was apprehended when they attempted to recruit a Tesla employee to install LockBit 2.0 into Tesla’s systems.[8]

Operation Cronos

LockBit’s prevalence has been declining recently due to Operation Cronos, a dedicated campaign to dismantle the ransomware group. Law enforcement successfully identified 193 LockBit affiliates and began the process of targeting them for prosecution. This has undermined LockBit’s overall trustworthiness within criminal communities and led to a decline in the use of the malware.[9] International law enforcement collaboration thorugh Operation Cronos aided in the apprehension of many of the individuals behind and affiliated with the ransomware group. Although Operation Cronos has not entirely halted LockBit’s operations, it significantly reduced the organization’s trust among affiliates and led to a temporary substantial decline in the number of LockBit infections. Although Operation Cronos is considered a success its effect has not been total. LockBit ransomware use continues, albeit in a diminished state.

Final Thoughts:

As the ransomware landscape continues to evolve, it is likely ransomware organizations employing the Ransomware-as-a-Service model will continue to proliferate. The success of LockBit demonstrates the monetizable and dangerous nature of the ransomware-for-service model. By providing an avenue for inexperienced hackers to inflict substantial financial damage, LockBit has played a substantial role in shaping the ransomware landscape.

References:

[2] Flashpoint Intel Team, “LockBit Ransomware Inside the World’s Most Active Ransomware Group Updated.Pdf,” n.d., https://flashpoint.io/blog/lockbit/.

[3] Jim Walter & Aleksandar Milenkoski, “LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques,” July 21, 2022, https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/.

[4] Team, “LockBit Ransomware Inside the World’s Most Active Ransomware Group Updated.Pdf.”

[5] Milenkoski, “LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques.”

[6] D. Howard Kass, “LockBit Black Ransomware Bot Sprays ‘Millions of Messages,’” May 28, 2024, https://www.msspalert.com/news/lockbit-black-ransomware-campaign-spraying-millions-of-messages.

[7] CISA, “#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability,” November 27, 2024, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a.

[8] Lawrence Abrams, “LockBit Ransomware Recruiting Insiders to Breach Corporate Networks,” August 4, 2021, https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/.

[9] Christopher Boyton, “Unveiling the Fallout: Operation Cronos’ Impact on LockBit Following Landmark Disruption,” April 3, 2024, https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html.