What is LockBit Ransomware?
LockBit is a type of ransomware that encrypts a victim’s files and demands payment in exchange for the decryption key. It first appeared in 2019 and has since become one of the most prevalent and dangerous ransomware variants.
The LockBit ransomware was initially known as “.abcd virus” because of the file extension it added to encrypted files. When the ransomware first emerged in 2019, it used the “.abcd” extension to indicate that a file had been encrypted by the malware.
The name “abcd” does not have any particular significance in relation to the ransomware’s behavior or origins. It was simply a way for the attackers to indicate that a file had been encrypted by the ransomware.
Over time, as the ransomware evolved and became more sophisticated, it was renamed to LockBit, which is a more descriptive name that reflects the ransomware’s ability to lock a victim’s files and demand payment in exchange for the decryption key.
It’s worth noting that the naming conventions of malware can sometimes be confusing, as different antivirus vendors or security researchers may use different names for the same piece of malware based on their own analysis and classification methods. In the case of LockBit, the name “.abcd virus” was an early identifier of the ransomware, but it is no longer in use.
Is LockBit Russian?
The LockBit ransomware gang is believed to have originated in Russia or Eastern Europe. However, it’s worth noting that the location of the ransomware gang’s origin is not necessarily an indication of the nationality or ethnicity of the individuals involved in the group.
How does LockBit ransomware work?
The LockBit ransomware group operates using a ransomware-as-a-service (RaaS) model, which means that they provide the ransomware software to other criminal groups who then carry out the attacks. These other criminal groups are referred to as “affiliates” or “customers” of the LockBit ransomware group.
The RaaS model allows the LockBit group to spread its ransomware far and wide without carrying out the attacks itself. This makes it harder for law enforcement to track down the group responsible for the attacks and increases the group’s profits through the sale of the ransomware software.
LockBit ‘Double Extortion’ Working Method
LockBit Double Extortion is a tactic used by the LockBit ransomware group to increase their chances of getting paid by victims. It involves not only encrypting a victim’s files, but also stealing sensitive data from the victim’s computer before encrypting it, and then threatening to release the stolen data if the victim does not pay the ransom.
Double extortion is a highly effective tactic for ransomware groups like LockBit because it increases the pressure on victims to pay the ransom. By stealing sensitive data and threatening to release it, the attackers can make the cost of not paying the ransom much higher than the cost of paying it.
Here’s how LockBit Double Extortion typically works:
- Infection: The ransomware is spread via phishing emails, malvertising, or other means of social engineering.
- Encryption: LockBit encrypts the victim’s files using advanced encryption algorithms.
- Data Theft: Before encrypting the victim’s files, LockBit steals sensitive data from the victim’s computer. This data can include things like financial records, intellectual property, and customer data.
- Ransom Note: After encrypting the victim’s files and stealing their data, LockBit displays a ransom note on the victim’s computer or desktop. The note typically demands payment in exchange for the decryption key and threatens to release the stolen data if the victim does not pay the ransom.
- Payment and Data Release: If the victim pays the ransom, LockBit provides them with a decryption key to unlock their files and promises to delete the stolen data. However, there is no guarantee that the attackers will actually delete the data or that it won’t be sold on the dark web.
Here’s how the affiliates to LockBit ransomware gang work:
- Access to the RaaS platform: To become an affiliate of the LockBit ransomware group, a criminal group must first gain access to the RaaS platform. This is typically done by contacting the group through a dark web forum or marketplace and requesting access. The LockBit group may then vet the prospective affiliate and provide them with access if they meet certain criteria.
- Customization of the ransomware: Once an affiliate has access to the RaaS platform, they can customize the ransomware to suit their needs. They can choose which files to encrypt, set the ransom amount, and decide on the payment method.
- Distribution of the ransomware: After customizing the ransomware, the affiliate can then distribute it to their intended targets. This is typically done via phishing emails, malvertising, or other means of social engineering.
- Payment collection: If the ransomware is successful and the victim pays the ransom, the affiliate will receive a percentage of the payment as their share. The rest of the payment goes to the LockBit ransomware group.
- Reporting: The affiliate is required to report back to the LockBit group on the success of the attack and the amount of the ransom payment collected. This helps the LockBit group track the performance of their affiliates and improve their ransomware software.
What are LockBit versions 1, 2 and 3?
The various versions of LockBit ransomware demonstrate the evolving tactics and capabilities of the LockBit group, as they continue to refine their techniques and stay ahead of security measures.
LockBit 1.0
The initial version of LockBit was first observed in 2019. It used an RSA-2048 encryption algorithm to encrypt victims’ files and demanded payment in Bitcoin. LockBit 1.0 also included features such as the ability to delete shadow copies and terminate various processes, making recovery more difficult.
LockBit 2.0 – Emergence of .ABCD ransomware
LockBit 2.0 was first observed in 2020 and featured several improvements over the original version. It used a more advanced encryption algorithm (ChaCha20) and added the ability to encrypt network shares. LockBit 2.0 also introduced a “friendlier” ransom note that attempted to create a sense of urgency and encourage victims to pay the ransom quickly.
Here are some technical details about LockBit 2.0 ransomware:
- Encryption: LockBit 2.0 uses the ChaCha20 encryption algorithm to encrypt the victim’s files. Each file is encrypted using a unique key, which is then encrypted with a master key and stored on the victim’s machine. The ransomware also modifies the file extensions by adding “.lockbit” to the end of the original extension, indicating that the file has been encrypted.
- Anti-analysis techniques: LockBit 2.0 uses several anti-analysis techniques to evade detection and analysis by security researchers. It checks for the presence of virtual machines and debugging tools and terminates them if found. It also uses code obfuscation techniques to hide its true functionality.
- Network encryption: LockBit 2.0 is capable of encrypting files on network shares, including those that are not mapped to a drive letter. This allows the ransomware to spread laterally across an organization’s network and encrypt a large number of files.
- Ransom note: LockBit 2.0 generates a ransom note named “DECRYPT-FILES.html” and places it in every folder containing encrypted files. The note contains instructions on how to pay the ransom and provides a unique Bitcoin address for each victim.
- Command and control (C2) infrastructure: LockBit 2.0 uses a distributed command and control (C2) infrastructure that is difficult to take down. The ransomware communicates with the C2 server using the Tor network, which anonymizes the communication and makes it difficult to trace the attackers.
LockBit 2.0 demonstrates the continued evolution of ransomware tactics and capabilities, as attackers seek to evade detection and maximize their profits through the use of advanced encryption and anti-analysis techniques.
LockBit 3.0
LockBit 3.0 is the latest version of the ransomware, which was first observed in late 2021. It includes even more advanced features, such as the ability to bypass Windows Defender antivirus software and exploit zero-day vulnerabilities. Alongside the introduction of a bug bounty program and Zcash payments, LockBit 3.0 also uses an even stronger encryption algorithm (XChaCha20) and has further improved its ability to encrypt network shares.
LockBit 3.0 is a variant of the LockBit ransomware family that appends the extension “HLJkNskOq” to the encrypted files. This extension is added to the end of the original filename, separated by a dot. For example, a file named “example.docx” would be encrypted and renamed to “example.docx.HLJkNskOq”.
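The file-system traces described above (the “.lockbit” extension and the per-folder “DECRYPT-FILES.html” note for LockBit 2.0, and the “.HLJkNskOq” extension for LockBit 3.0) are what an incident responder can sweep a share for after an alert. The following Python script is an added example written for this page, not code from the article or from any LockBit sample: it builds a small constructed directory tree that imitates a partially encrypted share, walks it, and reports which files carry a LockBit extension appended after the original extension, which folders hold a ransom note, and what fraction of folders contain a note. The indicator lists are taken only from the text above; the directory names, file contents and the `build_sample_tree` helper are constructed for the demo. Because affiliates customize the ransomware, a real sweep should load its extension and note-name lists from current threat intelligence rather than from these two hard-coded values.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional, Union

# Indicators named on the page. Constructed lookup tables; in practice they
# should be fed from an up-to-date threat-intel source, since affiliates can
# change the extension and note name when customizing the payload.
LOCKBIT_EXTENSIONS = {".lockbit", ".HLJkNskOq"}
LOCKBIT_NOTE_NAMES = {"DECRYPT-FILES.html"}


def classify_path(path: Union[str, Path]) -> Optional[str]:
    """Return 'encrypted_file', 'ransom_note' or None for one path.

    An encrypted file keeps its original extension and gets the ransomware
    extension appended after a dot (e.g. 'example.docx.HLJkNskOq'), so only
    the final suffix is compared against the indicator set.
    """
    path = Path(path)
    if path.name in LOCKBIT_NOTE_NAMES:
        return "ransom_note"
    if path.suffix in LOCKBIT_EXTENSIONS:
        return "encrypted_file"
    return None


def sweep(root: Path) -> Dict[str, object]:
    """Walk a tree and collect LockBit indicators.

    The note ratio is reported because the page says the note is dropped in
    every folder holding encrypted files: many folders with a note is a much
    stronger signal than one oddly named file.
    """
    encrypted = []
    note_dirs = set()
    dirs_seen = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        dirs_seen += 1
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in filenames:
            kind = classify_path(Path(dirpath) / name)
            if kind == "encrypted_file":
                encrypted.append((Path(rel_dir) / name).as_posix())
            elif kind == "ransom_note":
                note_dirs.add(rel_dir)
    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "note_ratio": len(note_dirs) / dirs_seen if dirs_seen else 0.0,
    }


def build_sample_tree() -> Path:
    """Create a constructed sample tree imitating a partially hit share."""
    root = Path(tempfile.mkdtemp(prefix="lockbit_demo_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    # Constructed placeholders: the bytes are zeros, not real ciphertext.
    (root / "finance" / "q1.xlsx.lockbit").write_bytes(b"\x00" * 16)
    (root / "finance" / "DECRYPT-FILES.html").write_text("<html>note</html>")
    (root / "hr" / "example.docx.HLJkNskOq").write_bytes(b"\x00" * 16)
    (root / "hr" / "DECRYPT-FILES.html").write_text("<html>note</html>")
    (root / "readme.txt").write_text("untouched file")
    return root


def demo() -> Dict[str, object]:
    """Build the sample tree, sweep it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return sweep(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed tree the sweep lists both encrypted files, both folders with a note, and a note ratio of 2/3 (two of three directories, the root being untouched). Extension matching is a coarse first pass: it gives a responder a scope estimate quickly, but it misses renamed notes and any extension not in the list, so the findings should be confirmed against file-modification timestamps and the process telemetry from the affected hosts.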