LockBit

Global rank: 50
Month rank: 27
Week rank: 24
IOCs: 389

LockBit is a ransomware variant that encrypts data on infected machines and demands a ransom payment for decryption. It is used in targeted attacks and poses a significant risk to organizations.

Type: Ransomware
Origin: Ex-USSR
First seen: 15 September, 2019
Last seen: 3 June, 2023
Also known as: ABCD

IOCs

IP addresses
185.81.68.180
82.202.247.81
52.237.96.13
51.15.18.180
185.202.2.121
51.89.134.150
54.38.212.197
62.76.112.121
167.172.239.68
104.237.255.254
72.167.106.35
52.60.114.31
50.63.197.201
208.109.181.175
Hashes

Domains
lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion
saludparatodos.ssm.gob.mx
currentteach.com
newschools.info
traffichi.com
teka.com.mx
host.integrativehealthpartners.com
platform.windsorbongvape.ca
xen.hill-family.us
apps.weightlossihp.com
sikescomposite.com
panificiospinelli.it
wi.playergamer.net
icookeat.it
aipandpartners.it
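To put the indicators above to use, here is an added example (not ANY.RUN's code) that matches log lines against the IP addresses and domains listed on this page. The proxy/DNS log format and the sample lines are constructed assumptions; the hash indicators are not included because the page's hash list was not available.

```python
"""Check proxy/DNS log lines against the LockBit network IOCs listed above.
Added example; the log format and sample lines are constructed."""
import ipaddress
import re

# Indicators copied from the IOC list on this page. The page's hash list was
# not available, so only network indicators are used here.
LOCKBIT_IPS = frozenset({
    "185.81.68.180", "82.202.247.81", "52.237.96.13", "51.15.18.180",
    "185.202.2.121", "51.89.134.150", "54.38.212.197", "62.76.112.121",
    "167.172.239.68", "104.237.255.254", "72.167.106.35", "52.60.114.31",
    "50.63.197.201", "208.109.181.175",
})
LOCKBIT_DOMAINS = frozenset({
    "lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion",
    "lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion",
    "lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion",
    "lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion",
    "lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion",
    "zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion",
    "saludparatodos.ssm.gob.mx", "currentteach.com", "newschools.info",
    "traffichi.com", "teka.com.mx", "host.integrativehealthpartners.com",
    "platform.windsorbongvape.ca", "xen.hill-family.us", "apps.weightlossihp.com",
    "sikescomposite.com", "panificiospinelli.it", "wi.playergamer.net",
    "icookeat.it", "aipandpartners.it",
})

_HOSTNAME = re.compile(r"^[a-z0-9.-]+$")


def _strip_port(token):
    """Drop a trailing :port from host:port tokens (e.g. proxy CONNECT targets)."""
    host, sep, port = token.rpartition(":")
    return host if sep and port.isdigit() else token


def classify_token(token):
    """Return ("ip", ioc) or ("domain", ioc) when a token matches an indicator,
    otherwise None. Domains match exactly or as a subdomain of a listed domain."""
    value = _strip_port(token.strip(".,;")).lower()
    try:
        ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        pass
    else:
        return ("ip", value) if value in LOCKBIT_IPS else None
    if not _HOSTNAME.match(value):
        return None
    for domain in LOCKBIT_DOMAINS:
        if value == domain or value.endswith("." + domain):
            return ("domain", domain)
    return None


def match_iocs(lines):
    """Scan log lines and return one hit per line that contains an indicator."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for token in line.split():
            found = classify_token(token)
            if found:
                kind, ioc = found
                hits.append({"line": lineno, "kind": kind, "ioc": ioc, "raw": line})
                break
    return hits


# Constructed sample log: timestamp, client, record type / method, target.
SAMPLE_LOG = [
    "2023-06-03T10:15:02Z 10.0.0.5 DNS A saludparatodos.ssm.gob.mx",
    "2023-06-03T10:15:09Z 10.0.0.5 DNS A www.example.com",
    "2023-06-03T10:16:00Z 10.0.0.7 CONNECT 185.81.68.180:443 200",
    "2023-06-03T10:16:31Z 10.0.0.9 CONNECT 93.184.216.34:443 200",
    "2023-06-03T10:17:45Z 10.0.0.5 DNS A mail.teka.com.mx",
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['kind']} {hit['ioc']} <- {hit['raw']}")
```

Subdomain matching is deliberate: several of the listed domains are compromised legitimate hosts, so a lookup for any name under them is worth a look. Treat a match as a lead to investigate rather than proof of compromise, since shared hosting IPs in particular age quickly.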

What is LockBit ransomware?

LockBit is a ransomware strain and also the name of the hacker group behind it. It mostly targets Windows computers, but it can also encrypt files on Linux and, more recently, macOS machines. It is one of the biggest ransomware threats out there, accounting for about a third of all Ransomware-as-a-Service (RaaS) attacks.

Similar to threats such as REvil/Sodinokibi, LockBit works on a Ransomware-as-a-Service model. The main group sells access to the ransomware on underground forums, where they advertise it as the "fastest encryption software in the world." This business model, much like a franchise, has let LockBit grow its operations. Some estimates even suggest that this threat is behind 40% of all ransomware attacks.

Both large and small organizations are potential targets of a LockBit attack. For instance, in February 2023, LockBit was implicated in an incident involving Royal Mail, where the adversaries demanded a staggering $80 million ransom. However, the average demand from this group is considerably lower, around $85,000. This implies that while LockBit can be involved in high-profile attacks on large enterprises, it primarily targets small to medium-sized businesses.

LockBit, like many threats thought to originate from former USSR territories, avoids attacking victims near its likely home base. It verifies the language setting of the infected machine and aborts the attack if the setting is Russian, Romanian, Tatar, or, intriguingly, Arabic.

LockBit promotes itself as an "ethical ransomware gang." Its code of conduct restricts both the core group and its affiliates from targeting healthcare organizations, charities, or social services. Ransom demands are flexibly adjusted based on the victim, with the group typically asking for what they believe is a “fair” amount given the damage caused and the victim's ability to pay.

However, if a victim fails to meet their demands, LockBit doesn't hesitate to release the stolen sensitive data on their portal, which they host on the Tor network.

Interestingly, LockBit maintains its own website, which is rather professional-looking. This is indicative of a highly organized ransomware operation. They even run a bug bounty program — the only ransomware crew to do so.

Image: LockBit ransomware website offers a bug bounty program

Unsurprisingly, however, the reliability of the LockBit crew's promises leaves much to be desired. A notable instance occurred when the crew issued a challenge on the popular cybersecurity forum Xss[.]is, offering to pay $1,000 to anyone bold enough to permanently tattoo the ransomware's logo.

Some individuals ill-advisedly participated and were subsequently tricked. The LockBit crew publicly revealed all of their Bitcoin wallets shortly after this audacious marketing stunt concluded.

LockBit ransomware version history

Since its initial detection in 2019, LockBit has undergone several iterations to enhance its malicious capabilities.

The first significant update, known as LockBit 2.0 or LockBit Red, was released in mid-2021. The next substantial upgrade occurred in June 2023. This version, referred to as LockBit 3.0 or LockBit Black, introduced the ability to accept additional parameters for specific operations in lateral movement, as well as the capability to reboot into Safe Mode.

Additionally, unless an affiliate has a passwordless build of LockBit 3.0, a password parameter must be supplied when the ransomware is executed.

As of this writing, researchers suspect that LockBit is on the verge of its most significant shift in target selection since its initial detection. Researchers have discovered what they believe to be test versions of encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs. These encryptors contain references to VMware ESXi and a list of Windows file extensions and folders, all of which are out of place on a macOS device. Furthermore, the code crashes due to a buffer overflow bug, suggesting it is still a work in progress.

LockBit's public representative later confirmed that a macOS encryptor is indeed under active development. Given these findings, it appears probable that a new major version of LockBit will be released soon, capable of targeting a significantly broader range of devices.

LockBit ransomware technical details

Once LockBit secures its initial foothold in a system, it typically launches its operations via the command line. It accepts file paths or directory parameters to selectively encrypt targets. In certain scenarios, this ransomware can also carry out its attack via scheduled tasks or using the post-exploitation tool, PowerShell Empire.

LockBit also uses tools like Mimikatz to gather additional credentials, widening its potential impact. To evade detection, it employs GMER, PC Hunter, or Process Hacker to disable security products. Additionally, it's been observed disabling Windows Defender by altering Group Policy settings.

In addition, LockBit employs tools like Network Scanner, Advanced Port Scanner, and AdFind for discovery purposes. It uses these to enumerate connected machines, aiming to find Domain Controllers or Active Directory servers — high-value targets for ransomware deployment.

The ransomware facilitates lateral movement within the network by self-propagating via SMB connections using acquired credentials. Tools like PsExec or Cobalt Strike are occasionally used for this task.

Data is often exfiltrated using cloud storage tools like MEGA or FreeFileSync, or through the StealBit malware. Following exfiltration, the ransomware payload initiates an encryption routine, affecting both local and network data. LockBit employs AES for file encryption, with the AES key subsequently encrypted using RSA. A classic indicator of a LockBit attack is the replacement of the desktop wallpaper with a ransom note and an insider or affiliate recruitment statement.

LockBit ransomware execution

In the initial phase of its operation, LockBit escalates privileges. The now-elevated process then uses built-in Windows tools to run a sequence of steps that prevent data recovery. It subsequently clears the event logs, after which the file encryption process begins.
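The pre-encryption chain just described (recovery inhibition, log clearing) and the Defender tampering through Group Policy mentioned under technical details are the steps a SOC can catch before any file is touched. The following is an added example, not ANY.RUN's code: a small rule set run over constructed Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) events. The page does not name the built-in Windows tools involved, so the commands and registry values matched here (vssadmin, bcdedit, wbadmin, wevtutil and the Windows Defender policy values) are assumptions, as are the event field names and the placeholder binary name lb.exe.

```python
"""Flag the recovery-inhibition, log-clearing and Defender-tampering steps in
Sysmon-style events. Added example; event shape and sample events are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

I = re.IGNORECASE


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                 # MITRE ATT&CK technique id
    field: str                     # event field the pattern is applied to
    pattern: re.Pattern
    details: Optional[re.Pattern] = None   # extra constraint on the "Details" field

    def matches(self, event):
        if not self.pattern.search(event.get(self.field, "")):
            return False
        return self.details is None or bool(self.details.search(event.get("Details", "")))


RULES = [
    # Built-in Windows tools typically used to make recovery impossible (T1490).
    # The page only says "built-in Windows tools"; these specific commands are assumed.
    Rule("shadow_copy_deletion", "T1490", "CommandLine",
         re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", I)),
    Rule("boot_recovery_disabled", "T1490", "CommandLine",
         re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", I)),
    Rule("backup_catalog_deleted", "T1490", "CommandLine",
         re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", I)),
    # Event log clearing (T1070.001).
    Rule("event_log_cleared", "T1070.001", "CommandLine",
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", I)),
    # Defender switched off through policy registry values (T1562.001). Only a
    # value of 1 disables it, so the written data is checked as well.
    Rule("defender_disabled_by_policy", "T1562.001", "TargetObject",
         re.compile(r"\\Policies\\Microsoft\\Windows Defender\\"
                    r"(DisableAntiSpyware|Real-Time Protection\\DisableRealtimeMonitoring)$", I),
         re.compile(r"0x0*1\)$")),
]


def evaluate(events):
    """Return one hit per (event, rule) pair that matches, in event order."""
    hits = []
    for index, event in enumerate(events):
        for rule in RULES:
            if rule.matches(event):
                hits.append({"index": index, "rule": rule.name, "technique": rule.technique,
                             "actor": event.get("ParentImage", event.get("Image", "?"))})
    return hits


def suspicious_actors(events, min_techniques=2):
    """Group hits by parent process. Several distinct techniques driven by one
    parent is the pre-encryption chain the text describes, not admin noise."""
    techniques = {}
    for hit in evaluate(events):
        techniques.setdefault(hit["actor"], set()).add(hit["technique"])
    return {actor: sorted(t) for actor, t in techniques.items() if len(t) >= min_techniques}


# Constructed sample events; lb.exe is a placeholder name for the ransomware binary.
PAYLOAD = r"C:\Users\Public\lb.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": PAYLOAD,
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": PAYLOAD,
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": PAYLOAD,
     "CommandLine": "wevtutil.exe cl Security"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": PAYLOAD,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    # Benign administrator activity that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "vssadmin list shadows"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print(suspicious_actors(SAMPLE_EVENTS))
```

Each rule on its own will fire on legitimate maintenance now and then; the correlation in suspicious_actors, which requires more than one technique from the same parent process, is what separates an intrusion from a backup administrator's afternoon.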

Image: the LockBit 1.0 process tree looks wild

It's important to note that LockBit ransomware exists in multiple active versions, and the sample we've analyzed is LockBit 1.0. Differences might be encountered when dealing with LockBit 3.0 or LockBit Black, as it is otherwise known.

LockBit ransomware distribution

LockBit ransomware employs an array of tactics and tools to infiltrate systems, typically leveraging affiliates who purchase access to targets from other cybercriminals. This access is often gained through phishing attacks, exploiting vulnerable applications, or brute-forcing Remote Desktop Protocol (RDP) accounts.

Initial access is commonly accomplished via compromised servers or RDP accounts, with insecure RDP or VPN credentials typically procured from affiliates or obtained through brute-force attacks. In some instances, LockBit takes advantage of vulnerabilities such as Fortinet VPN’s CVE-2018-13379.
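Brute-forced RDP accounts leave a loud trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 from one source, sometimes followed by a success (event 4624) from the same source. Below is an added example, not ANY.RUN's code, that detects both over constructed events. The one-line event format, the threshold and window, and the source addresses (taken from the RFC 5737 documentation ranges) are all assumptions.

```python
"""Spot RDP brute forcing, and a success that follows it, in Windows logon
events. Added example; the line format and the events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified, constructed renderings of Security log events 4625 (failed logon)
# and 4624 (successful logon). Logon type 10 is RemoteInteractive, i.e. RDP.
EVENT_RE = re.compile(
    r"^(?P<id>462[45]) (?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) logon_type=(?P<lt>\d+)$"
)


def parse_event(line):
    """Parse one constructed event line; return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"id": int(m["id"]), "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "user": m["user"].lower(), "logon_type": int(m["lt"])}


def detect_rdp_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert once when a source reaches `threshold` RDP failures inside `window`,
    and again when that same source later logs on successfully."""
    events = [e for e in map(parse_event, lines) if e and e["logon_type"] == 10]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> timestamps of failures inside the window
    users = defaultdict(set)       # src -> account names tried
    flagged = set()
    alerts = []
    for e in events:
        src = e["src"]
        if e["id"] == 4625:
            failures[src].append(e["ts"])
            users[src].add(e["user"])
            while e["ts"] - failures[src][0] > window:   # slide the window forward
                failures[src].pop(0)
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "rdp_bruteforce", "src": src,
                               "failures": len(failures[src]), "users": sorted(users[src])})
        elif e["id"] == 4624 and src in flagged:
            alerts.append({"type": "rdp_success_after_bruteforce", "src": src, "user": e["user"]})
    return alerts


# Constructed sample: 15 spray-style failures in 15 seconds from 203.0.113.5,
# then a success from the same host; and a user who mistypes twice then gets in.
_SPRAY = ["administrator", "admin", "backup", "sql", "test"] * 3
SAMPLE_EVENTS = [
    f"4625 2023-06-01T02:00:{sec:02d} src=203.0.113.5 user={user} logon_type=10"
    for sec, user in enumerate(_SPRAY)
] + [
    "4624 2023-06-01T02:00:40 src=203.0.113.5 user=backup logon_type=10",
    "4625 2023-06-01T09:15:00 src=198.51.100.7 user=alice logon_type=10",
    "4625 2023-06-01T09:15:30 src=198.51.100.7 user=alice logon_type=10",
    "4624 2023-06-01T09:16:02 src=198.51.100.7 user=alice logon_type=10",
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second alert type is the one worth paging on: a success from a source that was just brute forcing is a credential that now needs resetting and a session that needs terminating, which is exactly the foothold the paragraph above describes.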

LockBit ransomware: conclusions

Given its prevalence, LockBit ranks as a high-priority ransomware threat for cybersecurity professionals. It indiscriminately targets both small businesses and large corporations, provided the attackers deem the potential victim to be fair game.

Most concerning is LockBit's recent development of a macOS encryptor. This evolution could position LockBit as the first major ransomware operation to heavily target Apple devices. This shift could be particularly lucrative, as some Apple users mistakenly believe they are inherently protected from malware on macOS and may not maintain the same level of vigilance as those operating on Windows or Linux systems.

Considering LockBit's attack history and our analysis of this threat, it's highly probable that it will remain a significant player in the ransomware landscape. Analyze LockBit in ANY.RUN to establish a robust defensive framework and counter this threat.
