Ransomware Unlocking LockBit - A Ransomware Story

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred. Although these provide insight into the attacks, I wanted to know more about the human side of the operation to learn about the insights, motivations, and behaviors of the individuals on the other side of the keyboard. To prepare for this project, I spent months developing several online personas and established their credibility over time to gain access to the gang’s operation.
Over the months, I spent my time on criminal forums and private chat groups used by ransomware criminals and gained inside knowledge about the LockBit gang itself. I identified the accounts and infrastructure used by the gang and the criminals they interacted with. I could see the tools and resources used to manage and conduct attacks from the adversary’s perspective. More importantly, I learned about the opinions, personal habits, motivations, and insecurities of the human criminals behind the operation. Then, I took many of the public events and high-profile attacks to include theories previously made about the LockBit gang and tried to capture the side of this very interesting story.

Next, I will walk through the entire lifecycle of LockBit activity from September 2019 until January 2022. I will detail the gang’s criminal operation and add LockBit’s version of events to tell the story, as it has not been detailed before. In conducting this research and analysis, I found several mistakes made in attributing the early activities of the LockBit gang, which I will discuss. Finally, I will provide a complete intelligence assessment focused on my findings, open-source information, technical data, and human intelligence gained while profiling LockBit itself.

If you are not interested in the larger story, you may want to skip to the “Unmasking Lockbit” section near the end of this report for a summary of unique findings derived from the human intelligence I gained from my interactions with Lockbit. However, the screenshots and details surrounding each conversation are included throughout the body of the report itself in the order in which they took place.
 

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
547
Let's think a while about this:

The article mentions:

LockBit also included a feature, first seen used by Wizard Spider (Conti & Ryuk ransomware), a few months earlier, that leveraged a Wake-on-Lan feature that allowed attackers to boot systems powered off at the time of the attack.

and a little further on:

For example, before this feature existed, if a victim had servers storing backup data and was powered down at the time of infection, the attacker could not deploy the ransom payload to the offline server. Then, after the attack, the victim could boot the server and use it to restore data without paying a ransom. Now, with this feature, the adversary can ensure it infects all available systems in the target environment.

Obviously seems best to keep backups offline with no means for malware to power up the backup system. Maybe just disable Wake on LAN? Or maybe this victim backed up to drives on the production systems, thus not a true backup :unsure:
 
Last edited:

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,448
Obviously seems best to keep backups offline
This, at a minimum is part of the answer to Andy's puzzle, he also mentioned that the business "used only four systems to run their business" four systems? And while Dropbox and the like are convenient, perhaps there is a better solution in this scenario, encrypted external drives possibly. There are also ransomware protection solutions that keep encrypted backups in case of an incident.
 
Last edited:

Andrezj

Level 6
Nov 21, 2022
248
Obviously seems best to keep backups offline with no means for malware to power up the backup system.
of course, users should buy a dependable backup solution before anything else, but how many random\non-security geek users even know that windows itself has multiple backup features?
then they know nothing about backup strategies, let alone backup methods and configurations that protect against ransomware
"disaster recovery? what's that? i have antivirus installed."

This, at a minimum is part of the answer to Andy's puzzle, he also mentioned that the business "used only four systems to run their business" four systems?
the small business owner posted it on forum stating their small business has 4 computers and 2 were encrypted, and they had come to the forum seeking assistance
that is the source the article author refers to and is just one of a number of examples

And while Dropbox and the like are convenient, perhaps there is a better solution in this scenario, encrypted external drives possibly. There are also ransomware protection solutions that keep encrypted backups in case of an incident. Good challenge Andy (y)
i do not think you meant encryption will protect against ransomware, but just mentioning it for anyone who does not know
"Ransomware uses the current user's file system permissions to read the file, encrypt it using its own methods, then write the file back to the hard drive."
file system, file and disk encryption are not protection against ransomware - if the ransomware has file system access permissions
furthermore encrypted files in the cloud are not immune to ransomware because of localhost-to-cloud synchronization

the linked article is part of a series to promote the analyst1 threat intelligence platform
written by https://www.linkedin.com/in/jondimaggio executive at analyst1
whatever their motiviations, the article is accurate
 
Last edited:

piquiteco

Level 14
Oct 16, 2022
626
The best answer to that is backup, backup and backup. Macrium Reflect or Acronis will protect you! ;)
1674369902674.png
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Backups are required as essential protection. But, in targeted attacks, the backups can be compromised. The malware can wait until the network is fully compromised and then encrypt anything/anywhere.
Fortunately, the chances of such a scenario at home are extremely low.
 

piquiteco

Level 14
Oct 16, 2022
626
The malware can wait until the network is fully compromised and then encrypt anything/anywhere.
Ransomware can encrypt anything/anywhere? what do you mean any format? to your knowledge backup formats are not common like .doc, .txt, .png, etc... Each backup software has its own unique extension unless it is the target. I tested in a VM the backup file together with the photos, all files were encrypted except the backup file. Did I misunderstand or did I miss something here?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Ransomware can encrypt anything/anywhere? what do you mean any format?

Yes. In targeted attacks, one may use ransomware that can encrypt/destroy files with any chosen format. It can even change the content of the backup. This can depend only on how motivated is the attacker.
The maximum protection (against encryption/modification) can only provide backups that are non-writable.
 
Last edited:

wat0114

Level 11
Verified
Top Poster
Well-known
Apr 5, 2021
547
The maximum protection (against encryption/modification) can only provide backups that are non-writable.
I keep mine on an external hdd and unplugged when I'm finished taking an image using Macrium Reflect free.

I wonder, how did the attacker encrypt the victim's backups in their Dropbox account? Could the victim have already been logged into it when the attack occurred?
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Ransomware can encrypt anything/anywhere? what do you mean any format? to your knowledge backup formats are not common like .doc, .txt, .png, etc... Each backup software has its own unique extension unless it is the target. I tested in a VM the backup file together with the photos, all files were encrypted except the backup file. Did I misunderstand or did I miss something here?
One can add whatever extension to be attacked that amuses in the coding of ransomware and this can include the fruit of Backup/Imaging applications. In the case of Macrium, the file extension (.mrimg) can be included in the encryption routine (barely an inconvenience); although it would be successful in the Free version, the Home version will prevent such an attack on the backup (image) file.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I wonder, how did the attacker encrypt the victim's backups in their Dropbox account? Could the victim have already been logged into it when the attack occurred?

The victim does not have to be logged. It is only required that the attacker can log into this Dropbox account.
There is another danger. The ransomware does not have to use encryption at all (great chances to fool the AVs).
A few years ago I created a "Shakespeare ransomware" that easily bypassed several AVs (only for testing purposes). I simply used MS Office environment to replace the odd pages of documents with text taken from the Shakespeare drama. I wonder how big potential is hidden in the Library of Congress.
Of course, this would require uploading the documents or storing them in password-protected archives (encryption is more convenient).
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top