Evolution of the LockBit Ransomware operation relies on new techniques

Pierluigi Paganini July 09, 2022

Experts documented the evolution of the LockBit ransomware that leverages multiple techniques to infect targets and evade detection.

The Cybereason Global Security Operations Center (GSOC) Team publishes the Cybereason Threat Analysis Reports, which investigate the threat landscape and provide recommendations for mitigating the attacks they describe.

The researchers focused on the evolution of the LockBit ransomware, detailing two infections that occurred at two very different points in time to highlight how the operation has evolved.

Cybereason researchers documented the evolution of the LockBit ransomware, which uses multiple techniques to infect target systems. The ransomware operators are refining their techniques for disabling Endpoint Detection and Response (EDR) tools and other security solutions.

“LockBit operates on a RaaS (Ransomware as a Service) model. The affiliates that use LockBit’s services conduct their attacks according to their preference and use different tools and techniques to achieve their goal. As the attack progresses further along the kill chain, the activities from different cases tend to converge to similar activities.” reads the analysis published by the experts.

The LockBit RaaS enables affiliates to use existing ransomware tools and infrastructure to carry out their own attacks, sharing a percentage of each payment with the operators.

In the first attack documented by the researchers, which took place in Q4 2021, the affiliates working with the LockBit gang used their own malware and tools to compromise the targets. In most of the infections analyzed by the researchers, the threat actors gained access to the target networks by exploiting a misconfigured service, in particular a publicly exposed RDP port.

Figure: LockBit 2.0 attack chain 1

“In other cases, affiliates would use a more traditional phishing email that will allow them to remotely connect to a network via an employee’s computer, or utilize malicious attachments, downloads, application patch exploits or vulnerabilities to gain access to a network.” continues the report.

Once the threat actors had established an initial foothold on the compromised network, they started reconnaissance and credential extraction using tools such as Mimikatz and Netscan.

The second infection detailed by the researchers took place in Q2 2022. The researchers described the various stages of the attack, from the initial compromise through lateral movement, persistence, privilege escalation, and the final ransomware deployment.

The attackers leveraged net.exe to create a domain account and elevate its privileges to "domain administrator," then used that account to maintain persistence and spread across the victim's network.

The researchers also noticed the use of Ngrok, a legitimate reverse proxy tool that lets the attackers open a tunnel to servers located behind firewalls, exposing internal services through the Ngrok cloud without any inbound firewall rule.
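The two steps just described, account creation and privilege escalation through net.exe and the start of an Ngrok tunnel, both leave a process-creation trail that a SOC can match on. The following added example is not code from Cybereason or from the report; it runs a small detection over constructed process-creation records in the shape of Sysmon Event ID 1 fields (host, user, image, command line). The host names, user names, the account name svc_backup and the command lines are all constructed for the example. It flags `net user ... /add`, additions to privileged groups, the chain of both by the same actor on the same host, and any ngrok.exe launch, and it also catches net1.exe, which net.exe delegates to and which attackers sometimes call directly to dodge rules that only look for net.exe.

```python
import re
from os.path import basename

# Group names whose membership changes deserve an alert (lowercased for matching).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# Constructed sample records, not taken from the report. Only the fields used below are kept.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup P@ssw0rd123 /add /domain"},
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" svc_backup /add /domain'},
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Users\alice\Downloads\ngrok.exe",
     "cmdline": "ngrok.exe tcp 3389"},
    {"host": "WS02", "user": "CORP\\bob", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net use Z: \\\\fileserver\\share"},          # benign drive mapping
    {"host": "WS02", "user": "CORP\\bob", "image": r"C:\Windows\System32\net1.exe",
     "cmdline": "net1 localgroup administrators"},             # enumeration only, no /add
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping a quoted group such as
    "Domain Admins" as one token and stripping the surrounding quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze(events):
    """Return a list of findings (dicts with a 'kind' key) for the given events."""
    findings = []
    created = {}  # (host, actor) -> set of account names that actor created there

    for ev in events:
        # basename() on a non-Windows host does not split on backslashes, so normalise first.
        image = basename(ev["image"].replace("\\", "/")).lower()
        toks = tokenize(ev["cmdline"])
        low = [t.lower() for t in toks]
        if not low:
            continue
        key = (ev["host"], ev["user"])
        base = {"host": ev["host"], "actor": ev["user"], "cmdline": ev["cmdline"]}

        if image in ("net.exe", "net1.exe") and len(low) >= 3 and "/add" in low:
            verb, target = low[1], toks[2]
            if verb == "user":
                findings.append({**base, "kind": "account_created",
                                 "account": target, "domain": "/domain" in low})
                created.setdefault(key, set()).add(target.lower())
            elif verb in ("group", "localgroup") and len(low) >= 4:
                member = toks[3]
                if target.lower() in PRIVILEGED_GROUPS:
                    findings.append({**base, "kind": "privileged_group_add",
                                     "group": target, "member": member})
                    # Same actor created the account and then promoted it: escalation chain.
                    if member.lower() in created.get(key, set()):
                        findings.append({**base, "kind": "escalation_chain",
                                         "account": member, "group": target})
        elif image == "ngrok.exe" or low[0] in ("ngrok", "ngrok.exe"):
            findings.append({**base, "kind": "ngrok_tunnel", "args": " ".join(toks[1:])})

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["kind"], "on", f["host"], "by", f["actor"], "->", f["cmdline"])
```

On the constructed events the analyzer produces four findings: the account creation, the Domain Admins addition, the escalation chain tying the two together, and the Ngrok launch; the drive mapping and the group enumeration produce nothing. In production the same logic would be fed from the EDR or SIEM process-creation stream, and the `escalation_chain` finding is the one worth paging on, since a freshly created account promoted to a privileged group by the same actor is rarely legitimate change management.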

The threat actors also infected additional machines in the target network with the malware "Neshta," a file infector that injects its malicious code into targeted executable files.

“At this point, the LockBit affiliate had completed all the necessary steps to execute the LockBit payload and commence encryption:

  • Persistence on the network through multiple infected machines
  • Access to top-privilege accounts
  • Collected and exfiltrated victim data
  • List of most assets through network discovery and scans” concludes the report.

Figure: LockBit 2.0 attack chain 2

The experts also shared Indicators of Compromise, along with a MITRE ATT&CK mapping.

Recently, the LockBit ransomware operation released LockBit 3.0, which introduces important novelties such as a bug bounty program, Zcash payments, and new extortion tactics. The gang has been active since at least 2019 and is today one of the most active ransomware gangs.
