ECI’s Ransomware Threat Profile on Lockbit 3.0

It’s no secret that it’s high season for ransomware, as organizations across industry face high-profile and ongoing attacks by three particularly virulent threats: the JanelaRAT remote access trojan and the BlackCat and LockBit 3.0 ransomware families. This blog takes a closer look at the intricacies and unique attributes of LockBit 3.0 as researched by ECI’s threat hunters and breaks down their advice for clients on how to identify and guard against this particular threat.

Lockbit’s Evolving Threat

Since its emergence in September 2019, LockBit has been one of the most prolific operations in the Ransomware-as-a-Service (RaaS) model, in which affiliates are recruited to conduct attacks using LockBit ransomware tooling and infrastructure in exchange for a share of the proceeds. The initial release was followed by LockBit 2.0 in 2021 and LockBit 3.0 (also tracked as LockBit Black) in 2022, each version more modular and more evasive than the one before it.

As a recent CISA advisory makes clear, LockBit 3.0 continues to cause serious damage more than a year after it entered circulation, and it remains a top focus of study for ECI’s threat hunting team. Through our analysis, we have catalogued a range of indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) associated with this strain. The methods LockBit 3.0 affiliates use to gain initial access to victim networks include Remote Desktop Protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts and exploitation of public-facing applications.

Once inside the network, LockBit 3.0 attempts to escalate privileges, enumerates system information, terminates processes and services that would interfere with encryption, launches commands, enables automatic logon for persistence and privilege escalation, and deletes log files and volume shadow copies to hinder recovery. Affiliates also exfiltrate compromised data to a command and control (C2) server before encrypting it, giving them extortion leverage beyond the encryption itself. The ransomware is good at covering its tracks as well: it can delete itself from disk and remove any Group Policy updates made during the attack.

Lockbit 3.0 Attack Methods and How to Guard Against Them

ECI has identified several telltale behaviors that highlight the severity and impact of the LockBit 3.0 threat, and we’re taking proactive steps to help our clients guard against them. To begin with, LockBit 3.0 renames each encrypted file by appending a random-looking extension that is the same across a victim’s estate, leaving the files inaccessible without the attacker’s decryption key. Recovery efforts should therefore focus on identifying the encrypted data, assessing the impact, and restoring from backups that were offline or otherwise out of the ransomware’s reach, since the shadow copies on the affected hosts will usually have been deleted.
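Because the appended extension is the same across every file the ransomware touched, a quick triage of a file share can find the affected data by looking for an extension that is not expected on the share, appears in bulk, and sits on high-entropy (encrypted) content. The script below is an added example written for this post, not ECI’s own tooling; it assumes the share has already been snapshotted into a `{path: leading_bytes}` mapping, and the snapshot, the `KNOWN_EXTENSIONS` allowlist and the extension `Ab3dE9fGh` are all constructed for the demonstration.

```python
"""Triage of a LockBit-style mass rename: which files carry an unexpected
extension in bulk, do their contents look encrypted, and which directories
were hit.  Added example, not ECI's tooling.  Assumes the share has been
snapshotted into {path: leading_bytes}; everything below is constructed."""
from collections import Counter, defaultdict
from pathlib import PurePosixPath
import hashlib
import math

# Extensions we expect on this share (assumption for the demo; tune per estate).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".pptx", ".log"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; ciphertext and compressed data sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_name(path: str) -> str:
    """The ransomware appends its extension, so stripping the last suffix
    recovers the pre-encryption name (and hence the original file type)."""
    p = PurePosixPath(path)
    return str(p.with_suffix("")) if p.suffix else path


def suspicious_extensions(snapshot, min_files=5, min_entropy=7.5):
    """Return {ext: [paths]} for extensions that are not on the allowlist, occur
    on at least min_files files, and whose contents are almost all high-entropy."""
    by_ext = defaultdict(list)
    for path, head in snapshot.items():
        ext = PurePosixPath(path).suffix.lower()
        if ext and ext not in KNOWN_EXTENSIONS:
            by_ext[ext].append((path, head))
    hits = {}
    for ext, files in by_ext.items():
        if len(files) < min_files:
            continue
        high = sorted(p for p, head in files if shannon_entropy(head) >= min_entropy)
        # Demand near-unanimity so a directory of genuine binary blobs is not
        # flagged on the strength of a few compressed members.
        if len(high) >= max(min_files, math.ceil(0.9 * len(files))):
            hits[ext] = high
    return hits


def impact_by_directory(paths):
    """Count affected files per top-level directory to prioritise restores."""
    return dict(Counter(PurePosixPath(p).parts[0] for p in paths))


def _pseudo_random(seed: str, n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed snapshot: six renamed files holding ciphertext, ordinary documents,
# and two legitimate binary blobs (too few to trip the bulk threshold).
TEXT = b"Quarterly revenue summary, prepared for the finance committee. " * 64
SAMPLE_SNAPSHOT = {
    f"{d}/{name}.Ab3dE9fGh": _pseudo_random(f"{d}/{name}", 4096)
    for d, name in [("finance", "q1.xlsx"), ("finance", "q2.xlsx"),
                    ("finance", "budget.docx"), ("hr", "payroll.csv"),
                    ("hr", "contracts.pdf"), ("hr", "handbook.docx")]
}
SAMPLE_SNAPSHOT.update({
    "it/inventory.xlsx": TEXT,
    "it/notes.txt": TEXT,
    "it/firmware_a.bin": _pseudo_random("fw-a", 4096),
    "it/firmware_b.bin": _pseudo_random("fw-b", 4096),
    "shared/readme.txt": TEXT,
})

if __name__ == "__main__":
    for ext, paths in suspicious_extensions(SAMPLE_SNAPSHOT).items():
        print(f"{ext}: {len(paths)} files look encrypted; impact {impact_by_directory(paths)}")
        for p in paths:
            print("  ", p, "<-", original_name(p))
```

On a real share you would feed `suspicious_extensions` the first few kilobytes of each file rather than whole files, and treat the per-directory counts as the first cut of the impact assessment: they tell you which backup sets to restore first and which hosts to isolate while the logs are reviewed.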

In addition, LockBit 3.0 affiliates use Remote Desktop Protocol (RDP) both as an entry point and as a way to move laterally to critical systems, including Domain Controllers (DCs); a foothold on a DC lets them deploy the ransomware across the domain. This ability to move laterally within the network highlights the need for firms to ensure robust access controls (no RDP exposed to the internet, multi-factor authentication on all remote access, RDP to DCs only from designated administrative hosts), network segmentation and continuous monitoring of privileged accounts.

Finally, like much ransomware, LockBit 3.0 campaigns frequently rely on social engineering, such as phishing emails or malicious attachments, to gain their first foothold. This underscores the importance of reinforcing user awareness through regular security training, simulated phishing exercises and related workforce education efforts that can significantly reduce the risk of a successful attack.

Throughout, it’s imperative that firms conduct a thorough analysis of network logs, system events and user activities to identify the entry point and the vulnerabilities the attackers exploited. These are just some of the IOCs and TTPs that ECI has associated with LockBit 3.0. The more clients understand these signs of attack, the more effectively they can work with a qualified MSP like ECI to develop mitigation measures that protect the organization and its critical assets.
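The log analysis recommended above can be turned into standing hunts for the post-compromise behaviors described in this profile: shadow-copy deletion, event-log clearing, the AutoAdminLogon persistence change, and RDP sessions landing on a Domain Controller from somewhere other than an administrative host. The rules below are an added example written for this post, not ECI’s detection content. They assume Windows Security and process-creation events have already been normalized into dicts with the fields shown; the host names, the `DOMAIN_CONTROLLERS` and `ADMIN_JUMP_HOSTS` sets, and the sample event stream are all constructed for the demonstration.

```python
"""Hunting rules for LockBit 3.0 post-compromise behaviours (shadow-copy
deletion, log clearing, AutoAdminLogon persistence, RDP into a DC), run over
normalised Windows events.  Added example, not ECI's detection content.
Assumes events are dicts with the fields used below; the sample is constructed."""
import re

# Trusted infrastructure (assumptions for the demo; populate from the CMDB).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_JUMP_HOSTS = {"10.10.1.10"}
LOGON_TYPE_REMOTE_INTERACTIVE = 10   # Security 4624 LogonType used by RDP

SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog)", re.I)
LOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
# Only fire on AutoAdminLogon being switched ON; an admin setting it to 0 is benign.
AUTOLOGON_ON = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*winlogon.*\s/v\s+AutoAdminLogon\b.*\s/d\s+1\b", re.I)


def rule_shadow_copy_deletion(ev):
    if ev["type"] == "process" and SHADOW_DELETE.search(ev["cmdline"]):
        return "shadow copies deleted: " + ev["cmdline"]


def rule_event_log_cleared(ev):
    if ev["type"] == "process" and LOG_CLEAR.search(ev["cmdline"]):
        return "event log cleared via " + ev["cmdline"]
    if ev["type"] == "security" and ev.get("event_id") == 1102:
        return "Security log cleared (EID 1102) by " + ev.get("user", "?")


def rule_autologon_enabled(ev):
    if ev["type"] == "process" and AUTOLOGON_ON.search(ev["cmdline"]):
        return "AutoAdminLogon turned on: " + ev["cmdline"]


def rule_rdp_to_dc(ev):
    if (ev["type"] == "logon" and ev["host"] in DOMAIN_CONTROLLERS
            and ev["logon_type"] == LOGON_TYPE_REMOTE_INTERACTIVE
            and ev["src_ip"] not in ADMIN_JUMP_HOSTS):
        return f"RDP logon to DC by {ev['user']} from {ev['src_ip']}"


RULES = {
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "event_log_cleared": rule_event_log_cleared,
    "autologon_enabled": rule_autologon_enabled,
    "rdp_to_dc": rule_rdp_to_dc,
}


def run_detections(events):
    """Apply every rule to every event; return findings in event order."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "host": ev["host"], "detail": detail})
    return findings


# Constructed event stream: a workstation being prepared for encryption, a
# benign registry change on another host, and two RDP logons to a DC.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS042", "user": "jdoe", "cmdline": "whoami /all"},
    {"type": "process", "host": "WS042", "user": "jdoe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "host": "WS042", "user": "jdoe",
     "cmdline": "wevtutil.exe qe Security /c:5"},          # a query, not a clear
    {"type": "process", "host": "WS042", "user": "jdoe", "cmdline": "wevtutil cl Security"},
    {"type": "process", "host": "WS042", "user": "jdoe", "cmdline":
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" '
     r'/v AutoAdminLogon /t REG_SZ /d 1 /f'},
    {"type": "process", "host": "WS017", "user": "helpdesk", "cmdline":
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" '
     r'/v AutoAdminLogon /t REG_SZ /d 0 /f'},              # switching it off
    {"type": "logon", "host": "DC01", "user": "da_admin", "logon_type": 10,
     "src_ip": "10.10.1.10"},                              # from the jump host
    {"type": "logon", "host": "DC01", "user": "svc_backup", "logon_type": 10,
     "src_ip": "10.10.5.23"},                              # from a workstation
    {"type": "security", "host": "DC01", "event_id": 1102, "user": "svc_backup"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

Each rule on its own produces some noise (backup agents delete shadow copies, administrators clear logs), so the value comes from correlating them by host and time window: the sample above fires four distinct rules on two hosts within one stream, which is the pattern to page on, whereas a lone `vssadmin` from a backup server is a ticket, not an incident.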
