The LockBit Ransomware Gang Riddle

The LockBit ransomware-as-a-service (RaaS) operation was the "leading" ransomware threat globally in 2022, with the highest number of victims.

Background

The LockBit ransomware made its official debut in September 2019 and was dubbed the "ABCD" ransomware for the .abcd suffix it appended to encrypted victim files. Early LockBit 1.0 builds were very immature: the encryptor used a hard-coded mutex, and it even left debug functions behind, which made it easy for antivirus software, sandboxes, and other security tools to recognize and intercept.

As the organization grew, LockBit 1.0 moved to a RaaS (Ransomware-as-a-Service) model, developing and distributing the ransomware tooling for use by other malicious actors and advertising its affiliate program on the prominent Russian-language forum XSS.

Eight months later, the LockBit 1.0 operators upgraded their tactics by launching a site that publicizes victims' stolen data alongside the file encryption, pressuring victims further in a "double extortion" scheme.

After several minor upgrades, LockBit 1.0 became more sophisticated than other ransomware of its time. On Windows systems it encrypts files with a combination of RSA and AES, using I/O completion ports (IOCP) together with the AES-NI instruction set to speed up the work, which yields a high-performance encryption routine; once files are encrypted, the .abcd extension is appended to every affected file.

LockBit 1.0 announces itself mainly by replacing the desktop wallpaper of the victim's system and drops a ransom note named Restore-My-Files.txt, directing the victim to a dark web site to pay the ransom in Bitcoin or Monero.

The group later became notorious for several high-profile attacks. In June 2022 it launched LockBit 3.0 together with a bug bounty program that invited security researchers to test and improve its software; offering rewards for discovering vulnerabilities is unique among ransomware operations.

Since the beginning of its operations, LockBit has left a significant mark on the cyber security landscape; its attacks typically result in the theft of sensitive data and financial losses for the victimized party.

"Brilliant" history


By May 2022, LockBit was riding high: it had penetrated the defenses of more than 850 enterprise organizations worldwide, accounting for 46% of all ransomware-related attacks in that timeframe.

RaaS affiliate model (figure omitted).

Attack style (figure omitted).

According to cybersecurity firm Dragos, about one-third of ransomware attacks on industrial systems in the second quarter of 2022 were launched by LockBit, hitting a number of large organizations in the industrial control sector, and Deep Instinct reported that LockBit accounted for about 44% of all ransomware attacks in the first half of 2022.

In just three years, the LockBit ransomware group has claimed more than 1,000 victims, twice as many as the veteran Conti group and more than five times as many as REvil.

It is also worth noting that LockBit's payment rate exceeds that of many older ransomware groups: on 2022 figures, it collected on more than half of its $100 million in ransom demands, leaving countless businesses reeling.


Status quo

In light of this, the group has attracted the attention of law enforcement agencies around the world. In November 2022, the U.S. Department of Justice (DoJ) charged Mikhail Vasiliev, a dual Russian and Canadian citizen, with involvement in the LockBit ransomware operation; he is currently detained in Canada awaiting extradition to the United States.

In May, Russian national Mikhail Pavlovich Matveev (30), also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, was charged by the U.S. Department of Justice with participating in multiple ransomware attacks.

The U.S. Department of Justice unsealed two indictments charging the man with using three different types of ransomware to target numerous victims across the U.S., including law enforcement agencies in Washington, D.C., and New Jersey, as well as organizations across the country in the healthcare and other sectors:

  • On or about June 25, 2020, Matveev and his LockBit co-conspirators attacked a law enforcement agency in Passaic County, New Jersey;
  • On April 26, 2021, Matveev and his Babuk co-conspirators attacked the Metropolitan Police Department in Washington, DC;
  • On or about May 27, 2022, Matveev and his Hive co-conspirators attacked a nonprofit behavioral healthcare organization in New Jersey.

On February 19, 2024, the website of the infamous LockBit ransomware gang was seized in a joint law enforcement operation by the UK's National Crime Agency (NCA), the US Federal Bureau of Investigation (FBI), Europol, and the International Consortium of Police Agencies (ICAPA).


treasury.gov published the sanctions details, including the individuals' identifying information and their BTC and ETH addresses.


We used MistTrack to look at the flow of funds for the sanctioned ETH address (0xf3701f445b6bdafedbca97d1e477357839e4120d).


Analysis revealed that the funds on that ETH address had been laundered.

We then analyzed the sanctioned BTC addresses and found that the earliest transactions among them date back to October 2019, the most recent to March 2023, and that the funds associated with each address have since been moved out.

The address that received the largest amount was 18gaXypKj9M23S2zT9qZfL9iPbLFM372Q5, which belongs to LockBit affiliate Artur Sungatov; MistTrack flags it as a Binance deposit address, and the funds have been moved out.


The second-largest recipient, with 52.7892 BTC, was 32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM, an address of LockBit affiliate Ivan Kondratyev that MistTrack flags as a KuCoin deposit address. Another sanctioned address, bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng6, transferred 0.4323 BTC.
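Before sanctioned addresses like the ones quoted above are loaded into a screening list or fed to a tracing tool, it is worth checking that they were transcribed correctly: a single wrong character silently turns a blocklist entry into a miss. The following Python is an added example, not code from the article, MistTrack or OFAC; it classifies the three Bitcoin address formats and the EVM address format that appear above and verifies the Base58Check and bech32 checksums. The corrupted variants in the sample list are constructed.

```python
"""Classify cryptocurrency addresses and verify their built-in checksums.

Added example (not MistTrack/OFAC code). Handles the formats quoted in the
article: legacy P2PKH ('1...'), P2SH ('3...'), native SegWit v0 ('bc1q...')
and 0x-prefixed EVM addresses.
"""
import hashlib
import re
from typing import Dict, List, Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def b58check_decode(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload (version + hash160) or None if the
    4-byte double-SHA256 checksum does not match."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return None
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for a zero byte that the integer form drops.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def _bech32_polymod(values: List[int]) -> int:
    """BIP-173 checksum polynomial over 5-bit groups."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_verify(addr: str) -> bool:
    """True for a well-formed mainnet SegWit v0 (bech32) address."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is forbidden by BIP-173
    addr = addr.lower()
    hrp, sep, data = addr.rpartition("1")
    if hrp != "bc" or not sep or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    # witness version 0 uses the bech32 constant (1); program is 20 or 32 bytes
    if values[0] != 0 or len(values) - 7 not in (32, 52):
        return False
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _bech32_polymod(hrp_expanded + values) == 1


def classify(addr: str) -> str:
    """Return 'eth', 'btc-p2pkh', 'btc-p2sh', 'btc-segwit-v0' or 'invalid'."""
    addr = addr.strip()
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        # EVM addresses have no mandatory checksum; EIP-55 casing is not checked here.
        return "eth"
    if addr.lower().startswith("bc1"):
        return "btc-segwit-v0" if bech32_verify(addr) else "invalid"
    payload = b58check_decode(addr)
    if payload is None:
        return "invalid"
    return {0x00: "btc-p2pkh", 0x05: "btc-p2sh"}.get(payload[0], "invalid")


def screen(addrs: List[str]) -> Dict[str, str]:
    """Classify every address in a candidate blocklist."""
    return {a: classify(a) for a in addrs}


# Addresses quoted in the article, plus two constructed corruptions
# (last character changed) to show the checksums catching typos.
SAMPLE_ADDRESSES = [
    "18gaXypKj9M23S2zT9qZfL9iPbLFM372Q5",
    "32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM",
    "bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng6",
    "0xf3701f445b6bdafedbca97d1e477357839e4120d",
    "18gaXypKj9M23S2zT9qZfL9iPbLFM372Q6",          # constructed typo
    "bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng7",  # constructed typo
]

if __name__ == "__main__":
    for address, kind in screen(SAMPLE_ADDRESSES).items():
        print(f"{kind:14} {address}")
```

Anything that comes back as `invalid` should be re-checked against the original sanctions notice rather than silently dropped; a checksum failure is exactly the signal that a character was lost in copying.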


The U.S. government, together with the U.K. and Europol, released further information about the LockBit ransomware organization, including that LockBit has 193 affiliates.


The Mystery of the Capture

According to a spokesperson for the UK's National Crime Agency, LockBit's services have been disrupted as part of an ongoing and developing operation. The operation is the latest in a multi-year battle between law enforcement agencies and ransomware gangs; it deals a powerful blow to LockBit's recent transnational extortion operations and serves as a deterrent to the growing number of ransomware attacks.

Looking at LockBit's infrastructure, every known LockBit ransomware site is either offline or displays a seizure banner from Europol. Law enforcement has seized or dismantled at least 22 Tor sites in what is known as Operation Cronos.


Following this, LockBit's leadership confirmed to the media that the group's website had been seized.


However, the seizure does not seem to have reached the core LockBit staff: the group subsequently posted a message on Tox reading, "FBI screwed over servers using PHP, alternate servers without PHP were not affected."


In a plot twist today, LockBit's leadership was asked about law enforcement's announcement that it will reveal the identity of LockBit's leadership on Friday, February 23, 2024.

LockBit replied, "Let them reveal it, I'm sure they don't know my identity." The group then renamed itself "FBI Supp" to mock law enforcement agencies.


According to @vxunderground, it now appears that the ultimate mastermind has not been captured, and LockBit is even publicly offering a larger reward to anyone who can uncover its leader's identity.


By this point the story keeps getting better, with law enforcement agencies saying they will release more information on the LockBit organization in the coming days.

What's the aftermath? We'll see.

Summary

The crackdown is the latest in a series of law enforcement actions against ransomware gangs. At the end of last year, the FBI and other agencies dismantled the networks and infrastructure of several cybercrime operations, including Qakbot and Ragnar Locker.

At the recent Munich Cyber Security Conference, the U.S. Deputy Attorney General emphasized the U.S. commitment to fighting ransomware and cybercrime, signalling a faster and more proactive strategy focused on preventing and disrupting these criminal activities.

As digital technologies develop, cybercrime that relies on cryptocurrencies has become a major global challenge. Ransomware and similar crimes not only inflict losses on individuals and businesses but also pose a serious risk to society as a whole. According to statistics, cybercriminals extorted more than $1.1 billion from victims around the world last year.

Defending against ransomware is a contest between attackers and defenders that demands patience, strategy, and timing.

LockBit is a case in point: each version iterates on its attack methods, strategies, and intrusion points, which makes it hard for defenders to build a complete remediation system. In ransomware defense, prevention therefore matters far more than recovery, and a systematic, comprehensive, multi-party approach is needed to build a fence against ransomware. We strongly recommend the following protective measures:

Use complex passwords whenever possible: When setting passwords for servers or internal systems within an organization, use strong login credentials, such as passwords that must include numbers, upper- and lower-case letters, and special symbols and be at least 8 characters long, and change passwords regularly.

Two-factor authentication: For sensitive systems within the organization, password-based logins need to be augmented with additional layers of defense against attackers, such as biometric authentication (fingerprints, irises, etc.) on some sensitive systems or physical USB key authenticators.

Four Don'ts: Do not click on emails from unknown sources; do not browse pornography, gambling, and other undesirable websites; do not install software from unknown sources, and be cautious about installing software sent by strangers; do not insert removable storage devices such as USB flash drives, portable hard disks, and memory cards from unknown sources into your device.

Data backup protection: The real safeguard against data loss is always an offline backup, so it is essential to back up critical data and business systems. Label backups clearly by date and stage so that a clean copy can be retrieved promptly if a system is infected by malware.

Run antivirus and close unneeded ports: Install antivirus software, update its signature database regularly, and perform regular full-disk scans; close unnecessary services and ports, including unneeded remote access services such as port 3389 (RDP) and port 22 (SSH) and unneeded LAN sharing ports such as 135, 139, and 445.
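The port recommendation is easy to verify rather than just state. The following Python is an added example (not from the article or any vendor tool) that parses the output of `ss -ltn` on a Linux host and flags the article's risky ports when they are bound to a non-loopback address and not on an explicit allowlist. The `ss` output embedded below is constructed, not captured from a real host; on Windows the equivalent data would come from `netstat -ano`, whose column layout differs and is not handled here.

```python
"""Audit listening TCP sockets against the ports the article says to close.

Added example; the sample `ss -ltn` output below is constructed.
"""
from typing import Dict, FrozenSet, List, Tuple

# Ports the article recommends closing unless they are genuinely required.
RISKY_PORTS = {22: "SSH", 135: "MS-RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}

# Constructed sample of `ss -ltn` output (Linux). Not from a real machine.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096         127.0.0.1:631         0.0.0.0:*
LISTEN  0       50             0.0.0.0:445         0.0.0.0:*
LISTEN  0       128               [::]:3389           [::]:*
LISTEN  0       4096         127.0.0.1:8080        0.0.0.0:*
LISTEN  0       128              [::1]:22             [::]:*
"""


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Extract (bind address, port) pairs from `ss -ltn` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        # rpartition keeps IPv6 literals like [::] intact
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """Loopback binds are reachable only from the host itself."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit(text: str, allowed: FrozenSet[int] = frozenset()) -> List[Dict[str, object]]:
    """Return one finding per risky port exposed beyond loopback and not allowlisted."""
    findings = []
    for addr, port in parse_listeners(text):
        if port in RISKY_PORTS and port not in allowed and not is_loopback(addr):
            findings.append({"port": port, "service": RISKY_PORTS[port], "bind": addr})
    return findings


if __name__ == "__main__":
    # Example: SSH is needed on this host, so it is allowlisted.
    for f in audit(SAMPLE_SS_OUTPUT, allowed=frozenset({22})):
        print(f"{f['service']:8} port {f['port']} exposed on {f['bind']}")
```

On a live system, replace `SAMPLE_SS_OUTPUT` with the output of `ss -ltn` (for example via `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`) and keep the allowlist under change control so that every exposed risky port has a documented owner.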

Enhance employee security awareness: The biggest hidden danger in production security lies with people. Phishing, social engineering, malware infections, weak passwords, and similar key factors are all closely tied to personnel security awareness, so effectively raising that awareness is a prerequisite for overall security hardening and stronger defensive capability.

Timely patching of office endpoints and servers: Patching the operating system and third-party applications promptly prevents attackers from breaking into systems through known vulnerabilities.

Acknowledgements: WuBlockchain, @vxunderground, Xitan Labs, Yunding Labs


Original article by xbear; if reproduced, please credit https://cncso.com/en/malicious-software-ransom-team-lockbit-revealed-html
