LockBit ransomware is malicious software designed to block user access to computer systems in exchange for a ransom payment. It operates as a ransomware-as-a-service (RaaS), where affiliates conduct attacks using LockBit tools and infrastructure. The ransom payments are divided between the LockBit developer team and the attacking affiliates.
Attacks have targeted organizations globally, including the United States, China, India, Indonesia, Ukraine, France, the UK, and Germany. The ransomware attacks have targeted critical infrastructure, including hospitals like Lurie Children’s Hospital in Chicago and Saint Anthony Hospital.
LockBit ransomware overview
LockBit ransomware first emerged in September 2019 as a disruptive force in cyber extortion. Thanks to its RaaS model, it quickly evolved into a formidable threat within the ransomware landscape. This model allows malicious actors to license LockBit’s code to affiliates, who then execute attacks on behalf of the core development team.
LockBit’s demands typically involve substantial ransom payments, often reaching hundreds of thousands or even millions of dollars, payable in cryptocurrency. Motivated by financial gain, the group employs sophisticated encryption techniques and coercive tactics to compel victims into compliance. These tactics include threats of data theft and publication, operational disruptions, and the imposition of tight deadlines for ransom payments.
Despite law enforcement efforts to disrupt LockBit operations, the group continues to evolve its tactics, posing an ongoing threat to organizations worldwide.
Operation Cronos
Operation Cronos aimed to dismantle LockBit criminal infrastructure at every level, severely damaging its operational capacity and credibility. Led by the UK’s National Crime Agency and coordinated at the European level by Europol and Eurojust, Operation Cronos compromised LockBit’s primary platform and critical infrastructure. The international cooperation resulted in the takedown of 34 servers across multiple countries, including the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom.
The operation led to the arrest of LockBit actors in Poland and Ukraine. Law enforcement authorities also froze over 200 cryptocurrency accounts linked to LockBit’s criminal organization, disrupting the economic incentives driving the attacks.
In February 2024, the operation successfully infiltrated and seized control of LockBit’s infrastructure, including its dark web sites and cryptocurrency accounts. This major disruption significantly hindered LockBit’s capabilities, resulting in a 73% reduction in monthly attacks in the UK. The operation also recovered over 1,000 decryption keys, aiding numerous victims to regain access to their data.
LockBit leader identified
Dmitry Khoroshev, a Russian national and the main suspect behind the LockBit ransomware group, has been identified and sanctioned by authorities in the US, UK, and Australia. Known by his alias LockBitSupp, Khoroshev faces significant repercussions, including asset freezes, travel bans, and a $10 million reward offered by the US for information leading to his arrest. Khoroshev’s indictment by the US Department of Justice encompasses 26 charges, highlighting the extensive criminal activities he orchestrated.
Many affiliates did not profit from their criminal activities, with numerous instances of failed ransom payments and ineffective decryptors. The NCA and its international partners’ ongoing efforts aim to further degrade LockBit’s operations and support the victims of its attacks. In June 2024, the FBI released over 7,000 decryption keys to aid LockBit victims.
LockBit variants
- .abcd Extension Variant
This variant was one of the earliest versions of LockBit ransomware. It is named after the “.abcd” extension, which is appended to encrypted files. It typically includes a ransom note named “Restore-My-Files.txt” in each encrypted folder, providing ransom payment and decryption instructions.
- .LockBit Extension Variant
The second known version adopted the “.LockBit” file extension, hence the name.
- LockBit Version 2
This variant eliminated the requirement for victims to download the Tor browser for ransom payment instructions. Instead, it directed victims to an alternative website accessible via regular internet browsing.
LockBit 3.0
LockBit 3.0 is a continuation of the LockBit ransomware. It is also known as LockBit Black and shares similarities with BlackMatter and Alphv (BlackCat) ransomware. It likewise follows the RaaS model and is more modular and evasive than its previous versions.
Since April 2024, a large-scale ransomware campaign using LockBit Black has been underway. Millions of phishing emails have been sent through the Phorpiex botnet, targeting recipients worldwide. The emails use generic subject lines like “your document” or “photo of you???” and contain malicious ZIP archive attachments containing an executable file. If a recipient opens the attachment and runs the executable, it downloads and installs LockBit Black ransomware, encrypting the victim’s system and making their files inaccessible.
The attackers are leveraging a leaked LockBit 3.0 builder, but this campaign seems unaffiliated with the original LockBit ransomware group.
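The campaign described above is recognisable at a mail gateway by two signals the article names: a generic subject line and a ZIP attachment that contains an executable. The following is an added example, not code from the original article, showing how to triage a raw message for those signals; the executable-extension list is an assumption, and the sample message is constructed inline.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Subject lines the article quotes for the Phorpiex-distributed LockBit Black campaign.
SUSPICIOUS_SUBJECTS = {"your document", "photo of you???"}
# Executable-type extensions to flag inside a ZIP attachment (assumed list, not from the article).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def triage_message(raw: bytes) -> dict:
    """Return the signals a mail-gateway rule would act on for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    findings = {"generic_subject": subject in SUSPICIOUS_SUBJECTS,
                "zip_with_executable": False, "executables": []}
    for part in msg.walk():
        filename = part.get_filename() or ""
        if not filename.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # a corrupt or non-ZIP payload named *.zip is worth a separate alert
        execs = [n for n in names if n.lower().endswith(EXECUTABLE_EXTS)]
        if execs:
            findings["zip_with_executable"] = True
            findings["executables"].extend(execs)
    return findings

def build_sample(subject: str, inner_name: str) -> bytes:
    """Constructed test message (not a real campaign email): one ZIP attachment holding one inner file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return bytes(msg)

if __name__ == "__main__":
    print(triage_message(build_sample("your document", "your document.exe")))
```

A message that trips both signals is a quarantine candidate; either signal alone is better treated as a score contribution than a block, since benign mail uses generic subjects too.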
How to identify LockBit ransomware: Main IOCs
IOCs (Indicators of Compromise) are digital traces left by attackers during a cyberattack. These clues, like file extensions, file hashes, and IP addresses, help identify malware or malicious activity. Technical knowledge might be needed to locate some IOCs. If you need help, contact your IT team or a digital forensics service provider.
Pro tip: Proven Data offers a free ransomware ID tool if you struggle to identify the ransomware strain using IOCs.
Here are some of the main Indicators of Compromise (IOCs) associated with LockBit ransomware:
- File Extensions: Look for files encrypted with the “.abcd” extension or the “.LockBit” extension.
- Ransom Note: Search for a ransom note named “Restore-My-Files.txt” left in each encrypted folder.
- File Hashes (SHA256)
File hashes are unique digital fingerprints created for each file. When ransomware encrypts a file, the hash completely changes. By comparing the hash of an encrypted file to a database of known ransomware variants, you can identify the specific strain responsible for the attack.
Here are some example file hashes associated with LockBit ransomware (note that each value below is 32 hexadecimal characters, the length of an MD5 digest rather than the 64 characters of a SHA-256 digest, so confirm the hash type before loading them into a blocklist or scanner):
- 74d9a91c4e6d2c15f3b6f8e7679e624f
- a3f2e7cb7315c1e48801cb8c6a86d2d2
- b8eac9e84b458976f3944bb56b18031d
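The three file-system indicators listed above (encrypted-file extensions, the ransom note name, and file hashes) can be swept for in one pass. This is an added example, not a tool from the original article: it classifies each IOC hash by its hex length so that an MD5-length value is never compared against SHA-256 digests, then walks a directory tree. The sample tree and the IOC list it is run against are constructed inline.

```python
import hashlib
import os
import tempfile

# Indicators quoted in the article's IOC list.
ENCRYPTED_EXTS = (".abcd", ".lockbit")
RANSOM_NOTE = "Restore-My-Files.txt"
# Hex-digest lengths per algorithm, used to sanity-check an IOC feed before it is trusted.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_hash(value: str):
    """Return the algorithm implied by a hex IOC's length, or None if it is not a hex digest."""
    v = value.strip().lower()
    if not v or any(c not in "0123456789abcdef" for c in v):
        return None
    return HASH_TYPES.get(len(v))
def file_digest(path: str, algo: str) -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root: str, ioc_hashes) -> dict:
    """Walk `root` and collect LockBit indicators; `ioc_hashes` is any iterable of hex digests."""
    by_algo = {}
    for h in ioc_hashes:
        algo = classify_hash(h)
        if algo:  # unknown-length values are dropped rather than silently mis-typed
            by_algo.setdefault(algo, set()).add(h.strip().lower())
    hits = {"encrypted_files": [], "ransom_notes": [], "hash_matches": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXTS):
                hits["encrypted_files"].append(path)
            if name == RANSOM_NOTE:
                hits["ransom_notes"].append(path)
            for algo, wanted in by_algo.items():
                if file_digest(path, algo) in wanted:
                    hits["hash_matches"].append((path, algo))
    return hits

def demo() -> dict:
    """Constructed sample tree: an '.abcd' file, a ransom note, and a file whose MD5 is in the IOC set."""
    root = tempfile.mkdtemp()
    for name, data in [("report.docx.abcd", b"ciphertext"), (RANSOM_NOTE, b"sample note"), ("loader.bin", b"sample bytes")]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return sweep(root, [hashlib.md5(b"sample bytes").hexdigest(), "not-a-hash"])
```

Run `sweep()` against a mounted image or a suspect host's volumes rather than the live system, and treat a single ransom-note hit as sufficient to start the incident-response plan.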
How LockBit ransomware works
LockBit ransomware operates through a series of steps designed to infiltrate, encrypt, and extort victims. Here’s a detailed explanation of its process:
1. Initial Access
LockBit typically gains access to a victim’s network through phishing emails, exploiting unpatched software vulnerabilities, or brute force attacks on remote desktop protocol (RDP) connections.
Once inside the network, the attackers proceed to escalate their privileges to gain broader access.
2. Network Reconnaissance
LockBit conducts reconnaissance within the network to identify valuable targets and critical systems. This may involve mapping the network architecture, identifying sensitive data repositories, and locating backup systems.
3. Payload Deployment
Ransomware payload is the malicious code that encrypts your files, locks you out of your system, or threatens to leak your data.
Once the reconnaissance phase is complete, LockBit deploys its payload across the network. This payload consists of malicious executables that are designed to evade detection by security software. The ransomware may also disguise its executable files as legitimate system files to execute malicious code directly in memory.
4. Encryption of Files
LockBit employs robust encryption algorithms to encrypt files on all accessible systems within the network. It targets a wide range of file types, including documents, images, videos, and databases. Encrypted files become inaccessible to the victim without the decryption key held by the attackers.
Although there’s no free decryption tool at the time of this publication, you can seek ransomware removal experts to assist you in retrieving your encrypted files and securing your system and network.
5. Ransom Note Delivery and Data Exfiltration
After encrypting the files, LockBit generates and displays a ransom note on the victim’s system. In some cases, LockBit operators may exfiltrate sensitive data from the victim’s network before encrypting it.
The note typically contains instructions on how to pay the ransom, the amount of the ransom, and a deadline for payment. It also threatens to leak exfiltrated data. This pressures victims into paying the ransom.
Warning: Paying the ransom does not guarantee that you will get your data back, and it may encourage the attackers to continue their criminal activities. Check our in-depth article on what happens if you pay the ransom.
How to handle a LockBit ransomware attack
To increase the chances of a successful recovery and minimize disruption, consider seeking assistance from a data recovery service with a proven track record.
Proven Data’s technicians are your one-stop solution for data recovery and ransomware removal. Our team can generate forensic reports and streamline the incident response process, minimizing downtime and financial losses. We can also assist you in reporting the attack to the FBI and cybersecurity organizations to help with investigations.
LockBit's main targets and notable attacks
LockBit ransomware primarily targets larger organizations, especially those with valuable data and resources, such as healthcare organizations.
Notable attacks attributed to LockBit ransomware include:
Capital Health hospital network
The Capital Health hospital network, based in the United States, was a victim of a cyber-attack attributed to LockBit. It occurred as part of a broader campaign by the ransomware group to target healthcare facilities and exploit vulnerabilities in their IT systems.
Lurie Children's Hospital in Chicago
Lurie Children’s Hospital is a renowned pediatric acute care hospital located in Chicago, known for its exceptional medical services and commitment to children’s health. In February 2024, the hospital fell victim to a cyberattack allegedly orchestrated by the LockBit ransomware gang.
As a result of the attack, Lurie Children’s was forced to take its IT systems offline to prevent the spread of the ransomware, disrupting normal operations and delaying patient care.
Scheduled procedures were delayed, ultrasound and CT scan results became unavailable, and prescriptions were issued in paper form.
Saint Anthony Hospital
Saint Anthony Hospital, located on the west side of Chicago, faced a similar cyberattack attributed to the LockBit ransomware gang. The attack was discovered in December 2023, and the hospital took prompt action to mitigate its impact and ensure patient care was not disrupted. However, the LockBit gang posted the hospital’s information on its leak site, demanding a ransom of nearly $900,000.
Despite the ransom demand, hospital leaders expressed their commitment to using resources to care for the community’s most vulnerable population rather than rewarding cybercriminals for their illegal actions.
How to prevent LockBit ransomware attacks
By implementing these preventative measures and fostering a culture of cybersecurity awareness within your organization, you can significantly reduce your risk of falling victim to LockBit and similar threats.
Important: Human error is a significant factor in successful cyberattacks, so it is essential to educate users to avoid unintentionally introducing malware.
Consult cybersecurity professionals
Proven Data offers a comprehensive suite of cybersecurity services to safeguard your data against evolving threats. Our services range from vulnerability assessments, which identify weaknesses in your systems and servers, to incident response (IR) services that provide immediate assistance in case of an attack.
We also have the option of managed detection and response (MDR) services that help organizations improve their security posture, minimize risk, and protect sensitive data and assets.
Keep software updated
It is crucial to regularly update operating systems, software applications, and firmware to ensure system patching. Outdated software contains vulnerabilities that ransomware like LockBit can exploit to gain access.
Implement strong access controls
Segmenting your network into separate zones with firewalls and access controls can further limit the spread of ransomware infections if they occur.
Implement the principle of least privilege, granting users only the minimum permissions and access levels necessary to perform their jobs. Additionally, administrative privileges should be restricted to prevent unauthorized software installations and modifications.
Backup regularly and securely
Backups can’t prevent ransomware from infecting your machines, but they can prevent data loss due to encryption.
Your backup solutions should be automated, encrypted, and tested regularly to ensure data integrity and availability in the event of a ransomware attack.
Educate employees
Cybersecurity awareness training empowers your employees to identify phishing attempts, suspicious websites, and social engineering tactics used by ransomware operators. Encourage them to report any unusual activity or potential security threats promptly.
Develop an Incident Response Plan
Develop a comprehensive incident response plan outlining clear steps for containing, eradicating, recovering from, and communicating about a ransomware attack. Regularly test the plan through simulations to ensure everyone is prepared.