November 13, 2022
Each discipline has its own favorites, losers, and average representatives. Ransomware market has them, too - some of the groups appear only to shut down in half a year, others keep going for several years, but have minimal market share. And only the best of the best ransomware is able to keep being a nightmare for people even after 5 years of activity.
LockBit group cannot boast of a great activity term. It is just slightly above the average: the first case of this ransomware was detected in 2019. Nonetheless, this gang has all chances to be with us for a very long time - at least not less than Xorist or HiddenTear already do. LockBit developers repeat constantly about the fact that they value their reputation, and always give up the decryption keys when the ransom is paid. Moreover, the developers deny even to talk about the types of data they got from the infected corporations:
“We know the value of reputation, so I refuse to tell this information to you. All data has been deleted from our storages right after the ransom sum is paid.” ━ LockBit developer in the interview.
Uniqueness of LockBit family: what do you need to know
Loud claims about the possibility of the long life of this gang must be proved. LockBit ransomware is known not only by its reputation as a group of “ethical hackers” (later about this), but also for the unique design of their malware. Generally, this ransomware has its own alteration of AES+ECC algorithm. It makes use of multi-threading and ciphers only the first 4 KB of each file. That makes this virus extremely fast: if it was injected successfully, the chances for stopping it before it ciphers something valuable are minimal.
But is the encryption of the first 4KB enough to prevent the decryption? Yes, if you use a very tough ciphering algorithm. And the AES+ECC joint is just one which fits perfectly for this purpose. ECC-like algos are chosen by the U.S. government for encryption of top secret documents that must not be accessed in the case of data leak. And be sure, the U.S. The Department of Defence would not choose a thing with questionable efficiency.
Besides using the unique encryption mechanism, LockBit ransomware also offers a specific stealer for downloading the data of infected companies. Just like with the encryption, it is known for its speed: a lot of cybersecurity analysts say that it outpaces almost all other stealers that are packed inside of the other ransomware.
Any trivial stuff?
Sure, it is hard to be unique in everything. Searching for the unique injection methods becomes useless when you see the amount of companies that ignore the basic rules of data protection. They leave their vulnerable RDP ports open, use the unsecure VPN network, and their employees are opening each email they get. And RDP/VPN breaches together with email spamming hold almost 90% of all ransomware distribution. So why do you need to reinvent the bicycle?
Vulnerabilities of RDP is a real scourge for data security. Since a lot of companies now have the vast majority of their employees working from home, RDP turned into one of the most demanded things. In fact, this solution from Microsoft is pretty good for its purpose. People need access to their workstations in offices, and the remote desktop protocol gives them this access without any complex setups. The unsecure ports that are set by users because of their low skills turn into a huge breach, since those ports allow anyone to connect to the corporate network and start brute force attacks.
Ransomware injection through the unsecure VPN is a relatively new thing. Fraudsters started using it only in 2021, and this injection method is not very widespread. Fortunately, setting up the VPN (and choosing the VPN provider) is usually done by qualified staff - system administrators, for example. But in some cases even a well-designed VPN connection which, however, uses an outdated version of the basic utility can be fatal. CVE-2018-13379, which was used during the attack on multiple European companies, is just that case.
Ethical hacking: what hides behind this term?
Crooks are always crooks, regardless of the mottos they hold in their hands. LockBit group tries to create an image of a 100% honest ransomware group that always does what they promise. However, that is not a single element of the ethical hacking, which they try to follow.
Not so long ago, in June 2021, a lot of ransomware developers agreed about the list of sectors that must not be touched by ransomware. Previously, ransomware developers implemented such ideas as their own initiative, so the majority of groups were not restricted at all. Nonetheless, such a “meeting” gave a large boost to the spreading of ethical hacking.
Ransomware developers from all over the world agreed to avoid attacking governmental and healthcare institutions, schools, universities, and other educational establishments. A lot of groups also agreed to evade the infrastructure companies (likely because of the noise after the attack on Colonial Pipeline). Is it any good? Sure. Does it justify the ransomware developers and distributors? Doubtlessly, not.
Known LockBit variants and victims
One of the latest well-known attacks performed by LockBit is its breaking into Accenture, an Irish-based IT-consulting company. Ransomware group decided to repeat the success of previous loud hacking case - cyberattack on Acer Corporation, which ended up paying the $50 million ransom after the ransomware attack in March, 2021. Accenture was asked for the same $50 million, and it is much bigger than an average ransom asked by LockBit group ($85,000).
In total, LockBit has the achievement list of 61 companies (including Accenture). Among them you can also see Bangkok Airlines (one of the largest air transport companies in the Asian region), Royal Porcelain and Beardow Adams. The list of all extensions used by LockBit is quite short:
It seems that its developers want everyone to know the exact name of the group which attacked them. Nice practice, especially when we remember that they are very proud of the actions they do. They did not even implement any changes in their extensions after applying the 2.0 version, which has significant changes compared to the first version.
LockBit 2.0 has the same core features - AES+ECC cipher, only 4KB of each file are encrypted, and a spyware module - but has the operations speed significantly buffed. There is no clear reason for such improvements - LockBit 1.0 was far faster (twin- or even triplefold) than any of its counterparts. Another thing that was changed in 2.0 version is the list of possible locations for stolen data storage. In the first version, fraudsters were forced to specify the cloud storage, which is not the best solution: cloud hosting can easily ban the crooks’ account after the request of the attacked company. Now, they are free to choose between cloud storage and their own disks.
Comparison of LockBit 2.0 operations speed with counterparts
|Ransomware||Encryption speed||Time needed to encrypt 100GB of files||File downloading speed||Time needed to download 10GB of stolen data|
|LockBit 2.0||373 MB/s||4m28s||83.46 MB/s||1m59s|
|LockBit||266 MB/s||6m16s||83.46 MB/s||1m59s|
|Cuba||185 MB/s||9m||4.82 MB/s||5h45m46s|
|BlackMatter||185 MB/s||9m||4.82 MB/s||5h45m46s|
|Babuk||166 MB/s||10m||4.82 MB/s||5h45m46s|
|Sodinokibi||151 MB/s||11m||4.38 MB/s||6h20m31s|
|Ragnar||151 MB/s||11m||4.82 MB/s||5h45m46s|
As you can see, even the old variant of LockBit ransomware outpaces all other ransomware groups. Moreover, even though LockBit 1.0 was using cloud storages to keep the data stolen from corporations, the downloading speed was pretty high. Low downloading speed of counterparts is explained by the usage of free cloud storages, which does not provide a high-speed connection.