LockBit 3.0 Evolves its Ransomware and Processes

The group behind LockBit 3.0, a type of ransomware, continues to evolve their business practices and the malware itself.

The ransomware mainly targets endpoint detection solutions (EDR) and sandbox based behavioral detection.

Samples of LockBit 3.0 Ransomware were tested against BluVector’s patented Machine Learning Engine (MLE) and were detected. Regression testing shows that BluVector’s detection efficacy was not impacted by LockBit 3.0’s updates and would have detected the samples on average 102 months prior to their release.

What Is It?

Discovered in September 2019, LockBit ransomware continues to be one of the prominent  ransomware threats, reportedly responsible for 40% of all ransomware attacks in May 2022. In order to maintain this position, the group behind LockBit are still evolving both the malware itself and their business practices. Recently, there has been considerable coverage by various security researchers relating to the release of LockBit 3.0 into the wild. This follows LockBit’s authors announcing its release, after what they claim was a two-month period of beta testing. This is not the only concept LockBit has co-opted from the legitimate software development lifecycle. They have also announced a bug bounty program, offering payouts ranging from $1,000 to $1 million, for bugs in the ransomware and their infrastructure. The maximum bounty of $1 million is allegedly payable  to the first individual who can provide the full name of the manager of their affiliate program. It also appears LockBit now accepts payments using the Zcash cryptocurrency, alongside Bitcoin and Monero.

As seen in the following image, LockBit has added some new functionality aimed at increasing profit potential and pressure on victims to pay the ransom quickly. The pages for some victims include three new options: allowing the timer until exfiltrated data is published to be extended by 24 hours, to destroy all exfiltrated data, and to download exfiltrated data immediately. There is a wide variation in the costs associated with these options from victim to victim, e.g. as pictured, where extending the timer by 24 hours is $1,000 for one victim, and for another victim it is $10,000. For some victims, the destruction and download data options are a fixed cost, but for others those values decrease by $1 each second.

Screenshot from LockBit 3.0’s dark web ransom page of a countdown timer until files are leaked with payment options.

Figure 1: Screenshot from LockBit 3.0’s dark web site of a victim’s page.

The LockBit 3.0 ransomware also brings an evolution of the anti-analysis and detection evasion techniques. These techniques are aimed at evading detection on endpoints and by automated sandboxes, as well as malware analysis and reverse engineering performed by human analysts and researchers. LockBit 3.0 requires a passphrase to be passed as an execution parameter to decrypt the sample and allow it to execute successfully. For automated sandboxes, attempting to execute only the ransomware sample itself renders the sample undetectable. Similarly, it limits the effectiveness of reverse engineering efforts based on the sample itself and no other context. LockBit 3.0 also employs a variety of anti-analysis techniques, aimed at making the sample more difficult and more time consuming to analyze. Some of these techniques, such as those used to obfuscate calls to Windows APIs, are also for detection evasion.

When executed, LockBit 3.0 first jumps to the routine which decrypts itself using the supplied passphrase. This routine begins by looping 200 million times; however, this only results in a very brief delay. After decrypting itself, the encryption process is efficient and takes a relatively short period of time. Encrypted files are given a file extension defined in the sample’s configuration, “HLJkNskOq” in the case of the sample analyzed. Unlike most other ransomware, the file name is also changed, to a random 7-character alphanumeric string. A ransom note is placed in each directory containing encrypted files, and the Windows wallpaper is also changed to a black background with a short message directing the victim the ransom note for further instructions. In order to further pressure the victim, the ransom note refers to the European GDPR (General Data Protection Regulation) legislation, stating that if the ransom is not paid and exfiltrated data is publicly released, this will result in fines “due to GDPR and other similar laws”.

Evolution in successful malware variants is inevitable, particularly for ransomware, due to the potential profits for operators and affiliates. LockBit are one of several groups who are evolving their processes and internal structures to more closely mimic those of legitimate organizations, while at the same time attempting to make their ransomware harder to detect and analyze.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. LockBit 3.0 attacks have been observed exploiting the CVE-2019-0708 (BlueKeep) vulnerability as an attack vector against internet facing Remote Desktop Protocol (RDP) servers.

When/How Did BluVector Detect It?

The changes made in LockBit 3.0 which attempt to evade detection are mainly aimed at endpoint detection solutions and sandbox  based behavioral detection, they have proven to be ineffectual against BluVector’s patented Advanced Threat Detection NDR Machine Learning Engine (MLE). A total of 6 samples of LockBit 3.0 ransomware were tested against BluVector’s MLE and all were detected. Regression testing of these samples shows that BluVector would have detected the ransomware on average 102 months prior to their release.

Team member
Threat Team
BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solutions would protect customers from those threats.

All Threat Reports