In response to an unrelenting wave of ransomware attacks by the LockBit threat actors, a cyber security advisory (CSA) has been published by the Cybersecurity & Infrastructure Security Agency (CISA). This followed a joint effort between CISA, Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners:
- Australian Cyber Security Centre (ACSC)
- Canadian Centre for Cyber Security (CCCS)
- United Kingdom’s National Cyber Security Centre (NCSC-UK)
- National Cybersecurity Agency of France (ANSSI)
- Germany’s Federal Office for Information Security (BSI)
- New Zealand’s Computer Emergency Response Team (CERT NZ) and National Cyber Security Centre (NCSC NZ).
The reason for this truly international advisory is the continued success of LockBit and their affiliates in impacting organizations large and small across the globe. Notable victims of LockBit in the past 12 months include The Royal Mail (UK), Hospital for Sick Children (Canada), Managed Care of North America (US), and Centre Hospitalier Sud Francilien (France). It has been claimed that, in the US alone, LockBit victims have paid out over $90m in ransoms since 2020.
Who is LockBit?
LockBit has quickly become one of the most successful cybercrime operations in the world, allegedly accounting for 44% of all ransomware campaigns in 2022. Considering the first versions of LockBit were only discovered in late 2019, this has been a meteoric rise to infamy—and it shouldn’t surprise anyone that they have drawn the attention of international security agencies. LockBit’s success as a ransomware-as-a-service (RaaS) operator has been driven by their innovative techniques. The group often leverages a “double extortion” technique, where data is stolen as well as encrypted on the victim’s systems. This allows LockBit to threaten to publish the data on their own data leak site if the ransom is not paid.
On the technical front, LockBit have successfully launched a bug bounty program to further harden their operation, offering payments between $1000 and $1M to “ethical and unethical hackers” who can find flaws in their ransomware and infrastructure or help them be more effective in their operations.
Why are LockBit attacks so formidable?
Ransomware-as-a-Service operators like LockBit use networks of criminal affiliates who pay a deposit to use the ransomware tools they provide and agree to share any ransom payments. LockBit reportedly allows some operators to keep as much as 75% of the ransom payments, which provides a huge incentive to work with them. One of the challenges of this model, made clear in the advisory issued by CISA, is that each affiliate will have their own preferred tactics, techniques, and procedures (TTPs). This means that, while they are all using LockBit ransomware in the final stages of the attack, the techniques they use to get to that point will vary wildly depending on the affiliate. This makes it hard to issue clear guidance on how exactly to prevent LockBit attacks.
LockBit Tactics and Techniques
Controlling privileges and access remain two of the core components of a robust anti-ransomware defence-in-depth strategy. Put simply, the less privilege and access an attacker has in your organisation, the less damage they can do and the more likely they are to move on to an easier target. When reading the tactics and techniques listed in the advisory, we can see why these core defensive components are so effective.
Let’s take a look at how the LockBit affiliates gain their initial foothold in a victim’s network by focussing on Initial Access, Execution, and Persistence techniques, and how we might mitigate those. Remember, the earlier in the attack chain you can stop an attacker, the lower the risk to your organization, so these areas are important to focus on.
Initial Access

| Technique | MITRE ID | LockBit usage | Key Mitigations |
| --- | --- | --- | --- |
| Drive-by Compromise | T1189 | LockBit affiliates gain access to a system through a user visiting a website over the normal course of browsing. | Privilege Management to prevent the attacker from gaining privileges. Application Control to block payload execution. |
| Exploit Public-Facing Application | T1190 | LockBit affiliates may exploit vulnerabilities (e.g., Log4Shell) in internet-facing systems to gain access to victims’ systems. | Privilege Management to limit what permissions the exploited process gets on the rest of the system. |
| External Remote Services | T1133 | LockBit affiliates exploit RDP to gain access to victims’ networks. | Secure remote access to remove RDP and VPN access that can be exploited. |
| Phishing | T1566 | LockBit affiliates use phishing and spearphishing to gain access to victims’ networks. | Privilege Management to prevent the attacker from gaining privileges. Application Control to block payload execution. |
| Valid Accounts | T1078 | LockBit affiliates obtain and abuse credentials of existing accounts as a means of gaining initial access. | Privilege Management to prevent the attacker from gaining privileges. Secure remote access to ensure compromised credentials cannot be used to access the entire network. |

Execution

| Technique | MITRE ID | LockBit usage | Key Mitigations |
| --- | --- | --- | --- |
| Execution | TA0002 | LockBit 3.0 launches commands during its execution. | Privilege Management to prevent the attacker from executing commands using privileges. Application Control to block command execution. |
| Command and Scripting Interpreter: Windows Command Shell | T1059.003 | LockBit affiliates use batch scripts to execute malicious commands. | Privilege Management to prevent the attacker from executing scripts using privileges. Application Control to control access to scripting interpreters. |
| Software Deployment Tools | T1072 | LockBit affiliates may use Chocolatey, a command-line package manager for Windows. | Privilege Management to prevent the attacker from executing commands using privileges. Application Control to control execution of software packages. |
| System Services: Service Execution | T1569.002 | LockBit 3.0 uses PsExec to execute commands or payloads. | Privilege Management to prevent the attacker from manipulating system services or using PsExec on remote systems. |

Persistence

| Technique | MITRE ID | LockBit usage | Key Mitigations |
| --- | --- | --- | --- |
| Boot or Logon Autostart Execution | T1547 | LockBit affiliates enable automatic logon for persistence. | Privilege Management to prevent the attacker from being able to execute as System. Application Control to block unwanted application execution. |
| Valid Accounts | T1078 | LockBit affiliates may use a compromised user account to maintain persistence on the target network. | Privilege Management to limit the privileges available to the attacker from a compromised account. Secure remote access to remove broad RDP and VPN access that can be exploited using a valid account. |
As we can see from the tables above, being able to control privileges and application execution using endpoint privilege management tools, such as Privilege Management for Windows/Mac, combined with a secure remote access tool, such as Privileged Remote Access or Remote Support, is a highly effective mitigation against the techniques used by LockBit and other threat actors to gain that initial foothold in your environment.
In addition to this, most of the later stages of the attack also exploit environments with excessive privilege, broad access, and lack of application control because these are the environments where they can inflict the most damage.
Privilege Escalation – Often uses local administrator privileges to abuse elevation control mechanisms. LockBit has been observed performing UAC bypass techniques using system-level autostart execution and modifying group policy—all of which can be mitigated with Privilege Management.
Defence Evasion – In order to evade detection, LockBit will disable security tools and clear Windows Event logs. These actions require the attacker to have at least local administrator privileges on the endpoint and the ability to execute code. Privilege Management and Application Control are effective mitigations to protect the security tools on the endpoint from being disabled.
Credential Access – LockBit affiliates will use OS Credential Dumping tools such as ProcDump, ExtPassword and LostMyPassword to access the credentials of other users accessing an endpoint. This allows them to capture the credentials of potentially privileged domain users and escalate their access. OS Credential Dumping requires local administrator privileges, specifically SeDebugPrivilege and SeLoadDriverPrivilege. Privilege Management is a highly effective mitigation to prevent attackers from obtaining these privileges, combined with Application Control to prevent unauthorized tools from being used.
Lateral Movement – LockBit affiliates have been observed using administrator accounts and SMB (Server Message Block) for lateral movement in combination with tools like Splashtop. Using the following combined approach will severely limit the attacker’s ability to move laterally:
- Privilege Management to mitigate the attacker’s ability to access administrator accounts
- Application control to prevent unwanted tools from being used
- Secure remote access to remove the need for RDP and VPN access.
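The later-stage behaviours above (PsExec service execution, sensitive privileges granted at logon, event log clearing, RDP logons) each leave a well-known Windows event behind. The following detection logic is an added example, not code from the original article or from BeyondTrust; it runs over a few constructed event records (not real telemetry), uses the standard Windows event IDs 1102, 104, 4672, 7045 and 4624, and the RDP rule is deliberately broad, so in practice it would be paired with an allow-list of approved source addresses.

```python
"""Detect later-stage LockBit affiliate behaviours in Windows event records."""

# Privileges the article names as required for OS credential dumping.
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeLoadDriverPrivilege"}
# Built-in accounts that legitimately receive those privileges at logon.
BUILTIN_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed sample records: (channel, event_id, fields). All values are made up.
SAMPLE_EVENTS = [
    ("Security", 4624, {"TargetUserName": "jsmith", "LogonType": "10", "IpAddress": "203.0.113.5"}),
    ("System", 7045, {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    ("Security", 4672, {"SubjectUserName": "jsmith", "PrivilegeList": "SeDebugPrivilege\n\t\t\tSeBackupPrivilege"}),
    ("Security", 4672, {"SubjectUserName": "SYSTEM", "PrivilegeList": "SeDebugPrivilege"}),
    ("Security", 1102, {"SubjectUserName": "jsmith"}),
    ("System", 7045, {"ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}),
]


def classify(channel, event_id, fields):
    """Return (attack phase, detail) for a suspicious record, or None if benign."""
    if channel == "Security" and event_id == 1102:
        return ("Defence Evasion", f"Security log cleared by {fields.get('SubjectUserName')}")
    if channel == "System" and event_id == 104:
        return ("Defence Evasion", "System log cleared")
    if channel == "System" and event_id == 7045:
        # Service install; PsExec registers its helper service as PSEXESVC.
        if "psexesvc" in (fields.get("ServiceName", "") + fields.get("ImagePath", "")).lower():
            return ("Execution (T1569.002)", f"PsExec service installed: {fields.get('ServiceName')}")
    if channel == "Security" and event_id == 4672:
        # 4672 lists the privileges a new logon session was granted.
        user = fields.get("SubjectUserName", "")
        hits = sorted(set(fields.get("PrivilegeList", "").split()) & SENSITIVE_PRIVS)
        if hits and user.upper() not in BUILTIN_ACCOUNTS:
            return ("Credential Access", f"{user} logged on with {', '.join(hits)}")
    if channel == "Security" and event_id == 4624 and fields.get("LogonType") == "10":
        # Logon type 10 is an interactive RDP session.
        return ("Initial Access (T1133)", f"RDP logon for {fields.get('TargetUserName')} from {fields.get('IpAddress')}")
    return None


def scan(events):
    """Run classify() over every record and collect alerts in order."""
    return [hit for channel, event_id, fields in events if (hit := classify(channel, event_id, fields))]


if __name__ == "__main__":
    for phase, detail in scan(SAMPLE_EVENTS):
        print(f"[{phase}] {detail}")
```

Note that the SYSTEM account's own 4672 record and the Spooler service install produce no alert, which is the point: the rules key on who holds the privilege and which service appears, not on the event ID alone.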
How to mitigate a LockBit attack
While the CISA advisory offers a broad range of mitigations, it is worth distilling these down into some key areas to help prioritise the mitigations as part of a defence-in-depth approach.
- Patching – Keeping the OS and software patched is essential, especially on public-facing systems. Known vulnerabilities often provide attackers with a way to execute code on your systems. It might not be fun to do, but it is effective.
- Least Privilege:
  - Ensure least privilege at all times using Endpoint Privilege Management technology that can remove local admin rights without impacting the user experience, and which can ensure that only the process (or at worst, the application) is elevated—never the user.
  - Use a Privileged Access Management tool to discover and bring administrator accounts under management, automatically rotating passwords and controlling access based on policy.
- Control Access:
  - Move towards zero trust architectures and away from VPN and RDP solutions that provide attackers with broad access to the network. Focus on giving users just the access they need in a way that is controlled and auditable.
  - MFA is also highly recommended, but it should not be used in isolation. Many organisations have fallen victim to MFA fatigue or token hijack attacks, where attackers were able to leverage this to gain broad access to networks and systems.
- Control Execution – Application control is a well-established defence against the majority of threats. While it seems like a daunting task, when combined with privilege management it becomes very achievable. The user cannot tamper with the native tools or deployed software, so you can apply broad trust rules and just focus on applications the user (or attacker) introduces. For high-risk native applications, such as PowerShell, a combination of privilege management to limit the impact and application control to block or gate with MFA can prevent attackers from “living off the land” and exploiting built-in tools.
LockBit clearly represents a large threat to most organizations. Their innovative approach to ransomware, combined with a small army of technically skilled affiliates, makes them a clear and present danger. With an ever-growing list of high-profile victims, and warnings from international security agencies, it is easy to feel that it is not a case of if but when you will be hit. However, it is important not to lose sight of the fact that, with an understanding of tactics and a robust defence-in-depth approach, these threats are almost entirely preventable.
“Ransomware is not magic—it can only run with the privileges of the user or the application that launches it. Therein lies its weakness, and our chance to leverage tools to contain it before it starts.”
- G Mark Hardy, President of National Security Corporation
To defend against any cyberthreat, it is important to have a solid foundation of least privilege to build upon. Not only does this directly mitigate many of the tactics and techniques that are utilized by threat actors—including LockBit—but it also helps protect the rest of your security stack from being undermined.
James Maude, Lead Cyber Security Researcher
James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.