Lockbit 3.0 and the ransomware business model


“Make Ransomware Great Again!”

With this proclamation, the notorious LockBit ransomware group released its latest ransomware-as-a-service offering, LockBit 3.0 (or LockBit Black, as the group calls it).

Notably, the new offering focuses on data exfiltration, as opposed to the encryption of files on a victim’s machine. 

The group also published a set of “Affiliate Rules” and announced what cybercrime experts say is a first for the dark web: a bug bounty program. This purportedly offers a $1 million payout for those who reveal personally identifiable information (PII) on high-profile individuals, as well as any web security exploits. 

“We invite all security researchers, ethical and unethical hackers on the planet,” the group posted upon the release of LockBit 3.0. 

With the recent disbanding of cybercrime syndicate Conti, this new iteration puts LockBit at the forefront of the ransomware landscape. It also signifies the growing use and increased sophistication of the ransomware-as-a-service (RaaS) model.

“Ransomware-as-a-service has increased the speed at which gangs can develop effective new code bases and business models,” said Darren Williams, Ph.D., CEO and founder of cybersecurity company BlackFog. “This underground network of gangs works closely together and shares knowledge to maximize profits.”

Ransomware-as-a-service: A new economy

RaaS is a criminal take on the popular software-as-a-service (SaaS) enterprise model. Through subscription, affiliates can use ransomware tools developed by expert coders to carry out ransomware attacks. Affiliates then earn percentages of successful ransom payments. 

According to cybersecurity experts, its proliferation is a signal that cybercrime syndicates are becoming more and more like professionally run entities. It also marks a new era of commoditized cybercrime. 

Lockbit 3.0, specifically, is still early in its lifecycle, Williams pointed out, but he added that “there is no doubt” that other cybergangs will replicate its behaviors and business models. “It doesn’t take long for novel techniques to trickle down to other groups, especially when they have been successful,” he said. 

According to a report from NCC Group’s Strategic Threat Intelligence team, ransomware attacks decreased by 42% in June compared to the previous month. But, the firm cautions, this should not be taken as a sign that ransomware is on the decline – quite the opposite, actually. 

The reduced activity is due largely to the recent disbanding of Conti and the retirement of LockBit 2.0, according to NCC Group. LockBit remained the clear leader, with 55 victims – 244% more attacks than the second-top threat actor Black Basta. By contrast, attacks by Conti fell 94% as the group is disbanding and integrating itself into other, smaller syndicates. 

The most targeted sectors, according to NCC Group, were industrials (37%), consumer cyclicals (18%) and technology (11%). 

Ransomware incident response firm Coveware reports that the average ransom paid by victims reached $211,529 in the first quarter of 2022. Attackers also typically demand ransom payments in Bitcoin only.

An ever-changing landscape

According to BlackFog, ransomware has been around for nearly as long as the World Wide Web itself, but it is dramatically increasing due to shifts in working patterns – notably, the rise of hybrid and remote environments – as well as higher reputational and regulatory penalties (public exposure of data can be much more damaging, and the legal consequences of failing to prevent data breaches are “higher than ever”), and easier access to ransomware tools.

The company’s most recent “Ransomware Trend Report” has revealed a renewed focus on weaker targets, including education (a 33% increase), government (25% increase) and manufacturing (24% increase). 

This is evidenced by attacks in June on the University of Pisa (which paid a $4.5 million ransom), Brooks County in Texas (which paid its $37,000 ransom with taxpayer money), and the Cape Cod Regional Transit Authority. 

All told, BlackFog recorded 31 publicly disclosed ransomware attacks in June. 

Matt Hull, global lead for strategic threat intelligence at NCC Group, ultimately pointed to “huge changes” in the ransomware threat scene, adding that “it is clear we are in a transitory phase.”

“This is an ever-changing landscape that needs to be monitored continuously,” he said. 

LockBit: What it is and its latest iteration

LockBit emerged in 2019, but its ransomware didn’t gain significant traction until the launch of LockBit 2.0 in the second half of 2021. After critical bugs were discovered in LockBit 2.0 in March, its authors set to work updating encryption routines and adding new features to thwart researchers.

“Interestingly and surprisingly,” the group “very blatantly” claimed to be from the Netherlands, said Drew Schmitt, principal threat intelligence consultant with cybersecurity company GuidePoint Security. The group also stated that former USSR countries cannot be targeted because most of its members grew up there. According to Schmitt, this gives credibility to the common hypothesis that the majority of ransomware groups are operating out of Eastern Europe and Russia. 

Ultimately, LockBit “continues to be at the forefront of the threat landscape and the most prominent threat actor,” according to a monthly report from IT security company NCC Group. 

Most notably, LockBit 3.0 is pioneering a new ransomware concept of extorting victims directly and not – at least initially – publicly disclosing an attack, explained Williams. The group gives victims various choices requiring a fee: extending the time given to pay by 24 hours, wiping extracted data immediately, or downloading data. 

“This unique approach maximizes the potential ransom that can be extracted from each victim,” said Williams. It also adds “even more expediency” to LockBit’s extortion mechanism.

Meanwhile, according to LockBit’s “Affiliate Rules,” critical infrastructure cannot be encrypted, but data can still be stolen. This explicitly calls out that “it’s not the encryption of the files, just data theft,” said Schmitt. “You can’t encrypt it, but you can steal all the data you want.”

This is particularly interesting, he said, because until now there has been no delineation between encrypting information systems associated with critical infrastructure and stealing data associated with critical infrastructure. This explicit definition allows affiliates to still attack critical infrastructure, steal data, and pursue major payouts, but without experiencing the blowback seen by other groups attacking critical infrastructure.

LockBit is also drawing “more explicit rules” when it comes to attacks on previously taboo industry verticals – including educational institutions, so long as they are private and for-profit schools. The group also allows for the no-restrictions targeting of medical-related institutions such as pharmaceutical companies, dental clinics and plastic surgery providers. 

Still, they “draw the line” anywhere that human beings may be harmed, and prohibit attacks against healthcare and other institutions focused on lifesaving medical treatment. Even in those cases, though, affiliates are still allowed to steal data.

As Schmitt noted, “It seems that LockBit is taking extortion in a somewhat new direction and giving affiliates more opportunities to monetize criminal activity outside of the traditional double-extortion methodology.” 

Vetting affiliates 

LockBit has also provided an “unprecedented public view” of its affiliate vetting and application process, said Schmitt. The group has announced that “every candidate to join our affiliate program should understand that we are constantly trying to be hacked and harmed in some way” as its rationale for having such a heavy vetting process. Its requirement of a Bitcoin deposit is assurance that a potential affiliate is not a journalist, security researcher or a member of law enforcement, Schmitt explained.

Additional criteria for vetting and maintaining affiliate status include:

  • Being active in working with the LockBit software package. 
  • Having the ability to earn more than 5 Bitcoins per month. 
  • Providing links to profiles on various hacker forums, proof of experience with other affiliate programs, and current balance of crypto accounts. 
  • Vetting technical capability and proof of previously conducted attacks. 

Similarly, the group’s announced bug bounty program is an effort to improve the quality of the malware and financially reward those who assist. There is a $1 million reward on offer to anyone who can uncover the identity of the program affiliate manager, said Schmitt. Similarly, the group offers bounties to disgruntled employees to work from the inside of companies and discover vulnerabilities within their systems.

Preventing extortion 

As Williams noted, LockBit’s new options change how organizations must measure risk associated with exfiltrated data, “as anyone at any time can purchase their data.”

To protect themselves, organizations must focus on endpoint security, he said. This is the practice of securing endpoints or entry points to prevent the exploitation of end-user devices such as desktops, laptops, and mobile and IoT devices. It is particularly critical as more devices connect to an organization’s network, Williams said, and as traditional solutions such as firewalls become less effective in stopping the new generation of advanced attacks.

On-device anti-data exfiltration tools can help ensure that, even if cybercriminals do gain access to a network or device, they will not be able to steal data. These tools also have geo-blocking features that deny the transfer of data to certain countries – Russia or North Korea, for instance – that a given business would not otherwise be communicating with, Williams explained.

Organizations would also do well to monitor connections between IP addresses and networks and compare those to known malware command-and-control centers, Williams said. And it is crucial that businesses have the capability to identify anomalies in traffic – whether these be suspicious data transfer volumes, odd destinations, or transfers performed outside typical working hours.
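As an added illustration of the checks Williams describes (this is example code, not anything from the article, BlackFog or NCC Group), the following reviews constructed outbound flow-log lines for known command-and-control matches, geo-blocked destinations, unusual transfer volumes and off-hours transfers. The log format, the thresholds, the "known C2" address (a TEST-NET placeholder, not a real indicator) and the per-host daily baseline are all assumptions.

```python
# Added example: a minimal outbound-flow review applying the exfiltration
# anomaly checks described in the text. All values below are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log: local timestamp,src,dst,dst_country,bytes_out.
# The dst_country field is assumed to come from a GeoIP lookup upstream.
SAMPLE_LOG = """\
2022-06-14T10:05:00,10.0.0.5,203.0.113.5,US,120000
2022-06-14T11:30:00,10.0.0.7,198.51.100.23,NL,4096
2022-06-14T02:17:00,10.0.0.5,203.0.113.9,DE,734003200
2022-06-18T15:00:00,10.0.0.9,203.0.113.77,RU,2048
2022-06-14T14:00:00,10.0.0.5,203.0.113.10,DE,450000000
"""

KNOWN_C2 = {"198.51.100.23"}          # placeholder (TEST-NET-2), not a real IoC
BLOCKED_COUNTRIES = {"RU", "KP"}      # geo-blocking policy mentioned in the text
PER_FLOW_LIMIT = 500 * 1024 * 1024    # 500 MiB in a single flow; assumed baseline
PER_HOST_DAILY_LIMIT = 1024 ** 3      # 1 GiB per source host per day; assumed
WORK_HOURS = range(8, 19)             # 08:00-18:59 local, Monday to Friday

def parse(log: str):
    """Turn the constructed CSV-style log into (ts, src, dst, country, bytes) tuples."""
    flows = []
    for line in log.strip().splitlines():
        ts, src, dst, cc, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, cc, int(nbytes)))
    return flows

def flow_reasons(ts, dst, cc, nbytes):
    """Per-flow checks: C2 match, geo-block, single-flow volume, off-hours."""
    reasons = []
    if dst in KNOWN_C2:
        reasons.append("known-c2")
    if cc in BLOCKED_COUNTRIES:
        reasons.append("geo-blocked")
    if nbytes >= PER_FLOW_LIMIT:
        reasons.append("volume")
    if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
        reasons.append("off-hours")
    return reasons

def review(log: str):
    """Return {(src, dst_or_date): [reasons]} for flagged flows and for hosts
    whose summed daily outbound volume exceeds the assumed baseline."""
    flagged, daily = {}, defaultdict(int)
    for ts, src, dst, cc, nbytes in parse(log):
        daily[(src, str(ts.date()))] += nbytes
        if reasons := flow_reasons(ts, dst, cc, nbytes):
            flagged[(src, dst)] = reasons
    for key, total in daily.items():
        if total >= PER_HOST_DAILY_LIMIT:
            flagged[key] = ["daily-volume"]
    return flagged
```

The per-host daily sum catches a host that stays under the single-flow limit on every transfer but still moves an unusual amount of data over the day; real deployments would derive both thresholds from observed baselines rather than fixed constants.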

Rather than following traditional defensive strategies, Williams said, organizations should focus specifically on anti-data exfiltration. “If the gangs cannot steal your data,” he said, “they have nothing they can extort you with in the first place.”

Originally appeared on: TheSpuzz