Introduction: –
Have you ever heard of RaaS? Perhaps not. You may instead have heard of SaaS (Software as a Service), PaaS (Product as a Service) or IaaS (Infrastructure as a Service). Today you will learn about RaaS, which, unlike those services, does not really provide a service; it causes headaches and trouble. RaaS stands for “Ransomware as a Service”.
In case you don’t know, ransomware is malicious software or code that an attacker injects or installs in order to take control of your system. In this article we will look at LockBit, a notorious group of hackers who have used RaaS as their main source of income and have compromised the security of large organizations.
Understanding LockBit!!!
LockBit is a cybercriminal group offering ransomware as a service (RaaS). The software developed by the group (also called the ransomware) enables malicious actors who are willing to pay for it to carry out attacks in two stages: they not only encrypt the victim’s data and demand a ransom, but also threaten to leak the data publicly if their demands are not met. LockBit was the world’s most prolific ransomware in 2022. In early 2023 it was estimated to be responsible for 44% of all ransomware incidents globally.
Government agencies have not formally attributed the group to any nation-state. Software with the name “LockBit” appeared on a Russian-language cybercrime forum in January 2020. The group is financially motivated. In February 2024 law enforcement agencies seized control of the LockBit dark web sites used for attacks. However, further attacks with LockBit ransomware were reported afterwards, with the group attempting a comeback. LockBit 3.0 was in high demand on the Ransomware as a Service (RaaS) market, which explains the sudden and steep rise in LockBit 3.0-linked attacks.
About LockBit 3.0 RaaS Software: –
LockBit software, written in C and C++ (a .NET rewrite, LockBit-NG-Dev, was under development at the time of the 2024 takedown), gains initial access to computer systems through purchased access, unpatched vulnerabilities, insider access, and zero-day exploits, in the same way as other malware. LockBit then takes control of the infected system, collects network information, and steals and encrypts data.
Demands are then made for the victim to pay a ransom so that their data is decrypted and available again, and so that the perpetrators delete their copy, under the threat of otherwise making the data public. (While the data was not published if the ransom was paid, it was found when LockBit was taken down by law enforcement that the data had not been deleted.)
LockBit gained attention for its creation and use of the malware called “StealBit”, which automates transferring data to the intruder. This tool was introduced with the release of LockBit 2.0, which has fast and efficient encryption capabilities. To expand their reach, LockBit also released Linux-ESXI Locker version 1.0, targeting Linux hosts, particularly VMware ESXi servers.
Trouble they made: –
Now that we have understood the purpose, motivation and existence of this group, let’s see what impact they have made in recent years. LockBit has targeted various industries globally, with the healthcare and education sectors the biggest victims. According to Trend Micro, in terms of attack attempts, the United States, India and Brazil are the top targeted countries.
- ICBC Financial Services
- Infosys McCamish Systems (IMS)
- Corbeil-Essonnes Hospital – ransom: US$10 million
- Pentadron PLC automotives – ransom: US$60 million
- and many more.
For Infosys McCamish Systems, the encrypted data included: –
- Social Security Number (SSN)
- Date of birth
- Medical treatment/record information
- Biometric data
- Email address and password
- Username and password
- Driver’s License number or state ID number
- Financial account information
- Payment card information
- Passport number
- Tribal ID number
- U.S. military ID number
Techniques used to trap users: –
LockBit RaaS operators frequently gain initial access by exploiting vulnerable Remote Desktop Protocol (RDP) servers or by using compromised credentials purchased from affiliates. Other initial access vectors include phishing emails with malicious attachments or links, brute-forcing weak RDP or VPN passwords, and exploiting vulnerabilities such as CVE-2018-13379 in Fortinet VPNs.
Once on a host, the LockBit payload is often executed on Microsoft Windows via command-line arguments, scheduled tasks, or PowerShell tooling such as PowerShell Empire. LockBit uses tools such as Mimikatz, GMER and Process Hacker, along with registry edits, to gather credentials, disable security products, and evade defenses. It enumerates network connections to identify high-value targets such as domain controllers, using scanners such as Advanced Port Scanner.
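As an added example (written for this article, not taken from it or from any LockBit analysis), here is a small Python detector for two of the behaviours described above: a burst of failed RDP logons from a single source, and a burst of files renamed to the “.abcd” extension the article mentions. The log format and every sample line are constructed for the example; a real deployment would parse Windows security and file-audit events instead.

```python
"""Toy detections for two LockBit behaviours: RDP password brute force
and mass renaming of files to the ".abcd" extension.  The log format
and all sample lines below are CONSTRUCTED for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "<ISO time> <event> key=value ..."
SAMPLE_LOG = """\
2024-03-01T02:00:01 LOGON_FAIL src=203.0.113.9 user=admin proto=rdp
2024-03-01T02:00:02 LOGON_FAIL src=203.0.113.9 user=admin proto=rdp
2024-03-01T02:00:03 LOGON_FAIL src=203.0.113.9 user=administrator proto=rdp
2024-03-01T02:00:04 LOGON_FAIL src=203.0.113.9 user=backup proto=rdp
2024-03-01T02:00:05 LOGON_FAIL src=203.0.113.9 user=svc proto=rdp
2024-03-01T02:00:06 LOGON_OK src=203.0.113.9 user=svc proto=rdp
2024-03-01T02:10:00 LOGON_FAIL src=198.51.100.4 user=alice proto=rdp
2024-03-01T03:00:00 FILE_RENAME host=fs01 path=C:\\share\\q1.xlsx.abcd
2024-03-01T03:00:00 FILE_RENAME host=fs01 path=C:\\share\\q2.xlsx.abcd
2024-03-01T03:00:01 FILE_RENAME host=fs01 path=C:\\share\\hr.docx.abcd
2024-03-01T03:00:01 FILE_RENAME host=fs01 path=C:\\share\\notes.txt.abcd
2024-03-01T09:00:00 FILE_RENAME host=ws07 path=C:\\Users\\bob\\draft.docx
"""

def parse(line):
    """Split one constructed log line into (timestamp, event, fields)."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), event, fields

def sliding_burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside any `window`."""
    times = sorted(times)
    for i in range(len(times)):
        j = i + threshold - 1
        if j < len(times) and times[j] - times[i] <= window:
            return True
    return False

def detect(log, fail_threshold=5, rename_threshold=4, window=timedelta(minutes=1)):
    """Return alert strings for RDP brute force and .abcd rename bursts."""
    fails, renames = defaultdict(list), defaultdict(list)
    for line in log.splitlines():
        ts, event, f = parse(line)
        if event == "LOGON_FAIL" and f.get("proto") == "rdp":
            fails[f["src"]].append(ts)           # failed RDP logons per source
        elif event == "FILE_RENAME" and f["path"].lower().endswith(".abcd"):
            renames[f["host"]].append(ts)        # encrypted-file renames per host
    alerts = [f"rdp_bruteforce src={s}" for s, t in fails.items()
              if sliding_burst(t, fail_threshold, window)]
    alerts += [f"mass_rename_abcd host={h}" for h, t in renames.items()
               if sliding_burst(t, rename_threshold, window)]
    return alerts
```

Running `detect(SAMPLE_LOG)` flags the five failed logons from 203.0.113.9 and the four .abcd renames on fs01, while the single failure from 198.51.100.4 and the ordinary rename on ws07 stay quiet.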
LockBit malware was previously known as “.abcd”, after the file extension that was added to encrypted files as they were made inaccessible.
LockBit was first observed in September 2019.
LockBit 3.0 code leak: Bug Bounty Irony: –
In late June 2022, the group launched “LockBit 3.0”, the latest variant of their ransomware, after two months of beta testing. Notably, the group introduced a bug bounty program, the first of its kind among ransomware operations. They invited security researchers to test their software in order to improve its security, offering substantial monetary rewards ranging from US$1,000 to $1 million.
LockBit operators were keen on preventing non-members from obtaining the decryption tool. Since it was first detected in the wild in mid-June, LockBit 3.0 has been reported consistently from over 33 of Sectrio’s honeypot locations, indicating its prevalence and global presence. It even outcompeted rivals such as Hiveleaks and Blackbasta in the number of victims infected since launch, as documented by Sectrio’s threat researchers.
In November 2022, the United States Department of Justice announced the arrest of Mikhail Vasiliev, a dual Russian and Canadian national, in connection with the LockBit RaaS campaign. According to the charges, Vasiliev allegedly conspired with others involved in LockBit, a ransomware variant that had been used in over 1,000 attacks globally as of November 2022.
According to reports, the operators of LockBit had made at least $100 million in ransom demands, of which tens of millions had been paid by victims. The arrest followed a 2.5-year investigation into the LockBit ransomware group by the Department of Justice.
Conclusion: –
The leaked source code of LockBit 3.0 marks a significant turning point in the cyber threat landscape, highlighting the escalating risks posed by Ransomware-as-a-Service (RaaS) operations. The leak not only exposes the inner workings of one of the most notorious ransomware groups but also potentially empowers other malicious actors to create more sophisticated and widespread attacks. As cybercriminals grow bolder, the need for robust cybersecurity measures and global cooperation has never been more critical. The leak serves as a stark reminder of the evolving threats in the digital age and of the importance of staying vigilant against them.
Thank you for reading till the end 😊. I hope you learned something from this; for more articles on similar topics, stay tuned. If you’re interested in knowing more about ransomware (RaaS) attacks, you can read about Toyota Hacked!!!
Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?