SlowMist: The Mystery of the World's Number One Ransomware Gang LockBit
Written by: 23pds@SlowMist
Team Background
In September 2019, the LockBit ransomware made its official debut, known at the time as "ABCD" ransomware because it marked encrypted victim files with the .abcd suffix. The early version, LockBit 1.0, was quite immature: the encryptor used a fixed mutex and left debug functions in place, both of which made it easy for antivirus software and sandboxes to identify and block.
As the organization grew, LockBit 1.0 began to operate under a RaaS (Ransomware-as-a-Service) model, developing and distributing ransomware tools for other malicious actors to use, and promoting its collaboration plans on a well-known Russian forum, XSS.
Eight months later, the LockBit 1.0 operators upgraded their ransom strategy by creating a site for publicly disclosing victim data, in conjunction with file encryption, attempting to further pressure victims to achieve the goal of "double extortion."
After several minor upgrades, LockBit 1.0's methods became more sophisticated than those of other ransomware of the time. The encryption process targeting Windows systems used RSA + AES to encrypt files, employing I/O completion ports (IOCP) and the AES-NI instruction set to improve throughput, resulting in a high-performance encryption process. Once encryption completed, every victim file carried the .abcd extension and could not be recovered without the key.
During the LockBit ransomware 1.0 period, ransom information was primarily displayed by modifying the victim's system desktop wallpaper, leaving a ransom note named Restore-My-Files.txt, demanding that victims log into the dark web to pay the ransom in Bitcoin or Monero.
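The two host-level artefacts named above, the .abcd extension and the Restore-My-Files.txt note, are enough to build a simple triage scan for an incident responder. The following Python script is an added example, not SlowMist's tooling or anything from the LockBit operators; it builds a constructed directory layout mimicking a partially encrypted share, walks it, and reports which directories show either indicator. The directory names and file contents are assumptions.

```python
"""Host-side triage for the LockBit 1.0 artefacts the article names:
the .abcd extension on encrypted files and the Restore-My-Files.txt note.
Added example, not SlowMist's tooling; the sample tree is constructed."""
import os
import tempfile

RANSOM_NOTE = "Restore-My-Files.txt"   # ransom note name given in the article
ENCRYPTED_EXT = ".abcd"                # extension LockBit 1.0 appended (article)


def scan_tree(root):
    """Walk `root` and return per-directory findings.

    Returns a dict: directory -> {"encrypted": [names], "note": bool}.
    Only directories with at least one indicator are included.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sorted(f for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        has_note = RANSOM_NOTE in filenames
        if encrypted or has_note:
            findings[dirpath] = {"encrypted": encrypted, "note": has_note}
    return findings


def summarize(findings):
    """Collapse findings to the counts a responder needs first."""
    return {
        "dirs_hit": len(findings),
        "encrypted_files": sum(len(v["encrypted"]) for v in findings.values()),
        "ransom_notes": sum(1 for v in findings.values() if v["note"]),
    }


def build_sample_tree():
    """Create a constructed layout that mimics a partially encrypted file share."""
    root = tempfile.mkdtemp(prefix="lockbit_demo_")
    layout = {
        "finance": ["q1.xlsx.abcd", "q2.xlsx.abcd", RANSOM_NOTE],  # hit, note dropped
        "hr": ["handbook.pdf"],                                    # untouched
        "hr/archive": ["old.docx.abcd"],                           # hit, no note yet
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = scan_tree(root)
    for d, info in sorted(hits.items()):
        print(f"{os.path.relpath(d, root)}: {len(info['encrypted'])} encrypted, "
              f"note={info['note']}")
    print(summarize(hits))
```

Reporting per directory rather than per file matters because the note is dropped per folder; a folder with encrypted files but no note (as in hr/archive above) usually means encryption was still in progress when the host was isolated.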
The group later gained notoriety due to several high-profile attacks. For example, in June 2022, they launched LockBit 3.0, which included a bug bounty program inviting security researchers to test and improve their software. Offering rewards for discovering system vulnerabilities was a unique practice in the ransomware space.
Since its inception, LockBit has had a significant impact on cybersecurity, with its attacks often resulting in the theft of sensitive data and financial losses for victims.
"Glorious" History
Before May 2022, LockBit was virtually unchallenged, penetrating the defenses of over 850 enterprises worldwide, accounting for 46% of all ransomware-related attack incidents during that period.
RaaS Agent Model:
Attack Methods:
According to data from cybersecurity company Dragos, about one-third of ransomware attacks targeting industrial systems in the second quarter of 2022 were initiated by LockBit, causing significant damage to many large enterprises in the industrial control sector. A report released by Deep Instinct indicated that in the first half of 2022, LockBit's ransomware attacks accounted for approximately 44% of the total number of attacks.
In just three years, the number of victims of the LockBit ransomware group has exceeded 1,000, double that of the veteran ransomware organization Conti, and more than five times that of Revil.
It is worth mentioning that the ransom recovery rate of the LockBit ransomware organization is also higher than that of many established ransomware groups. According to data from 2022, over half of the ransom demands, which reached $100 million, were successful, instilling fear in countless enterprises.
Current Situation
In light of this, the group has attracted the attention of global law enforcement agencies. In November 2022, the U.S. Department of Justice (DoJ) charged Mikhail Vasiliev, a dual citizen of Russia and Canada, with participating in LockBit ransomware operations. He is currently detained in Canada, awaiting extradition to the U.S.
In May, Russian national Mikhail Pavlovich Matveev, also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, was charged by the U.S. Department of Justice for involvement in multiple ransomware attacks.
The U.S. Department of Justice released two indictments accusing Matveev of attacking numerous victims across the U.S. using three different ransomware strains, including law enforcement agencies in Washington D.C. and New Jersey, as well as organizations in the national healthcare and other sectors:
- Around June 25, 2020, Matveev and his LockBit accomplices attacked a law enforcement agency in Passaic County, New Jersey;
- On April 26, 2021, Matveev and his Babuk accomplices attacked the Metropolitan Police Department in Washington D.C.;
- Around May 27, 2022, Matveev and his Hive accomplices attacked a non-profit behavioral health organization in New Jersey.
On February 19, 2024, the notorious ransomware group LockBit's website was seized in a joint law enforcement operation by the UK's National Crime Agency, the FBI, Europol, and Interpol:
The U.S. Treasury (treasury.gov) released the related sanctions information, including personnel details and BTC and ETH addresses:
We used MistTrack to check the funding situation of the sanctioned ETH address (0xf3701f445b6bdafedbca97d1e477357839e4120d):
Analysis revealed that the funds in this ETH address have been completely laundered.
Next, we analyzed the situation of the sanctioned BTC addresses and found that the earliest transaction for these addresses could be traced back to October 2019, with the most recent transaction dating back to March 2023, and the relevant funds in each address have been transferred.
Among them, the address receiving the largest amount was 18gaXypKj9M23S2zT9qZfL9iPbLFM372Q5, which belongs to Artur Sungatov, an associate of LockBit, and has been marked by MistTrack as a Binance Deposit address, with the funds already transferred.
Secondly, the address 32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM received 52.7892 BTC, which belongs to Ivan Kondratyev, an associate of LockBit, and has been marked by MistTrack as a Kucoin Deposit address. This address received 0.4323 BTC transferred from another sanctioned address, bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng6.
The U.S. government, in conjunction with the UK and Europol, released more information about the LockBit ransomware organization, revealing that LockBit has 193 branches:
The Mystery of Arrests
According to a spokesperson for the UK's National Crime Agency, LockBit's services have been disrupted, marking a continuous and evolving operation. This action is the latest initiative in the years-long struggle between law enforcement and ransomware groups, delivering a significant blow to LockBit's recent transnational extortion operations and effectively deterring the increasingly rampant ransomware attacks.
We checked LockBit's nodes, and every known LockBit ransomware website is either offline or displaying a seizure notice from EUROPOL. Law enforcement has seized or dismantled at least 22 Tor sites in what it calls "Operation Cronos."
After this, LockBit ransomware group managers confirmed to the media that their website had been seized:
However, it seems this seizure did not affect LockBit's core personnel, as the LockBit ransomware organization subsequently sent a message to individuals on Tox: "The FBI messed up the server using PHP; the backup server without PHP was not affected."
Today the plot took a turn: it was reported that LockBit's management had been contacted about the law enforcement announcement that the LockBit leadership would be unmasked on Friday, February 23, 2024.
LockBit responded: "Let them reveal it; I am sure they do not know my identity." Subsequently, the LockBit ransomware group changed its name to "FBI Supp" to mock law enforcement:
According to @vxunderground, it now seems that the ultimate mastermind has not been captured, and LockBit is even publicly offering a larger bounty for the public to find them.
The story is becoming more intriguing, as law enforcement claims they will release more information about the LockBit organization in the coming days.
What will happen next? We shall see.
Conclusion
This crackdown is the latest in a series of law enforcement measures against ransomware groups. At the end of last year, the FBI and other agencies successfully dismantled the networks and infrastructure of several ransomware groups, including Qakbot and Ragnar Locker.
At the recent Munich Cyber Security Conference, the Deputy Attorney General of the United States emphasized the U.S. commitment to combating ransomware and cybercrime, proposing to adopt faster and more proactive strategies focused on preventing and disrupting these criminal activities.
With the development of digital technology, cybercrime relying on cryptocurrencies has become a significant global challenge. Cybercrimes like ransomware not only cause losses to individuals and businesses but also pose serious risks to society as a whole. Statistics show that last year, cybercriminals extorted over $1.1 billion from victims worldwide.
Moreover, ransomware governance is a contest between cyber attackers and security personnel, requiring patience, strategy, and timing.
Taking LockBit ransomware as an example, its continuous iteration and updating of attack methods, strategies, and intrusion points make it difficult for security personnel to form a complete remediation system. Therefore, in the process of ransomware governance, prevention is far more important than remediation. A systematic, comprehensive approach, systematic governance, and multi-party collaboration should be adopted to create a wall against ransomware. It is strongly recommended that everyone take the following protective measures:
- Use complex passwords whenever possible: When setting passwords for servers or internal enterprise systems, use complex login credentials that include numbers, uppercase and lowercase letters, and special symbols, with a minimum length of 8 characters, and change passwords regularly.
- Two-factor authentication: For sensitive systems within the enterprise, add a layer of defense on top of password-based login to prevent account takeover, such as biometric verification (fingerprint or iris recognition) or physical USB key authenticators.
- Four don'ts: Do not open emails from unknown sources; do not browse pornographic, gambling, or other harmful websites; do not install software from unknown sources, and be cautious with software sent by strangers; do not plug unknown USB drives, external hard drives, flash drives, or other removable storage into devices.
- Data backup protection: The real guarantee against data loss is always an offline backup, so critical data and business systems must be backed up. Backups should be clearly labeled at each stage so that if one backup is infected by malware, a clean one can be restored promptly.
- Regular antivirus scans and port closures: Install antivirus software, keep the virus database updated, and run full system scans periodically; close unnecessary services and ports (including unnecessary remote access services such as ports 3389 and 22, and unnecessary local network sharing ports such as 135, 139, and 445).
- Enhance employee security awareness: The biggest hidden danger in production security lies with people. Phishing, social engineering, poisoning, weak passwords, and other key factors are all closely tied to personnel security awareness, so improving it is essential to raising the organization's overall defensive capability.
- Timely patching of office terminals and servers: Patch operating systems and third-party applications promptly to prevent attackers from exploiting known vulnerabilities to gain a foothold.
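The port-closure step above is easy to state and easy to let slip, so it is worth making checkable. The following Python script is an added example, not SlowMist's tooling: it parses netstat-style output (the sample below is constructed), flags the remote-access ports (3389, 22) and LAN-sharing ports (135, 139, 445) named in the list, and rates loopback-only binds lower than externally reachable ones. The `allowed` parameter, for ports a documented business need keeps open, is an assumption of this example.

```python
"""Listening-port audit for the hardening step above: flag exposed remote-access
and SMB/RPC ports (3389, 22, 135, 139, 445) in netstat-style output.
Added example, not SlowMist's tooling; the sample output is constructed."""
import re

# Ports the article singles out as unnecessary on most hosts.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH"}
LAN_SHARING_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}
RISKY_PORTS = {**REMOTE_ACCESS_PORTS, **LAN_SHARING_PORTS}

# Matches `netstat -an` lines on Windows ("LISTENING") and Linux ("LISTEN").
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTEN(?:ING)?\s*$", re.I)

# Constructed sample: a workstation with SMB/RPC and RDP exposed on all interfaces.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3389         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49152         10.0.0.9:445           ESTABLISHED
"""


def parse_listeners(text):
    """Return (bind_address, port) pairs for every listening TCP socket."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def is_externally_bound(addr):
    """True unless the socket is bound to a loopback address only."""
    return not (addr.startswith("127.") or addr in ("::1", "[::1]"))


def audit(text, allowed=()):
    """Return findings for risky ports that are listening.

    `allowed` (assumed parameter) lists ports with a documented need to stay open,
    e.g. 3389 on a dedicated jump host. Loopback-only binds are reported as "info".
    """
    findings = []
    for addr, port in parse_listeners(text):
        if port not in RISKY_PORTS or port in allowed:
            continue
        findings.append({
            "port": port,
            "service": RISKY_PORTS[port],
            "bind": addr,
            "severity": "high" if is_externally_bound(addr) else "info",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"[{f['severity']}] {f['service']} (tcp/{f['port']}) bound to {f['bind']}")
```

Run it against real output by piping `netstat -an` into a file and passing the text to `audit`; anything rated "high" that is not on the allow list is a port the checklist says to close or firewall.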
Acknowledgments: WuBlockchain, @vxunderground, Xitan Laboratory, Yunding Laboratory