How Does LockBit Ransomware Work? Decryption And Data Recovery

Find out how LockBit ransomware works and spreads. How do we proceed with the deletion, decryption and recovery of data?

What is LockBit ransomware?

LockBit is ransomware that falls into the category of RaaS, or ransomware as a service.

Specifically, it is a cryptovirus of the Cryptolocker family designed to steal sensitive data from victims that are returned only after the ransom payment.

Also known as the ABCD virus, it started spreading in September 2019.

It is ransomware that targets businesses rather than individuals.

One of the most recent and disastrous attacks by the LockBit ransomware was launched last year against Accenture, the Irish giant of strategic and management consulting.

As reported by the investigation conducted by Palo Alto Networks’ Unit 42, the variant of LockBit 2.0 has the most significant number of known victims: 850.

This figure, however, does not consider a large number of companies and individuals who do not make ransomware attacks public in order not to compromise the image.

Much greater numbers are circulating on the sites of the hacker group, for a total of 12,125 victims.

Definition of LockBit

Being ransomware, LockBit falls into the category of malware and is responsible for cyber attacks that aim

After logging on to your computer, this malicious software encrypts files making them unusable.

LockBit 2.0 ransomware

After the name change in July 2021, the hacker group responsible for LockBit released a new extension shortly after.

The new malware enhances some of the features of its predecessor to deliver more effective attacks.

Given the danger of LockBit 2.0, the FBI released, at the beginning of 2022, a document that warns about the potential of this ransomware:

“LockBit 2.0 is best described as a heavily obfuscated ransomware application that takes advantage of bitwise operations to decode lines and load modules needed to evade detection. Upon startup, LockBit 2.0 translates the strings and necessary code to import the required modules […]. At the start of the infection, Lockbit 2.0 deletes the log files and shadow copies residing on the disk.”

Once installed on the device, the LockBit 2.0 version encrypts all files saved on a local and remote disk, but avoids those associated with the system’s primary functions.

When it has completed its actions, it is deleted from the device and activates the persistence module when the PC is started.

LockBit ransomware group

LockBit belongs to the group of crypto-ransomware.

Another example of this category of a virus is Sodinokibi ransomware.

Crypto ransomware is the most common type: at the beginning of its spread, it attacked devices via instant messaging applications.

Attack methods to date include many more strategies, but the aim is always to encrypt the victim’s files.

The most famous ransomware of this family is CryptoLocker which has revolutionized the world of cybercrime ever since it appeared on the scene.

As reported by PurpleSec, in 2021, the CryptoLocker variant, Poenix, was confirmed as the third in terms of turnover, with 55 million dollars.

It precedes Conti ($ 175 million) and DarkSide ($ 80 million).

How does LockBit ransomware work?

LockBit is ransomware that acts in a targeted manner.

Unlike much other ransomware that acts through spam campaigns, this one studies and chooses its victims to target.

Its operating logic focuses on specific steps in rapid succession:

• Blocking of routine operations carried out by the PC;
• Stealing of relevant sensitive data;
• Attempt to extort a sum of money.

The last point is typical of all ransomware: hackers ask for a ransom in exchange for the decryption key that allows the operating system of infected PCs to be restored.

If the company decides not to pay, criminals threaten to publish all files online, susceptible ones.

The evolution of this virus, LockBit 2.0, is ransomware infecting the PC through phishing campaigns.

How does LockBit ransomware propagate?

How LockBit ransomware propagates is roughly always the same.

Its objectives tend to be medium and large companies.

According to data collected by Trend Micro, the sectors most attacked are those of health, education and technology.

The numbers refer to the period between 1 July 2021 and 20 January 2022, and the threats detected by the organization’s software.

In this way, targeted attacks are converted into chain attacks: once it enters the network, LockBit infects all connected devices.

Once the infection spreads, this ransomware can encrypt any computer system accessible via a network.

In the case of companies targeted by these ransomware attack, the hosts are infected first.

Later, LockBit manages to recognize other similar ones and, after connecting them, the infection spreads through a script.

Everything happens automatically, without the need for any human intervention to trigger the attack.

To fully achieve their goals, hackers using LockBit resort to predefined tools, such as Windows Powershell and Server Message Block (SMB).

Who Uses LockBit?

The criminal group behind LockBit is based in Eastern Europe and is pro-Russian.

As in the case of other RaaS, affiliates retain 70% to 80% of the proceeds of the attacks, while the developers of LockBit keep the remainder.

A kind of call to action was recently launched to recruit new affiliates, the first program to reward bugs.

The goal is to discover the vulnerabilities of the virus, solve them and make it more effective.

As of February 2020, LockBit revealed to the world how dangerous this ransomware is.

A report produced by Interpol confirms this finding by explaining that during the first phase of the pandemic, a massive ransomware campaign was conducted on the American continent through LockBit.

This was mainly aimed at medium-sized companies.

Within these organizations, hackers find the perfect target for their attacks: generally, these companies cannot afford an interruption of services and, therefore, immediately pay the ransom.

In May 2022, according to an analysis conducted by the NCC Group, LockBit was the most widespread ransomware.

LockBit was responsible for 40% of attacks that month, followed by Conti.

Phases of the LockBit attack

There are many TTPs (techniques, tactics and procedures) developed to target victims.

In general, however, recurring phases can be identified in the attack of the LockBit ransomware:

• Exploit: ransomware exploits credentials used multiple times on different platforms or vulnerabilities such as ProxyShell;
• Execution: through scheduled actions, LockBit is executed through command lines executed in a hidden window;
• Persistence: compromised accounts can be used to maintain access to the network or, in rare cases, reports are created specifically for this purpose;
• Privilege escalation: LockBit forces application privileges, ignoring user controls;
• Defense evasion: to avoid attracting the victim’s attention and carrying out its attack undisturbed, this ransomware uses hidden windows and disables anti ransomware software;
• Exfiltration: in some cases, LockBit 2.0 will limit the size of the data transfer to escape the radar of any monitoring service that a user may have set up;
• Final impact: at this point the data has been encrypted and the criminals are demanding a ransom to send the encryption key.

The salient phases of the attack will be considered below.

Exploit

In the first phase of the attack, LockBit scans the network to check for any weak points.

In general, ransomware attacks make use of social engineering to infect organizations.

However, the Proofpoint report shows that 95% of organizations are infected through brute force attacks.

Hackers compromised the cloud servers hosting the data in 32% of cases.

With LockBit hackers force the Remote Desktop Protocol (RDP) which allows you to connect, access and control data on a remote host but as if you were doing it locally.

Public applications such as ProxyShell and Windows SysInternals PsExec, used in both runtime and persistence, are mainly used to launch attacks.

Infiltration

When the hacker enters via ProxyShell, the web shells become a convenient access point.

LockBit 2.0 uses a Windows User Account Control (UAC) bypass tool.

On the Microsoft page dedicated to the topic, UAC is described as:

“It’s a fundamental component of Microsoft’s overall security vision. UAC helps mitigate the impact of malware.”

This tool allows the user to manage the consent for administrator access to the various applications that run on the PC.

If you manage to force this token, the user does not have control over the activities of his device and the hacker has access to all the information.

From this moment on, LockBit begins to act with absolute autonomy.

The real purpose of this second phase is to hinder or prevent automatic system recovery.

In the first place, therefore, we proceed with the deactivation of all security programs, starting with the antivirus.

It relies on the concern of the victims who either give up and pay the ransom or see sensitive and essential data for the company go online.

Almost all the victims, wanting at all costs to restore encrypted files, and bring the operating system back to normal, prove to be inclined to pay.

HelpRansomware, on the other hand, points out that it is vitally important not to pay the ransom.

Many criminals don’t hand over the decryption key after payment, so you won’t solve the problem and only show yourself as an easy target.

Implementation

In the third and final phase, implementation, also known as infiltrate deployment, the encryption payload occurs.

The apex of the danger of the cryptovirus in question is found precisely in this phase.

All the company’s PCs are reached and infected, and all the devices connected to the network are attacked.

Once executed, LockBit locks all system files and a document containing the ransom note is released inside each folder.

It is necessary to insert a personalized decryption key to get out of this impasse.

Remember: don’t give in to blackmail, don’t pay the ransom!

According to Veeam’s annual report, 48% of companies that experienced a ransomware attack could not recover their data.

Contact HelpRansomware specialists before it’s too late – the team specializes in ransomware elimination and encrypted data recovery.

Types of threats from LockBit

Each malware family has different types of ransomware, which also applies to LockBit.

Since it was created, this ransomware has undergone various changes to its code.

This procedure is entirely natural and is because in conjunction with the evolution of ransomware, ransomware decryption tools also evolve.

Hacking groups, therefore, in order not to lose profits and continue to attack victims by extorting money, modify the source strings of the virus to escape control.

Extension .abcd 

Before changing its name to LockBit, this ransomware showed itself with the “.abcd” extension.

Once the PC or device was infected, this first version of LockBit encrypted all documents and files on the disk by adding the .abcd extension.

Only in this way could the victim be aware of the attack and the ransom note that the virus issued inside each file folder.

In addition, the virus deleted user data, backups and shadow copies.

Initially, it was unknown which group of criminals was hiding behind this ransomware.

What is certain is that the virus immediately proved its danger: large companies hit by ransomware worldwide, but subsequent versions have become more sophisticated from time to time.

.LockBit extension

In its second version, this ransomware adds an extension that reveals its name: “.LockBit“.

Compared to the previous variant, LockBit records some changes in the management of applications from the back-end.

In this case, the ransomware does not require you to download the Tor browser for the ransom note, but directs the victims to an alternative website via traditional internet access.

The second version of LockBit enters the device by forcing administrative permissions of applications.

By disabling the UAC security alerts, applications can run as an administrator without the user’s permission.

Furthermore, this ransomware can also be responsible for double extortion.

Since the virus copies all the files of the victim, in case the ransom is not paid, the victim receives the threat of having all personal data published online.

.LockBit versione 3.0 

A new version of the ransomware called LockBit 3.0 was recently released.

This variant encrypts files on the victim’s computer by adding the extension “HLJkNskOq” to each file.

The ransomware decrypts the strings and codes while the device is running and then creates a mutex that allows you to determine when to launch the attack.

It also creates multiple threads to perform different tasks simultaneously so that you can encrypt files faster.

To gain access to the service control manager database and delete them, LockBit 3.0 renames the API (Application Programming Interface) “OpenSCManagerA ()”.

As a final action, the ransomware changes the device’s background with an image explaining how to proceed to decrypt ransomware files and pay the ransom.

The screen reads that hackers will disclose the victim’s data if they do not follow the instructions in the indicated time.

LockBit deletion and decryption

The key word is timeliness if you’ve been the victim of a LockBit ransomware attack.

You need to act quickly to be able to recover encrypted files from your PC or other device affected by this cryptovirus.

The elimination of LockBit 2.0 is not a simple process due to the penetration capacity of the virus.

This ransomware can be difficult to eradicate because it can hide in files, shortcuts, or settings already installed on your computer.

First of all you need to equip yourself with good anti-malware and anti-ransomware that can find all traces of LockBit.

The best and safest way to remove ransomware is to use a powerful automatic removal tool that saves you time and effort.

Can LockBit be decrypted?

Like any ransomware threat, sensitive data is targeted, using a specific encryption algorithm.

These are kept blocked until the ransom of the requested sum is paid.

Eventually, the malicious software generates a text file, named Restore-My-Files.txt.

The file contains all the steps that the victim must follow to be able to decrypt LockBit.

The bad guys must be contacted by e-mail so that they can send the whole procedure aimed at restoring the encrypted files.

To convince the victim, hackers are willing to unlock files by example.

Don’t be fooled: don’t pay the ransom!

In most cases, neither the payment of the ransom nor the use of decryption tools is needed to open encrypted files.

Likewise, deleting the ransomware from your device is not enough: even if you manage to remove LockBit from your PC, you will not be able to recover your data.

Can LockBit 2.0 be decrypted?

LockBit 2.0 and its later version LockBit 3.0 are more aggressive than the previous ones.

If this ransomware has attacked you, your best bet is to consult with specialists as a decryption tool has not yet been created.

HelpRansomware offers effective solutions depending on the virus, guaranteeing to eliminate the ransomware from your device and restoring all damaged files.

The first step remains to eliminate the threat from the device, then you could try to restore your data by recovering the backup.

One thing you absolutely must not do, however, is to restore the system or format the PC, because in this way you will lose any possibility of recovering the data.

How to recover LockBit ransomware data

The procedure for restoring encrypted files depends on the type of system activity on your device, but the methods are similar.

What you will read below is only applicable if you have made a backup of your device data.

If you have not made any backups, there is no way to be able to remove the ransomware and decrypt files automatically.

In the first step, in the case of Windows 7 and Windows XP, start the computer in safe mode:

• Click on the “Start” button and press the F8 key repeatedly until the “Windows Advanced Option” menu appears on the screen;
• Select from the “Safe Mode with Networking” list.

With Windows 8 and 10, the procedure is quite similar, you will have to click F5 repeatedly.

If you could not start your pc in safe mode with networking, you should opt for system restore.

In this way you will be able to recover the files saved from the last backup.

How to protect yourself from LockBit ransomware?

In the case of ransomware, prevention is the best defense.

Having a well-defined protection plan against this threat limits the chances of being attacked and reduces damage if the attack is successful.

To protect yourself from ransomware follow these tips:

• Enter complex alphanumeric passwords and update them continuously;
• Use multi-factor authentication;
• Ask for user account authorization;
• Limits the granting of administrator privileges to the performance of specific activities;
• Keep your accounts active, daddy or inactive accounts are an excellent opportunity for hackers;
• Always keep the applications you use up to date;
• Use periodic backups to have your data saved both online and offline: hard drives and other external devices are essential;
• Segment networks so sensitive data isn’t concentrated on a single device.

The latest report by Entrust demonstrates the importance of a data protection strategy that includes file encryption by the company.

62% of respondents admit that their company has an encryption plan that applies to the entire company.

This is also linked to another aspect that companies must never underestimate: staff training.

What should I do if my data is encrypted by LockBit?

If LockBit has attacked you, you should know that a tool capable of decrypting files has not yet been released.

Nonetheless, there are steps you can take:

• Take a screenshot of the ransom note, it will be helpful to identify the type of ransomware that attacked you;
• Report the crime to the competent authorities,
• Disconnect the device from the network: this will prevent the virus from spreading to other connected devices;
• Turn off your machine: While LockBit may continue to encrypt data in the background, this step reduces the chances;
• Don’t communicate with hackers;
• Contact specialists immediately.

The last point is the key: contact HelpRansomware to take advantage of its data decryption and recovery services.

Conclusions

Falling victim to a ransomware attack is easier than it sounds.

In the following guide we have explained to you how you can protect yourself from LockBit ransomware and these are the conclusions you can draw:

• LockBit is cryptovirus ransomware that falls into the category of RaaS (ransomware as a service);
• The LockBit 2.0 variant has the most significant number of known victims, 850;
• In 2021, the CryptoLocker Poenix variant was confirmed as the third in terms of turnover, with 55 million dollars;
• The sectors most attacked by LockBit are those of health, education and technology;
• The main phases of the LockBit attack are exploit, infiltration and implementation;
• There are several variants of LockBit, each more dangerous and lethal than the previous one;
• Companies must have a data protection strategy that also includes file encryption.

As for the decryption of files encrypted by LockBit, it is a complicated process because there are no automatic tools.

The best option in this and any other case is to contact specialists.

The HelpRansomware team is experienced in identifying and eliminating ransomware and decrypting infected files.