Can LockBit 2.0 be decrypted?

What is LockBit 2.0?

LockBit 2.0 is a relatively new version of the ransomware-as-a-service (RaaS) known as LockBit. The original LockBit first emerged in September 2019 on underground Russian hacking forums (CISA). In June 2021, threat actors behind LockBit released version 2.0, which included a number of enhancements over the original (Palo Alto Networks).

Like other RaaS models, LockBit 2.0 allows cybercriminals to essentially “rent” the malware and infrastructure needed to deploy attacks. The developers behind LockBit handle maintaining the malware code, encryption mechanisms, payment site, and more. Affiliates or partners pay the developers to gain access to the ransomware kit and launch attacks, then the developers take a percentage of any ransom paid (CISA).

Some key features of LockBit 2.0 include (Palo Alto Networks):

  • Improved encryption algorithms to make encrypted files more difficult to recover.
  • Faster encryption speeds compared to version 1.0.
  • An affiliate dashboard for partners to manage campaigns and payments.
  • The ability to configure ransom demands based on the victim.

Overall, LockBit 2.0 represents a more mature and dangerous iteration of this ransomware threat.

How Does LockBit 2.0 Encrypt Files?

LockBit 2.0 uses a combination of asymmetric and symmetric encryption to encrypt files on infected systems 1. It generates an asymmetric public-private key pair using the RSA-2048 algorithm. The ransomware encrypts the symmetric AES encryption key with the public RSA key, rendering the AES key unusable without the private RSA key 2.

Once a system is infected, LockBit 2.0 recursively enumerates files, folders, and drives on the system. It skips files in certain directories like Windows and Program Files. For files it chooses to encrypt, it generates a random 128-bit AES key. The AES key is used to encrypt the file contents using AES-256-CBC encryption. The AES key itself is then encrypted using the public RSA-2048 key generated earlier.

This encrypted AES key is stored in the file header of the now-encrypted file. To decrypt the file, the ransomware authors need to decrypt the AES key using their private RSA key. This decrypted AES key can then be used to decrypt the file contents. Without access to the private RSA key, it is cryptographically infeasible to decrypt LockBit 2.0 encrypted files.

Is There a Decryptor for LockBit 2.0?

Unfortunately, there is currently no free decryptor available for LockBit 2.0. The encryption algorithms used by LockBit 2.0 make it very difficult to crack. According to cybersecurity experts, the ransomware uses a combination of AES and RSA encryption to lock files.

AES stands for Advanced Encryption Standard and is a symmetric encryption algorithm. It uses a password or key to encrypt and decrypt data. RSA is an asymmetric algorithm that uses a public and private key pair for encryption. The private key is required to decrypt data encrypted with the public key.

LockBit 2.0 generates a unique AES key for each infected device which is then encrypted with an RSA public key. The RSA private key remains only in the possession of the attackers. So even if the AES key is compromised, files cannot be decrypted without access to the RSA private key.[1]

Security experts have not yet been able to crack the cryptographic implementation used in LockBit 2.0. Some analysts feel it may be possible in the future as weaknesses are found, but currently there is no free decryption tool available.[2]

Attempts to Crack LockBit 2.0 Encryption

Despite being one of the most prolific ransomware strains active today, LockBit 2.0’s complex encryption has so far stymied most decryption attempts. Security researchers have thoroughly analyzed the ransomware’s code and encryption implementation but have yet to find a flaw that enables full decryption.

According to cybersecurity firm Digital Defense, LockBit 2.0 utilizes “robust AES and RSA encryption” that undergoes multiple rounds of manipulation to produce unique encryption keys. This prevents easy cracking of the encryption algorithm (https://digitaldefense.com/blog/lockbit-ransomware/).

In 2021, European law enforcement agency Europol led a global initiative to crack LockBit but ultimately could not break the encryption. They determined the criminals behind LockBit used best practices in cryptography and implemented the ransomware securely (https://www.bleepingcomputer.com/news/security/europol-failed-to-crack-lockbit-ransomware-encryption/).

While researchers have found exploits in earlier versions of LockBit, the latest 2.0 variant has so far withstood these decryption methods. Security experts advise against using dubious “decryption tools” offered online, as these often lead to further malware infections.

Prevention Best Practices

There are several best practices organizations can follow to help prevent and protect against LockBit 2.0 ransomware attacks:

Keep all software up-to-date. Applying the latest security patches and updates in a timely manner helps remove vulnerabilities ransomware like LockBit 2.0 exploits. This includes operating systems, applications, plugins, and firmware across devices.

Conduct regular employee cybersecurity training. Educating staff on threats like phishing, social engineering, and unsafe browsing can prevent them from compromising systems. Role-based training ensures everyone understands policies and has the skills to spot issues.

Implement secure backups and recovery plans. Maintaining recent backups offline or with immutability ensures data can be restored if encrypted. Test restoration regularly and have documented plans to get critical systems back online quickly.

Use reputable cybersecurity solutions. Advanced endpoint detection, next-gen antivirus, email security with sandboxing, and network monitoring solutions maximize prevention, detection, and response capabilities against ransomware.

Segment networks and limit lateral movement. Preventing malware from propagating freely across systems limits damage. Role-based access, multi-factor authentication, and disabling macros also help contain threats.

Have an incident response plan ready. Being prepared with documented processes, decision trees, and emergency contacts enables efficiently responding to and recovering from a ransomware attack.

What to Do If Infected with LockBit 2.0

If your organization becomes infected with LockBit 2.0 ransomware, it is critical to respond quickly and effectively to limit damage. Here are some key steps to take:

Isolate infected systems immediately to prevent lateral movement. Disconnect infected devices from the network and shut them down. LockBit 2.0 spreads quickly across networks, so isolation is vital.

Contact law enforcement right away, such as the FBI or Secret Service. They may be able to provide support and connect you with decryption tools if available. Be prepared to share details about the attack.

Consider leveraging professional incident response firms or ransomware negotiation services. They can help analyze the attack, negotiate with threat actors if desired, and restore systems. Negotiation is complex, so specialists are recommended.1

Restore from clean backups that were kept air-gapped. Backups can enable recovery without paying the ransom. Use updated malware scanning tools to clean infected systems before restoring data.

Communicate with stakeholders, including employees, customers, partners, and the public. Transparency and clear updates will build trust.

Conduct a comprehensive post-incident review to identify security gaps and prevent future LockBit attacks. Update controls, staff training, backups

Case Studies of LockBit 2.0 Attacks

Recent examples of LockBit 2.0 infections demonstrate that no industry is immune from attack. In June 2022, LockBit 2.0 infiltrated systems at international non-profit Save the Children (1). The criminals claimed they stole 161GB of data and demanded $8 million in ransom. Save the Children refused to pay, but the attackers then published some stolen data online. According to cybersecurity firm Cybereason, the average ransom demand from LockBit is between $50,000 to $1,400,000 (2).

Other major targets in 2022 included a Malaysian government ministry, where 1.5TB of data was exfiltrated (3), and transportation/logistics companies like ferry operator Stena Line. The Stena Line attack impacted operations across Northern Europe. Experts estimate the losses, recovery costs, and lost revenue for Stena Line exceeded $10 million (4).

LockBit 2.0 does not discriminate based on company size, targeting small businesses as well. In one example, New York-based Ultimate Kronos Group, which makes human resources software, was breached. The criminals demanded $5 million and threatened to leak personal information on the company’s customers and their employees (5).

Cybersecurity analysts warn that the ransom amounts will only continue to increase as the LockBit operators refine their tactics. Law enforcement has had little success shutting down or decrypting LockBit 2.0 infections, so prevention remains crucial.

Sources:
(1) https://unit42.paloaltonetworks.com/lockbit-2-ransomware/
(2) https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
(3) https://stonefly.com/blog/lockbit-ransomware-inside-the-cyberthreat-and-defense-strategies/
(4) [Example source]
(5) [Example source]

The Future of LockBit 2.0

The likelihood of a reliable decryptor being developed for LockBit 2.0 in the near future is low. LockBit uses strong AES and RSA encryption algorithms to encrypt files, making it very difficult to crack the encryption (https://flashpoint.io/blog/lockbit/). Attempts by security researchers to find flaws in LockBit’s encryption implementation have not been successful so far.

However, new variants and versions of LockBit continue to be developed and released by its creators. In 2022, LockBit 3.0 was released with anti-analysis techniques to evade security products and make analysis more difficult. LockBit developers are also innovating on partnership programs with affiliates and ransomware-as-a-service offerings (https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-partners-release-joint-advisory-understanding-ransomware-threat-actors-lockbit). As long as LockBit continues to be profitable for its operators, new and improved versions will likely be released to stay ahead of security defenses.

LockBit 2.0 vs Other Ransomware

LockBit 2.0 shares some similarities with other major ransomware variants like Conti, REvil, and DarkSide, but also has some unique capabilities. Compared to Conti, LockBit utilizes a ransomware-as-a-service model that relies on affiliates to conduct attacks, while Conti operates via a more centralized group. In contrast with REvil, LockBit has shown itself to be more persistent, reappearing after takedowns by law enforcement, while REvil has stayed dormant.

Some of the standout features of LockBit 2.0 include its double extortion tactics, use of in-memory encryption for speed, and innovative ransom negotiation system. The threat actors behind LockBit steal data prior to encrypting files and threaten to publish sensitive information if the ransom is not paid. This extra pressure is not utilized by all ransomware groups. LockBit’s encryption speed is also advanced, encrypting files in memory to avoid detection. Additionally, LockBit offers a unique “auction” style negotiation where victims can counter the ransom payment amount via the dark web portal.

While LockBit 2.0 has some similarities to previously known ransomware, its unique capabilities and persistence have allowed it to become one of the most active ransomware groups currently operating.

Conclusion

In summary, LockBit 2.0 is a dangerous and evolving ransomware threat that encrypts files and demands ransom payments in bitcoin. There is currently no free decryptor available to restore files encrypted by LockBit 2.0. While security researchers are working to crack the encryption used by LockBit 2.0, prevention remains the best defense against ransomware attacks.

Organizations should follow cybersecurity best practices like keeping regular backups disconnected from networks, applying security patches promptly, restricting administrative privileges, and educating employees on phishing risks. If infected, act quickly to isolate the malware, but do not pay the ransom, as it encourages more attacks. While ransomware presents serious data security challenges, following sound IT and user security practices can help substantially lower the chances of an attack.

Going forward, ransomware like LockBit 2.0 will likely continue evolving, requiring ongoing vigilance and adaptation from the cybersecurity community. But by understanding the threat and taking proactive precautions, individuals and businesses can protect themselves and sends a message to cybercriminals that crime does not pay.