Is there a decryptor for LockBit?

What is LockBit?

LockBit is a type of ransomware that encrypts files on infected devices and demands a ransom payment in cryptocurrency to decrypt them. It first appeared in September 2019 and has been actively deployed in ransomware attacks since at least January 2022 (Kaspersky, 2022).

LockBit is classified as a Ransomware-as-a-Service (RaaS) because its developers enable affiliates to use the malware’s infrastructure and code to deploy attacks and take a percentage of any ransom payments. This model has allowed LockBit to become one of the most prolific ransomware strains currently in circulation (CISA, 2022).

When a device is infected with LockBit, the ransomware locates and encrypts a wide range of file types using the AES and RSA-2048 algorithms. Encrypted files are given the extension “.lockbit” (BlackBerry, 2022). To decrypt files, the attackers demand ransom payments typically between $10,000 and $200,000 in Bitcoin or Monero.

LockBit accesses devices through various vectors, including phishing emails, remotely exploited vulnerabilities, and compromised administrator credentials. Its operators frequently scan the internet for vulnerable systems and sell access to these networks to affiliates conducting ransomware campaigns (Kaspersky, 2022).

How LockBit Encrypts Files

LockBit ransomware uses advanced encryption techniques to lock victims’ files. According to Palo Alto Networks, LockBit 2.0 leverages the Advanced Encryption Standard (AES) and Elliptic Curve Cryptography (ECC) algorithms to encrypt files [1]. Specifically, it uses AES in CBC mode with 256-bit keys to encrypt file contents. Elliptic curve Diffie-Hellman is used to generate the AES encryption keys [2].

Kaspersky notes that LockBit uses RSA-1024 and RSA-2048 to encrypt the AES keys. The ransomware appends the .lockbit extension to encrypted files. Only the first 4KB of data is encrypted in each file [3]. This allows the ransomware to quickly encrypt millions of files while keeping file sizes small. The hybrid encryption scheme makes it very difficult to decrypt files without paying the ransom.
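The partial-encryption behaviour described above (only the first 4KB of each file replaced by ciphertext) leaves a measurable fingerprint that responders can use when triaging a suspect share. The following is an added example, not code from any of the sources cited on this page: it compares the byte entropy of a file's first 4KB against the remainder; the 7.5 and 6.0 thresholds and the two sample files are constructed assumptions for illustration.

```python
# Added triage helper (not from the page's sources): flags files whose first
# 4KB look like ciphertext while the rest does not, the partial-encryption
# pattern the text above attributes to LockBit. Standard library only.
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_HEAD_BYTES = 4096      # region the text says is encrypted
LOCKBIT_EXT = ".lockbit"         # extension the text says is appended
HIGH_ENTROPY = 7.5               # assumed thresholds, bits per byte
LOW_ENTROPY = 6.0

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~8.0 for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_file(path: str, head: int = ENCRYPTED_HEAD_BYTES) -> dict:
    """Compare the entropy of the first `head` bytes with the remainder."""
    with open(path, "rb") as fh:
        head_bytes, tail_bytes = fh.read(head), fh.read()
    head_e, tail_e = shannon_entropy(head_bytes), shannon_entropy(tail_bytes)
    return {
        "path": path,
        "has_lockbit_ext": path.lower().endswith(LOCKBIT_EXT),
        "head_entropy": round(head_e, 2),
        "tail_entropy": round(tail_e, 2),
        "partial_encryption_pattern": head_e > HIGH_ENTROPY and tail_e < LOW_ENTROPY,
    }

def run_demo() -> dict:
    """Write two constructed samples to a temp dir and triage both."""
    text = b"The quick brown fox jumps over the lazy dog. " * 400   # ~18 KB
    tmp = tempfile.mkdtemp()
    plain = os.path.join(tmp, "report.docx")
    with open(plain, "wb") as fh:
        fh.write(text)
    # Constructed stand-in for an affected file: random bytes replace the
    # first 4KB, the remainder stays plaintext, and ".lockbit" is appended.
    hit = os.path.join(tmp, "report.docx.lockbit")
    with open(hit, "wb") as fh:
        fh.write(os.urandom(ENCRYPTED_HEAD_BYTES) + text[ENCRYPTED_HEAD_BYTES:])
    return {"plain_sample": triage_file(plain), "encrypted_sample": triage_file(hit)}

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

A real compressed or already-encrypted file (ZIP, PDF streams, media) will show high entropy throughout, so the head/tail contrast, not the head entropy alone, is what distinguishes this pattern.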

Is There a Decryptor for LockBit?

Unfortunately, there is currently no free decryptor available for LockBit ransomware. The cybercriminals behind LockBit utilize strong encryption algorithms like RSA-4096 and AES-256 to encrypt files, making it very difficult to crack the encryption without the private key (1). Some security firms have attempted to create decryption tools, but so far none have succeeded in reliably decrypting LockBit infections.

One of the main challenges with decrypting LockBit is that each infection uses a unique encryption key generated on the victim’s computer. So there is no universal key that can decrypt all LockBit infections (2). The criminals behind the ransomware hold the private keys on their servers and will only provide the decryption tool if the ransom is paid.

While it’s not impossible that a decryption tool could be developed in the future, currently the only way to reliably recover encrypted files is by obtaining the private key from the attackers. However, paying the ransom should be an absolute last resort, and there is no guarantee that a working decryptor will be provided.

(1) https://cypfer.com/lockbit-ransomware/

(2) https://www.beforecrypt.com/en/lockbit-ransomware-removal/

Attempts to Crack LockBit Encryption

The information security community has made several attempts to crack the encryption used by LockBit ransomware variants. When LockBit first emerged in 2019, security researchers were able to find flaws in its encryption implementation that allowed free decryption in some cases [1]. However, LockBit developers subsequently strengthened their encryption scheme.

With the release of LockBit 2.0 in 2021, researchers noted the use of “an improved cryptographic scheme” that made decryption more difficult [2]. The ransomware uses a combination of AES and RSA encryption to lock files. While cryptanalysts have had some success in cracking previous ransomware strains with similar schemes, LockBit’s implementation has so far resisted such efforts.

LockBit 3.0 introduced further enhancements to stymie decryption attempts. Sophisticated tactics like anti-tamper mechanisms, encrypted configuration files, and obfuscated code have frustrated reverse engineering work. As of early 2023, there is still no free decryptor available for LockBit 3.0 victims.

Prevention of LockBit Infections

The best way to avoid a LockBit infection is through proactive prevention measures. According to Kaspersky (https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware), there are several steps organizations and individuals can take to reduce the risk of infection:

– Use strong passwords and enable multi-factor authentication wherever possible. This makes it much harder for attackers to gain access to accounts through brute forcing or credential stuffing.

– Conduct regular user account audits and remove any unused accounts. Unused accounts are prime targets for attackers.

– Ensure proper patch management for operating systems, software, and firmware. Unpatched vulnerabilities are often exploited to execute ransomware.

– Implement email security solutions to filter out phishing attacks and malware-laden attachments. LockBit is often distributed through phishing.

– Train employees on how to identify social engineering techniques and suspicious emails. Human error is a major infection vector.

– Back up critical data regularly and keep backups offline and immutable. This provides restoration capability if ransomware encrypts files.

– Use next-gen antivirus and endpoint detection and response (EDR) tools to block exploits, detect unusual activity, and stop malicious files from executing.

– Segment networks and use firewalls to restrict lateral movement after an infection. This can limit damage.

– Disable macros in Office files and limit software that runs scripts/executables. LockBit often relies on macro enablement.

Following cybersecurity best practices is key to avoiding becoming a victim of LockBit or any other ransomware operation.

Dealing with a LockBit Infection

If your organization is infected with LockBit ransomware, it is critical to take immediate action. According to Trend Micro, the first step is to isolate infected systems to prevent further spread of the malware across your network (https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit). Unplug infected devices from the network and shut them down. You should also disconnect any storage devices or backups that may have been connected to infected systems.

Notify your IT security and incident response teams so they can investigate the attack’s scope and impact. Check your backups to see if intact data is available for restoration. According to Stonefly, recovering from backups may be the best way to regain access to encrypted files without paying the ransom (https://stonefly.com/blog/lockbit-ransomware-inside-the-cyberthreat-and-defense-strategies/).

If you receive a ransom demand, do not immediately pay it. Law enforcement advises against paying ransoms since it funds criminal activity and there is no guarantee you will get your data back. You may be able to negotiate a lower ransom price, but be cautious in communicating with criminals. Consult cybersecurity experts for guidance on dealing with ransomware attacks.

Law Enforcement Options

Law enforcement agencies around the world are actively working to take down ransomware groups like LockBit and decrypt files for victims. In November 2022, the Japanese National Police Agency successfully decrypted networks infected with LockBit, although details of their decryption method remain undisclosed [1]. Other agencies like the FBI and Europol have had success decrypting other major ransomware strains like BlackCat, by taking control of the group’s leak sites and decryption keys [2].

However, law enforcement decryption efforts are still limited in scope. There is currently no widely available official decryptor for LockBit released by authorities. Victims generally cannot rely on law enforcement to decrypt their files. Investigations and takedowns take significant time, and success is not guaranteed. Still, it’s recommended to report ransomware attacks to law enforcement like the FBI’s Internet Crime Complaint Center. They may obtain decryption keys in future operations against LockBit.

Should You Pay the Ransom?

There are pros and cons to paying a ransom in a ransomware attack. Some of the potential pros of paying include:

  • You may get your data back if the attackers honor the agreement
  • It can be faster and cheaper than recovering data through other means
  • It may allow business operations to resume more quickly

Some potential cons to paying the ransom include:

  • There is no guarantee you will get your data back after payment [1]
  • It encourages further criminal activity by making cyberattacks profitable [2]
  • It may be illegal depending on laws where the attack occurred
  • It could make you a target for future attacks
  • The ransom payment can be substantial

There are also legal considerations, reputational risks, and ethical dilemmas that should be evaluated. Overall, the decision to pay a ransom is complex with reasonable arguments on both sides. Consult experts like law enforcement to explore options before deciding.

Data Recovery Without Decryption

While the most effective way to recover encrypted files is to obtain the decryption key from the attackers, this is not always possible. There are some other options for trying to recover data without paying the ransom or decrypting files.

Having a recent backup of your files is the best way to restore data without needing to decrypt it. Backup solutions like cloud storage, offline external drives, and snapshot-based backups can help restore a previous unencrypted version of your files [1]. Maintaining regularly updated backups and testing restores is crucial for protecting against ransomware.

In some cases, data recovery software like PhotoRec can help recover files by scanning the drive for file signatures rather than relying on the original filesystem [1]. However, this does not recover filenames, folder structures, or all file metadata. Data recovery without decryption typically recovers only a portion of the encrypted data.
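To make concrete what signature-based carving does and why it loses filenames, here is an added example written for this page, not PhotoRec's own code: it scans a raw byte image for PNG and JPEG header/trailer pairs and returns whatever complete files it finds. The "disk image", the file bodies, and the stand-in for an encrypted region are all constructed.

```python
# Added example: a minimal signature carver in the spirit of PhotoRec, not the
# tool itself. It ignores the filesystem and scans raw bytes for header/trailer
# pairs, which is why it recovers content but no names or folder structure.
from typing import List, Tuple

# (type, header, trailer): PNG and JPEG carry their own end markers.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
]

def carve(image: bytes, max_size: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, data) for every complete file found in image."""
    found = []
    for name, header, trailer in SIGNATURES:
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:            # header with no trailer: truncated, skip
                pos = start + 1
                continue
            end += len(trailer)
            found.append((name, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])

# Constructed stand-ins for real images (valid markers, fake bodies).
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"<constructed png body>" + b"IEND\xaeB`\x82"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"<constructed jpeg body>" + b"\xff\xd9"

def build_sample_image() -> bytes:
    """A constructed raw 'disk image': unallocated space still holding two
    deleted originals, plus a region standing in for an encrypted file
    (no recognisable header, so nothing is carved from it)."""
    zeros = b"\x00" * 256
    encrypted_stub = bytes((i * 37 + 11) % 256 for i in range(512))
    return zeros + FAKE_PNG + zeros + encrypted_stub + FAKE_JPEG + zeros

if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}: {len(data)} bytes")
```

Encrypted regions yield nothing because their headers are gone; what carving recovers are earlier, unencrypted copies that still survive in unallocated space.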

While challenging, some security researchers have occasionally found flaws in ransomware implementations that allow recovery of some files. However, this is unreliable and not a recommended approach. The most prudent strategy is maintaining recent backups according to best practices.

The Future of LockBit

LockBit ransomware continues to pose an active threat, with the developers behind it innovating to try and stay ahead of security researchers. According to CISA, “LockBit ransomware actors are prolific ransomware threat actors who are likely to continue attacking U.S. critical infrastructure organizations, especially the Information Technology and Healthcare and Public Health Sectors.”

In its threat assessment report on LockBit, CISA notes that “LockBit actors demonstrate moderate operational security by continually enhancing their malware to evade detection and hinder analysis.” It points out innovations like the implementation of a “VPN-like network overlay on victim networks to mask true attacker infrastructure.”

CISA predicts that the developers behind LockBit will continue to refine their malware and operations. Some areas where LockBit may evolve include:

  • More sophisticated encryption and anti-analysis techniques
  • Expanded attack surface targeting mobile devices and non-Windows platforms
  • Shifting infrastructure and development to jurisdictions with weaker law enforcement capabilities

While individual LockBit campaigns may slow at times, CISA assesses that the overall threat “will remain heightened given the actor’s victimology, reliance on affiliates, and continued development of ransomware-as-a-service products.” Security specialists will need to stay on top of LockBit innovations to protect organizations against this evolving threat.