Mapping LockBit to MITRE ATT&CK TTPs
How do you protect against one of the world's most prolific and successful ransomware cyber threats today? One that has an extensive list of victims, goes after enterprises as well as SMBs, and is known to disable organisations’ defensive controls.
A notorious ransomware-as-a-service (RaaS) group, LockBit has been active since 2019. Since then, it has released several ransomware variants, including LockBit, LockBit Linux-ESXi Locker version 1.0, LockBit 2.0, LockBit 3.0, and LockBit Green.
Unfortunately, regardless of the cybersecurity measures an organisation might have in place (firewalls, multi-factor authentication or MFA, antivirus/anti malware, etc.), full ransomware prevention is not realistic.
Instead, organisations must also be able to detect their adversaries' tactics, techniques, and procedures (TTPs) in real-time. One of the easiest ways to do that is to use the MITRE ATT&CK framework - threat intelligence sourced from actual attacks.
The problem? Manually mapping the behaviour of every event/log/alert in your environment to ATT&CK isn’t possible.
But it is possible to do that with the help of automation and a tool like SenseOn.
SenseOn’s platform has ATT&CK techniques built into its core. This means that instead of flagging an event as suspicious, it also connects it back to a corresponding technique in ATT&CK - making it much easier and faster to understand what threat group is behind the potential attack and simplifying incident response.
Mapping LockBit to the MITRE ATT&CK Framework
Over the last few years, cybersecurity researchers have reported on the ATT&CK techniques they’ve seen LockBit use.
Recently, the Cybersecurity & Infrastructure Security Agency (CISA) and its partners released a joint advisory on the group, which includes a collection of many of these techniques in one place.
Another CISA advisory document lists the indicators of compromise, or IOCs, associated with LockBit.
Here are some ATT&CK techniques that could indicate a LockBit ransomware campaign might be underway in your organisation.
Initial Access
LockBit frequently uses sophisticated phishing campaigns (T1566) to gain access to a network. It is not unusual for several emails to be exchanged to build trust.
Valid accounts (T1078) is another initial access technique utilised by LockBit. In a recent example, LockBit hacked a train operating company after successfully compromising a privileged Microsoft Office 365 account.
Cybercriminals affiliates with LockBit have also been observed engaging in brute force attacks on remote service accounts (T1133) and using RDP during operations (T1021.001).
Like most ransomware groups, LockBit looks for vulnerabilities in public-facing applications (T1190), too. CISA’s document on LockBit lists some of the CVEs the group and its affiliates are known to exploit.
Execution
To execute malicious commands or payloads, LockBit is known to use scripting interpreters like Windows command shell (T1059.003). It has also been observed using the open-source command line package manager Chocolatey (T1072).
Persistence
LockBit creates registry run keys (T1547.001) to maintain persistence on the network (under the technique “Boot or Logon Autostart Execution, T1547). It can also achieve persistence through valid accounts (T1078).
Privilege Escalation
The two ATT&CK techniques (Boot or Logon Autostart Execution and Valid Accounts) LockBit might use for persistence can also be used to increase permissions in victim systems.
LockBit has also been noted to escalate privileges by modifying group policy objects (T1484.001) or using a Windows User Account Control (UAC) bypass (T1548).
Defence Evasion
LockBit might perform environment keying (T1480.001), code obfuscation (T1027) or indicator removal on host: file deletion (T1070.004), as well as clear Windows event logs (T1070.001) to remove signs of intrusion activity.
LockBit is also capable of disabling or modifying security tools (T1562.001) like antivirus (including Windows Defender) and endpoint detection and response (EDR) to slow down or even completely avoid detection.
Credential Access
LockBit affiliates have been seen using credential dumping via Mimikatz.
Discovery
LockBit uses scanning tools like SoftPerfect Network Scanner to gain more information about the victim, including hostname, OS version, etc. (T1046 & T1082).
LockBit does not attack organisations in post-Soviet countries. To figure out if the target falls within this category, it checks its language settings (T1614.001).
Lateral Movement
Threat actors affiliated with LockBit use Cobalt Strike or PsExec (T1021.002) to move laterally, as well as Splashtop remote desktop software (T1021.001)
Collection
LockBit may use a third-party utility like 7-ZIP (T1560.001) to compress and encrypt data before exfiltrating it.
Command and Control
Among the command and control techniques used by LockBit is the installation of AnyDesk remote access software (T1219).
Exfiltration
Lockbit has developed and maintains its own exfiltration data tool called Stealbit. However, LockBit’s affiliates also use publicly available, legitimate file-sharing web services (T1567&T1567.002). This makes it less likely that network hosts will notice their activity.
Impact
The impact of a LockBit cyber attack includes inhibiting system recovery (T1490) and data encrypted for impact (T1486). According to one report, LockBit can encrypt as many as 25,000 files per minute, 86% faster than the median ransomware family.
LockBit affiliates also engage in DeFacement: Internal Defacement (T1491.001), i.e., changing desktop wallpaper to the ransom note.
Map LockBit MITRE ATT&CK Techniques Automatically
The faster you can identify the threat group behind an attack, the quicker you can stop it.
With every threat alert that SenseOn surfaces, it automatically maps it to the ATT&CK matrix in chronological order, making it easier to understand the stage a potential ransomware attack is in and who may be behind it.
For each technique, SenseOn also includes a link to the ATT&CK framework website that lists examples and mitigation techniques for analyst convenience.
To learn more about how SenseOn can automatically map ATT&CK techniques, try a demo.