LockBit 3.0 RaaS Gang Incorporates BlackMatter Capabilities

The LockBit 3.0 Ransomware as a Service (RaaS) gang has incorporated BlackMatter capabilities into its operations.

LockBit Brings BlackMatter Bits Aboard

Researchers at Trend Micro detected several similarities between LockBit 3.0 and BlackMatter. These commonalities were especially evident in the following areas:

  • Privilege escalation – This involves the abuse of native functionality and/or weaknesses to gain rights that go beyond what was originally intended for the user.
  • API harvesting – In the words of the Digital Preservation Coalition, API harvesting is when "an API allows authenticated users to extract data directly from the platform through the web." API harvesting is not necessarily malicious, though cyber threat actors (CTAs) like the operators of LockBit 3.0 and BlackMatter can use it to perpetuate their attack chains.
  • Anti-detection and evasion – CTAs may employ multiple techniques to avoid detection by traditional security tools such as anti-virus, Intrusion Detection Systems (IDSs), and Intrusion Prevention Systems (IPSs).

Let's explore the commonalities in each of these techniques below.

Privilege Escalation

In its analysis, Trend Micro found that LockBit 3.0 replicated BlackMatter's use of the ICMLuaUtil COM interface under dllhost.exe to bypass user account control (UAC) for privilege escalation. The researchers also observed the two operations duplicating the Explorer.exe token towards that same end. (Ultimately, they used 32-bit or 64-bit shellcode injection to elevate their token.)

API Harvesting

The security firm witnessed LockBit 3.0 using an externally available script to hash the API names of a DLL and then comparing those names to a list of APIs necessary for the ransomware to perform its functionality. Further investigation revealed LockBit 3.0 to be using the same script as the BlackMatter operation had used in the past.

LockBit 30s routine for API harvesting Source Trend Micro thumbnail

LockBit 3.0’s routine for API harvesting. (Source: Trend Micro)

Anti-Detection and Evasion

LockBit 3.0 used BlackMatter as its model for deleting shadow copies, thereby complicating the process of data restoration and recovery. While its previous version used vssadmin.exe for deletion, LockBit 3.0 turned to Living off the Land (LotL) in that it leveraged Windows Management Instrumentation (WMI) through COM objects. That's the same functionality employed by BlackMatter in its attacks.

Beyond deleting shadow copies, the two threats used the same technique to crash debuggers and leveraged threading when interacting with an API. Both methods made it more difficult for researchers to analyze the ransomware operations.

A Busy Year for LockBit

It's important to look back to what happened in November 2021. At that time, Bleeping Computer reported that BlackMatter's handlers were ceasing operations under increasing pressure from law enforcement. As part of the shutdown, some affiliates from BlackMatter received decryptors for negotiations with existing victims. They then moved those victims over to LockBit's negotiation site and began providing victims with links to LockBit Tor sites.

It's this transition from BlackMatter to LockBit that adds useful context not only for the similarities discussed above but also for LockBit's other activities observed this year:

  • In January, Trend Micro observed the LockBit gang targeting Linux-based ESXi servers from VMware, indicating that the operation was expanding its scope to include Linux targets.
  • About six months after that, the LockBit group became the first Ransomware-as-a-Service (RaaS) scheme to create a bug bounty platform. Those responsible for the ransomware offered up to $1 million for researchers and developers who reported vulnerabilities in their website, locker, Tox messenger, and related infrastructure, reported Spiceworks.
  • The following month, Bleeping Computer wrote about LockBit's release of a new data leak site. This platform was unique in that it became one of the first portals (along with BlackCat) to allow visitors to search for listed victims.
  • Later in July, news emerged of a Canadian town having fallen victim to LockBit. The mayor of the town told The Verge that they were working with a team of experts as part of their response to the attack.
  • It was around that same time that the LockBit gang announced its newest offering: LockBit 3.0. This update differed from LockBit 2.0 in that it didn't publicly disclose an attack initially, per VentureBeat. Instead, it gave victims the ability to extend their time to pay, wipe their extracted data, or download data for a fee. These techniques increased the total payout from each victim.
  • Similarly, in late July, the LockBit RaaS scheme stole 78 GB from Italy's tax agency and threatened to leak it if they didn't receive payment by the end of the month. Italian law enforcement launched an investigation after the data breach came to light, wrote The Register.
  • Finally, most recently in August, The Hacker News shared that LockBit 3.0 had begun abusing the command-line tool in Windows Defender to decrypt and load Cobalt Strike payloads. The threat did this after gaining initial access via a VMware Horizon server vulnerable to Log4Shell.

Conceptualizing the Risk Posed by LockBit 3.0

Before it shut down, BlackMatter was a ransomware that heavily aligned itself with Russian state interests – namely, targeting critical infrastructure and U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. That doesn't necessarily mean that there will be an increase in attacks involving LockBit. But it does signal how ransomware schemes like LockBit are becoming more pervasive and more sophisticated, thus posing a bigger risk to SLTTs in general.

Acknowledging this reality, organizations need to protect themselves against LockBit 3.0. They can do this implementing the basics of ransomware defense that are embodied in the CIS Critical Security Controls. For instance, by implementing multi-factor authentication (MFA) and email security policies, they can help reduce instances of ransomware caused by stolen credentials or phishing. They can also use an in-depth data backup plan to assist with post-ransomware recovery.

Beyond that, SLTTs and other organizations can use threat intelligence to proactively defend themselves against ransomware attacks. They can do this using the stats, data, and best practices included in the joint ransomware guide from CISA and the MS-ISAC. Additionally, they can use the CIS Endpoint Security Services (ESS), a key benefit of the MS-ISAC, to achieve device-level protection against both behavior-based (unknown) and signature-based (known) threats.