Analyst1 presents a human-centric examination of the LockBit operation, tracing its evolution from ABCD to LockBit Red/Black and detailing the personalities, inter-gang dynamics, and operational innovations behind one of the world’s most prolific ransomware organizations. The piece blends open-source data with insider-style insights to explore motivations, tools, and tactics, including the rise of LockBit’s RaaS model, data exfiltration, and public relations stunts. #LockBit #LockBitRed #LockBitBlack #StealBit #RaaS #Accenture #Entrust #DarkSide #BlackMatter #Fin7
Key points
- Analyst1 uses human intelligence to profile LockBit leadership (LockBitSupp) and the gang’s internal culture, motivations, and vulnerabilities.
- LockBit originated as ABCD ransomware, then rebranded to LockBit with a rapid shift to a fully automated RaaS model (LockBit Red, later LockBit Black).
- LockBit’s RaaS attracted affiliates with fast encryption, self-propagation, a centralized admin panel, and an affiliate-controlled payout model.
- The group developed StealBit, a native data-exfiltration tool with defense-evasion features, integrated into LockBit’s admin panel for brokers/affiliates.
- LockBit’s evolution included Linux-ESXi targeting, Wake-on-LAN capabilities, and a Tor-based admin interface to streamline operations.
- Internal dynamics, cross-gang links (DarkSide/BlackMatter/BlackCat/REvil/Conti) and the notion of a fictitious “ransomware cartel” are explored, with the author arguing there was no true cartel or centralized revenue-sharing.
- High-profile incidents include an Accenture insider breach, DDoS retaliation against Entrust, and exploitation of a 0-day Exchange vulnerability, illustrating LockBit’s aggressive, tech-forward approach.
MITRE Techniques
- [T1133] External Remote Services – LockBit gained initial access by exploiting unpatched, vulnerable VPN software. “[LockBit gained access by exploiting unpatched, vulnerable VPN software.]”
- [T1016] System Network Configuration Discovery – The attacker read the ARP table on the first infected host to identify other victim hosts and their IP addresses. “[patient zero performs an ARP request to obtain the MAC addresses of connected hosts and their associated IP addresses listed in the ARP table.]”
- [T1021.002] SMB/Windows Admin Shares – To identify and move laterally, the attacker used SMB to identify networked devices and shared resources. “[to identify networked devices and shared resources, such as file servers, domain controllers, and other high-value target systems.]”
- [T1059.001] PowerShell – The operation relied on PowerShell to execute commands and scripts. “[The use of PowerShell to execute commands and run scripts.]”
- [T1110] Brute Force – LockBit leadership brute-forced an administrative account to obtain credentials for deployment. “[LockBit leadership brute-forced an administrative account to acquire the credentials necessary to deploy ransomware and infect the first host.]”
- [T1486] Data Encrypted for Impact – The ransomware encrypts the victim’s files and presents a ransom message. “[All Your Important Files Are Encrypted!]”
- [T1041] Exfiltration Over C2 Channel – LockBit’s StealBit exfiltration tool is used to copy data and exfiltrate it from the victim environment. “[StealBit also includes built-in defense evasion techniques and can delete itself after use.]”
- [T1070] Indicator Removal on Host – The campaign included clearing and deleting logs and erasing traces to hinder detection. “[clear and delete logs, and remove shadow copies that could allow users to restore data.]”
- [T1490] Inhibit System Recovery – The ransomware operation sought to hinder recovery by removing shadow copies that could restore data. “[remove shadow copies that could allow users to restore data.]”
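The last three techniques in this list (PowerShell execution, log clearing, and shadow-copy removal) are the ones a defender can most readily catch in process-creation telemetry. The following detection sketch is an added example, not code from Analyst1 or the report; the event records are constructed in Sysmon style and the field names (`host`, `image`, `cmdline`) are assumptions. It tags each command line with the MITRE technique it matches and then reports hosts where both recovery inhibition (T1490) and log clearing (T1070) were observed, which is the pairing the article describes immediately before encryption.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (hypothetical Sysmon-style fields).
# These are not taken from the Analyst1 report.
SAMPLE_EVENTS = [
    {"host": "ws01",  "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01",  "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "srv02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "ws03",  "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
    {"host": "srv02", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
]

# (technique id, description, command-line pattern). Patterns cover the
# well-known built-in utilities ransomware uses for these techniques.
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copy deletion (vssadmin)",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "Inhibit System Recovery: shadow copy deletion (WMI)",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Inhibit System Recovery: boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I)),
    ("T1070", "Indicator Removal on Host: event log cleared",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    ("T1059.001", "PowerShell: hidden window or encoded command",
     re.compile(r"powershell(\.exe)?.*(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)", re.I)),
]


@dataclass(frozen=True)
class Detection:
    host: str
    technique: str
    description: str
    cmdline: str


def scan_events(events):
    """Return one Detection per (event, matching rule) pair."""
    hits = []
    for ev in events:
        for tid, desc, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append(Detection(ev["host"], tid, desc, ev["cmdline"]))
    return hits


def hosts_by_technique(hits):
    """Map technique id -> set of hosts on which it was observed."""
    out = {}
    for h in hits:
        out.setdefault(h.technique, set()).add(h.host)
    return out


def impact_chain_hosts(hits):
    """Hosts where both recovery inhibition (T1490) and log clearing (T1070)
    were seen; this combination deserves an immediate containment response."""
    by = hosts_by_technique(hits)
    return sorted(by.get("T1490", set()) & by.get("T1070", set()))


if __name__ == "__main__":
    detections = scan_events(SAMPLE_EVENTS)
    for d in detections:
        print(f"{d.host:6} {d.technique:10} {d.description}: {d.cmdline}")
    print("hosts with T1490 + T1070:", impact_chain_hosts(detections))
```

The rules deliberately key on the command line rather than the image path, because the binaries involved are legitimate Windows tools; it is the argument pattern, and the combination of techniques on one host within a short window, that separates ransomware staging from routine administration.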
Indicators of Compromise
- [URL] Clearnet and Tor domains used by the operation: hxxps://lockbitsupp[.]uz, hxxps://lockbitapt[.]uz, and onion domains such as hxxp://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd[.]onion (many more onion URLs are listed in the article).
- [URL] Additional domains and onion links used for data-leak sites and command-and-control-like communications, including hxxp://ppaauuaa11232.cc/dlx5rc.dotm and hxxp://ppaauuaa11232.cc/aaa.exe.
- [URL] Decoding site and related infrastructure: hxxps://decoding.at/ and hxxps://bigblog.at.
- Other IOCs include multiple onion domains and decentralized data-leak sites referenced in the article (see the full IOC table there).
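The indicators above are published defanged (`hxxp`, `[.]`), so they have to be normalized before they can feed a DNS blocklist or a proxy log search. The script below is an added example, not part of the Analyst1 report; it parses text in the same defanged style, refangs it, separates Tor hidden services from clearnet hosts, and keeps any file paths for URL-level matching. The sample text is constructed from the indicators quoted on this page and is never fetched.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the same defanged style as the IOC list above.
IOC_TEXT = """
- [URL] hxxps://lockbitsupp[.]uz, hxxps://lockbitapt[.]uz
- [URL] hxxp://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd[.]onion
- [URL] hxxp://ppaauuaa11232.cc/dlx5rc.dotm and hxxp://ppaauuaa11232.cc/aaa.exe
- [URL] hxxps://decoding.at/ and hxxps://bigblog.at
"""

# Common defanging conventions, in the order they are undone.
DEFANG_SUBS = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]

# Match defanged URLs up to whitespace or list punctuation.
URL_RE = re.compile(r"hxxps?://[^\s,\"'()<>]+", re.I)


def refang(s):
    """Turn a defanged indicator back into its real form."""
    for pat, repl in DEFANG_SUBS:
        s = pat.sub(repl, s)
    return s


def extract_urls(text):
    """Pull defanged URLs out of free text, refang them, and de-duplicate
    while preserving the order in which they appear."""
    urls = []
    for m in URL_RE.finditer(text):
        u = refang(m.group(0)).rstrip(".,;")
        if u not in urls:
            urls.append(u)
    return urls


def classify(url):
    """'tor' for .onion hidden services, 'clearnet' for everything else."""
    host = urlsplit(url).hostname or ""
    return "tor" if host.endswith(".onion") else "clearnet"


def build_blocklist(text):
    """Return sorted host lists per category plus per-host file paths.
    Tor hosts are unreachable via normal DNS, so they belong in Tor-egress
    monitoring rather than a resolver blocklist."""
    tor, clearnet, paths = set(), set(), {}
    for url in extract_urls(text):
        parts = urlsplit(url)
        host = parts.hostname
        if not host:
            continue
        (tor if classify(url) == "tor" else clearnet).add(host)
        if parts.path and parts.path != "/":
            paths.setdefault(host, []).append(parts.path)
    return {"tor": sorted(tor), "clearnet": sorted(clearnet), "paths": paths}


if __name__ == "__main__":
    bl = build_blocklist(IOC_TEXT)
    print("clearnet hosts:", bl["clearnet"])
    print("tor hosts:     ", bl["tor"])
    print("paths:         ", bl["paths"])
```

Keeping the indicators defanged until the last step is deliberate: the refanged strings exist only inside the process that writes the blocklist, so a stray copy of the intermediate data is never a clickable link.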
Read more: https://analyst1.com/ransomware-diaries-volume-1/