HC3 Shares Analyses of LockBit 3.0 and BlackCat Ransomware

By | December 13, 2022

The Health Sector Cybersecurity Coordination Center (HC3) has released analyses of two ransomware variants that are being used in attacks on the healthcare sector: LockBit 3.0 and BlackCat.

LockBit 3.0

LockBit ransomware was first detected in September 2019 when it was known as ABCD ransomware. Over the past three years, the ransomware has been continuously improved and updated, and it is now one of the most prolific ransomware families. In 2022, more attacks have been conducted using LockBit ransomware than any other ransomware variant. The cybercriminal group behind LockBit runs a highly professional ransomware-as-a-service (RaaS) operation with a strong affiliate program, which has helped the group stay ahead of its competitors. In a first for a ransomware operation, the release of LockBit 3.0 in June 2022 also saw the launch of a bug bounty program, where security researchers are encouraged to identify vulnerabilities to help the gang improve its operation, for which the group claims it will pay anywhere from $1,000 to $1 million. The ransomware has many anti-analysis features, including requiring a unique 32-character password to be entered each time it is launched.

LockBit 3.0 has most of the same functions as LockBit 2.0, and its code is similar to that of DarkSide and BlackMatter ransomware. It uses the same code as BlackMatter to resolve the API functions it needs, the same method for identifying logical drives, and similar debugging features. Shared functions include the ability to send ransom notes to networked printers, delete Volume Shadow Copies, and identify the victim’s operating system. The latest version of the ransomware has worm capabilities and can spread throughout the network with no human interaction. Once deployed, the ransomware will try to download several post-exploitation tools, such as Mimikatz for credential theft and the penetration testing frameworks Cobalt Strike and Metasploit.

LockBit uses double extortion tactics, first exfiltrating data and then encrypting files, with threats issued to leak victims’ data if the ransom is not paid. Data is exfiltrated using a malware called StealBit, which automates the process. Following the release of LockBit 3.0, the gang has engaged in triple extortion tactics: in addition to paying for the decryptor and paying to prevent a data leak, the victim is told to pay a further fee to buy back their stolen data. Ransom demands vary, with some attacks seeing demands of millions of dollars. Initial access is gained using a variety of methods, including phishing, RDP compromise and credential abuse, and the exploitation of known vulnerabilities, including in VPN servers.

BlackCat

BlackCat ransomware is a newer ransomware variant that was first detected in November 2021. The threat actors behind this ransomware are highly capable and are believed to have considerable experience and extensive relationships with some of the most significant players in the cybercriminal world, such as FIN12 and FIN7 (Carbon Spider). The ransomware is also one of the most technically sophisticated variants in use, which allows it to be used in attacks on a wide range of corporate targets.

The ransomware is entirely command-line driven and human-operated and is able to use several different encryption routines. It can be configured for full file encryption, fast (partial) encryption, or DotPattern and SmartPattern encryption, with the latter two balancing strength and speed. The ransomware can self-propagate, delete Volume Shadow Copies, and terminate commercial backup software and other services and processes that protect against file encryption. It also disables hypervisors to hinder analysis.
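Both families described above delete Volume Shadow Copies before encrypting, which makes that step a useful detection point. The following Python snippet is an added example, not code from HC3's analyses or from HIPAA Journal: it runs a simple command-line check over constructed process-creation events (the field names, host names and sample commands are assumptions) and flags the common ways shadow copies are removed.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical; not taken from any real incident).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "srv02", "cmdline": "vssadmin.exe list shadows"},          # benign: enumeration only
    {"host": "ws03", "cmdline": "agent.exe --schedule nightly"},        # benign: unrelated process
]

# Command-line patterns that remove Volume Shadow Copies. Case-insensitive so that
# "VSSADMIN" or "Vssadmin.EXE" are still caught.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("win32_shadowcopy_delete", re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I)),
]


def classify(event):
    """Return the name of the first rule matching the event's command line, or None."""
    cmd = event.get("cmdline", "")
    for name, pattern in SHADOW_DELETE_RULES:
        if pattern.search(cmd):
            return name
    return None


def detect(events):
    """Return (host, rule, cmdline) tuples for every event that deletes shadow copies."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule is not None:
            hits.append((event["host"], rule, event["cmdline"]))
    return hits


def distinct_methods_per_host(hits):
    """Count distinct deletion techniques seen per host; several on one host
    within a short window is a stronger ransomware indicator than a single hit."""
    methods = defaultdict(set)
    for host, rule, _ in hits:
        methods[host].add(rule)
    return {host: len(rules) for host, rules in methods.items()}


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
    print(distinct_methods_per_host(detect(SAMPLE_EVENTS)))
```

In practice the events would come from Sysmon Event ID 1 or Windows Security Event ID 4688 (with command-line auditing enabled), and a hit should be correlated with the backup-service terminations the paragraph above mentions.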

BlackCat ransomware has been used in several attacks on the healthcare sector, with the operation known to target pharmaceutical companies and pharmaceutical manufacturers. As with LockBit, multiple methods are used to gain initial access to victims’ networks, including phishing, exploiting known vulnerabilities, compromising remote access technologies such as RDP and VPNs, and distributed attacks, including supply chain and managed service provider compromise.

The ransomware is highly customizable and relies heavily on internally-developed capabilities, which are constantly evolving. Like LockBit, the group runs a professional RaaS operation, which is one of the most sophisticated of any ransomware actor. Several security researchers believe BlackCat to be the successor to REvil, Darkside, and BlackMatter ransomware. The capabilities of the threat actors and the sophisticated nature of the ransomware itself and the RaaS operation make BlackCat ransomware a significant threat.

The post HC3 Shares Analyses of LockBit 3.0 and BlackCat Ransomware appeared first on HIPAA Journal.