In-Depth Analysis Report on LockBit 5.0: Operation and Countermeasures
Summary:
The AhnLab Security Emergency response Center (ASEC) has released a comprehensive analysis of LockBit 5.0, the latest iteration of the dominant Ransomware-as-a-Service (RaaS) group, which accounted for approximately 21% of known ransomware attacks in 2023. The group targets a wide array of sectors, including IT, electronics, and legal firms, and frequently uses its "Stealbit" tool to exfiltrate sensitive data before encryption begins. After initial access, typically gained through vulnerability exploitation, phishing, or compromised credentials, the malware runs an encryption routine built on ChaCha20-Poly1305 and X25519+BLAKE2b.
To maximize impact and inhibit recovery, LockBit 5.0 stops the Volume Shadow Copy Service (VSS) and terminates a hard-coded list of backup and security processes (e.g., Veeam, Acronis, Veritas). It also deletes files in specific temporary directories (e.g., C:\Users\{Username}\AppData\Local\Temp) so that encryption time is spent on valuable user data rather than on disposable files. Its file renaming strategy generates 100 random 8-byte extensions per execution, so a single infection scatters many different extensions across the host and extension-based identification becomes unreliable. Encryption is also adapted to file size: files larger than 0x5000000 bytes (80 MiB) are encrypted in intermittent chunks rather than in full to shorten run time, while critical system directories are excluded so the host remains functional enough to display the ransom note.
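The size threshold and intermittent chunking described above matter to defenders because a large file ends up as a mix of ciphertext and untouched plaintext, so a whole-file entropy heuristic can score it as "normal" even though it is unrecoverable. The following Python snippet is an added illustration written for this summary, not code from the ASEC report or from LockBit itself. It reproduces the size-based decision with the report's 0x5000000 threshold and simulates intermittent encryption by overwriting alternating chunks with random bytes as a stand-in for ciphertext; the 64 KiB chunk size, the alternation pattern, and the use of random bytes instead of ChaCha20 output are assumptions made for the demo, not details from the report.

```python
import math
import random
from collections import Counter

# Threshold reported by ASEC for LockBit 5.0: files above this size are
# encrypted intermittently rather than in full. 0x5000000 bytes == 80 MiB.
SIZE_THRESHOLD = 0x5000000

# Assumed chunk size for the simulation. The report does not give the chunk
# geometry, so this value is a placeholder, not LockBit's.
CHUNK = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def encryption_mode(size: int) -> str:
    """Size-based decision as described in the report: strictly larger
    than the threshold means intermittent encryption."""
    return "intermittent" if size > SIZE_THRESHOLD else "full"


def simulate_intermittent(plaintext: bytes, rng: random.Random) -> bytes:
    """Stand-in for intermittent encryption: overwrite every other CHUNK with
    random bytes (a proxy for ciphertext) and leave the rest untouched."""
    out = bytearray(plaintext)
    for off in range(0, len(out), 2 * CHUNK):
        end = min(off + CHUNK, len(out))
        out[off:end] = rng.randbytes(end - off)
    return bytes(out)


def chunk_entropies(data: bytes) -> list[float]:
    """Entropy of each CHUNK-sized slice of the file."""
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def looks_encrypted(data: bytes, threshold: float = 7.9) -> dict:
    """Compare a whole-file entropy check with a per-chunk check. A per-chunk
    maximum above the threshold flags partially encrypted files that the
    whole-file average misses."""
    whole = shannon_entropy(data)
    per_chunk = chunk_entropies(data)
    return {
        "whole_file_entropy": whole,
        "max_chunk_entropy": max(per_chunk),
        "whole_file_flag": whole > threshold,
        "per_chunk_flag": any(e > threshold for e in per_chunk),
    }


# Constructed sample: about 1 MiB of repetitive text standing in for a
# document. Files above SIZE_THRESHOLD behave the same way; 1 MiB keeps the
# demo fast.
SAMPLE = (b"quarterly revenue figures, do not distribute. ") * (1024 * 1024 // 46)
_rng = random.Random(1337)  # fixed seed so the demo is reproducible
ENCRYPTED_SAMPLE = simulate_intermittent(SAMPLE, _rng)

if __name__ == "__main__":
    print("mode for 80 MiB + 1 byte:", encryption_mode(SIZE_THRESHOLD + 1))
    print("plaintext:", looks_encrypted(SAMPLE))
    print("intermittently encrypted:", looks_encrypted(ENCRYPTED_SAMPLE))
```

Run as a script, the whole-file check stays below the threshold on the intermittently encrypted sample while the per-chunk check trips, which is why any entropy-based canary or file-integrity rule for large files should score chunks, not the file as a whole.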
Security Officer Comments:
The persistence of the LockBit brand highlights the resilience of the RaaS economy despite global law enforcement pressure. The "version 5.0" update signifies continued development and investment by the operators to evade detection and increase encryption speed. Of particular concern to our broad membership is the malware’s hard-coded list of services to terminate, which specifically targets enterprise-grade backup and security solutions: if an affiliate gains access to your environment, their tooling is designed to dismantle your safety nets before you are aware of the intrusion. Organizations should treat the unexpected stopping of backup services or security agents not as a glitch but as a potential precursor to ransomware deployment.
Suggested Corrections:
Immutable and Offline Backups: Since LockBit 5.0 actively targets and terminates backup services, ensure you have immutable backups that cannot be altered or deleted, along with offline copies (air-gapped) that are inaccessible from the network.
Behavioral Monitoring: Configure EDR/SIEM tools to alert on the unexpected termination of critical services, such as VSS (service names VSS and swprv) and the specific security and backup processes identified in the report, and treat a burst of such stops on a single host as a high-priority incident rather than an operational fault.
Vulnerability Management: Aggressively patch internet-facing appliances and software, as vulnerability exploitation remains a primary entry vector for LockBit affiliates.
Identity Protection: Implement and enforce Multi-Factor Authentication (MFA) for all remote access and administrative accounts so that brute-forced or stolen passwords alone are not enough to log in.
Network Segmentation: Restrict lateral movement by segmenting networks, ensuring that a compromise in user workstations cannot easily spread to critical servers or backup repositories.
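To make the behavioral-monitoring item concrete, here is an added Python example, written for this summary rather than taken from the ASEC report or any vendor product, that runs a "watched service stopped" rule over a handful of constructed Service Control Manager event 7036 records (the event that Windows logs as "The X service entered the stopped state"). The sample records, the vendor keywords used for matching, the 120-second window, and the two-service threshold are all assumptions for the demo; in production the watchlist should be the exact service names from the report's hard-coded list, and the records would come from the SIEM or from Get-WinEvent rather than from an inline list.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed matching keywords, lowercased substrings of the service display
# name. "shadow copy" covers both VSS ("Volume Shadow Copy") and swprv
# ("Microsoft Software Shadow Copy Provider"); the vendor names mirror the
# report's examples. Replace with exact service names in production.
WATCHLIST = ("shadow copy", "veeam", "acronis", "veritas")
WINDOW = timedelta(seconds=120)   # assumed burst window
MIN_DISTINCT = 2                  # assumed: two distinct watched stops = alert


def is_watched(service_name: str) -> bool:
    """True if the service display name matches a watchlist keyword."""
    name = service_name.lower()
    return any(key in name for key in WATCHLIST)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_service_kill_burst(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Sliding-window rule: alert once per burst when at least `min_distinct`
    different watched services enter the stopped state within `window`.
    Start events, non-7036 events and unwatched services are ignored."""
    recent = deque()   # (timestamp, service) of watched stops in the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != 7036 or ev["state"] != "stopped" or not is_watched(ev["service"]):
            continue
        ts = parse_ts(ev["ts"])
        recent.append((ts, ev["service"]))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = {svc for _, svc in recent}
        if len(distinct) < min_distinct:
            continue
        # Extend the open alert if this stop belongs to the same burst,
        # otherwise open a new one.
        if alerts and ts - parse_ts(alerts[-1]["last_seen"]) <= window:
            alerts[-1]["services"] = sorted(distinct | set(alerts[-1]["services"]))
            alerts[-1]["last_seen"] = ev["ts"]
        else:
            alerts.append({"first_seen": ev["ts"], "last_seen": ev["ts"],
                           "services": sorted(distinct)})
    return alerts


# Constructed sample of System log records (provider: Service Control
# Manager, event ID 7036). Display names are illustrative, not taken from
# the report.
EVENTS = [
    {"ts": "2025-10-01T02:14:03Z", "id": 7036, "service": "Windows Update", "state": "stopped"},
    {"ts": "2025-10-01T02:31:10Z", "id": 7036, "service": "Volume Shadow Copy", "state": "stopped"},
    {"ts": "2025-10-01T02:31:11Z", "id": 7036,
     "service": "Microsoft Software Shadow Copy Provider", "state": "stopped"},
    {"ts": "2025-10-01T02:31:12Z", "id": 7036, "service": "Veeam Backup Service", "state": "stopped"},
    {"ts": "2025-10-01T02:31:14Z", "id": 7036, "service": "Acronis Agent", "state": "stopped"},
    {"ts": "2025-10-01T02:31:40Z", "id": 7036, "service": "Volume Shadow Copy", "state": "running"},
]

# A lone stop of one watched service (e.g. a scheduled restart) must not alert.
BENIGN_EVENTS = [
    {"ts": "2025-10-01T03:00:00Z", "id": 7036, "service": "Volume Shadow Copy", "state": "stopped"},
    {"ts": "2025-10-01T03:00:05Z", "id": 7036, "service": "Volume Shadow Copy", "state": "running"},
]

if __name__ == "__main__":
    for alert in detect_service_kill_burst(EVENTS):
        print("ALERT: watched services stopped within window:", alert)
    print("benign sequence alerts:", detect_service_kill_burst(BENIGN_EVENTS))
```

The rule keys on the service stop itself, which is the signal the report points to, rather than on a particular process name; pairing it with process-termination telemetry (for example Sysmon event 5 for the backup and security agents in the report's list) gives a second, independent trigger for the same behavior.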
Link(s):
https://asec.ahnlab.com/en/91945/