1. The OT Ransomware Terrain
According to recent observations by TXOne Threat Research, LockBit 2.0 is a factor in a high percentage of recent ransomware attacks, and it continues to affect operations in critical infrastructure as well as OT environments including Manufacturing, Healthcare, and Retail. It’s our expectation that the LockBit ransomware family will continue to have a significant impact on these verticals – especially manufacturing. Thus, we would like to share the results of our research here to show ICS operators and vendors how to take action to secure their OT environments.
Recently, TXOne Threat Research reviewed the worldwide OT ransomware terrain. From 2021 Q4 to 2022 Q1, the overall number of ransomware attacks against Manufacturing and Retail grew slightly. Attacks against Government and Healthcare declined slightly, but their share of the total remains high. Overall, ransomware attacks have concentrated on verticals such as Manufacturing, Healthcare, and Government. By country, South Korea has seen the most significant growth in ransomware attacks since 2021 Q4, while Japan and Italy have shown slight growth.
The current statistics and data for 2022 Q1 used to write this post only include relevant data from up until 2022/03/15.
Table 1: Overview of Global Ransomware Impact by Industry
Figure 1: Proportion distribution of global ransomware attacks – By top 7 industries
Table 2: Proportion distribution of global ransomware attacks - By Top 10 Countries
2. LockBit 2.0 In Depth
After analyzing the recent proportion of each ransomware family in depth, we found that from 2021 Q2 to 2022 Q1 LockBit 2.0 showed high growth in comparison with the WannaCry, Cryptor and Locker families of ransomware. There has been significant growth in cyber attacks using LockBit 2.0 against Manufacturing and Retail, so we chose LockBit 2.0’s behavior for in-depth analysis.
Table 3: Proportion distribution of global top 10 ransomware
Table 4: Proportional distribution of LockBit 2.0 ransomware by top 5 industries
Table 5: WannaCry family ransomware proportional distribution by top 5 Industries
Table 6: Cryptor family ransomware proportional distribution by top 5 industries
Table 7: Proportional distribution of Locker family ransomware by top 5 industries
Next, we delved into the attack patterns and threats of LockBit 2.0, and found that the top five industries that LockBit 2.0 has mainly targeted since 2021 Q2 are Manufacturing, Healthcare, Retail, Technology, and Transportation. One thing we were surprised to uncover was that Healthcare has recently shown a sharp decline in LockBit 2.0-based attacks, but this doesn’t change the fact that LockBit 2.0 is still one of the core threats that we should pay attention to related to OT environments.
So how does LockBit 2.0 typically infect an OT environment? Compared with LockBit 1.0, LockBit 2.0 adds heavier sample obfuscation, multi-threaded encryption, and anti-debugging checks, all of which make analysis by malware analysts considerably harder. It also disables assets faster by encrypting only the first 4KB of each targeted file: for most file formats the overwritten header is enough to make the file unusable, while the small write per file lets the encryption sweep an entire system in a fraction of the time a full-file encryptor would need. The following diagrams show how a LockBit 2.0 attack is generally carried out.
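The head-only encryption described above leaves a recognizable pattern on disk: the first 4 KiB of a victim file looks like random data while the rest is still the original, low-entropy content. The following Python script is an added example (not TXOne's code and not a LockBit artifact) that simulates this damage on a constructed plaintext file and classifies files by comparing the Shannon entropy of the head against the remainder. The 4096-byte head length comes from the text; the 7.5 bits/byte threshold and the use of `os.urandom` as a stand-in for ciphertext are assumptions made for the example.

```python
"""Entropy check for head-only (first 4 KiB) file encryption.

Added example, not TXOne's code. It simulates a ransomware family that
overwrites only the first 4 KiB of each file with ciphertext, then classifies
files by contrasting the Shannon entropy of the head with the remainder.
The "ciphertext" is os.urandom, a stand-in for the output of any cipher;
the entropy threshold is an assumption chosen for illustration.
"""
import math
import os
from collections import Counter

HEAD_LEN = 4096       # LockBit 2.0 encrypts only the first 4 KB of each file
HIGH_ENTROPY = 7.5    # bits/byte; assumed cut-off, random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, head_len: int = HEAD_LEN) -> str:
    """Return 'intact', 'head_encrypted' or 'fully_encrypted'.

    A file no longer than head_len has no tail to contrast against, so a
    high-entropy short file is reported as 'fully_encrypted'.
    """
    head, tail = data[:head_len], data[head_len:]
    head_high = shannon_entropy(head) >= HIGH_ENTROPY
    if not tail:
        return "fully_encrypted" if head_high else "intact"
    tail_high = shannon_entropy(tail) >= HIGH_ENTROPY
    if head_high and tail_high:
        return "fully_encrypted"
    if head_high:
        return "head_encrypted"
    return "intact"


def simulate_head_encryption(data: bytes, head_len: int = HEAD_LEN) -> bytes:
    """Overwrite the first head_len bytes with random bytes (stand-in for ciphertext)."""
    return os.urandom(min(head_len, len(data))) + data[head_len:]


def sample_plaintext(size: int = 64 * 1024) -> bytes:
    """Constructed sample: a CSV-like historian export, low entropy throughout."""
    line = b"2022-03-15,PLC-07,temperature,41.3,ok\n"
    return (line * (size // len(line) + 1))[:size]


if __name__ == "__main__":
    original = sample_plaintext()
    damaged = simulate_head_encryption(original)
    print("original:", classify(original))                                   # intact
    print("damaged :", classify(damaged))                                    # head_encrypted
    print("whole   :", classify(simulate_head_encryption(original, 1 << 20)))  # fully_encrypted
```

Legitimately compressed or encrypted files (archives, images, TLS captures) have high entropy from start to end and will land in the `fully_encrypted` bucket, so that label alone is a weak signal; the useful indicator is the contrast, a random-looking header on top of a structured tail, which normal file formats do not produce.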
Figure 2: Common Attack Path of the LockBit 2.0 Ransomware
Figure 3: LockBit 2.0 Ransomware Execution Flow
The biggest difference from LockBit 1.0 is the way LockBit 2.0 uses Active Directory Group Policy Objects (GPOs) for lateral movement, which we also analyzed in depth. In short, once LockBit 2.0 has reached a Domain Controller, it pushes the ransomware out to domain-joined machines through GPOs and scheduled tasks, so that a large-scale infection is carried out quickly and with little manual effort.
Figure 4: AD GPO Propagation Techniques in LockBit 2.0
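A defender's counterpart to the propagation technique above is to audit the Group Policy Preferences that schedule tasks on domain members. Those preferences are stored under SYSVOL as `ScheduledTasks.xml` (Policies/{GUID}/Machine/Preferences/ScheduledTasks/), and a GPO used to push ransomware typically contains an immediate task, running as SYSTEM, whose command points at a network share. The following Python script is an added example (not TXOne's code): it parses that XML and flags tasks with those traits. The sample policy is constructed for the example and is not a real artifact from an incident; the host name, task names and share path in it are invented.

```python
"""Audit a Group Policy Preferences ScheduledTasks.xml for ransomware-style tasks.

Added example, not TXOne's code and not a LockBit artifact. It flags tasks
that (a) are immediate tasks, (b) run as SYSTEM, or (c) execute a command
from a UNC path. The sample XML is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one routine task and one task with the traits described
# in the text (pushed from a DC, executes a share-hosted payload on every host).
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Inventory"
          changed="2022-02-01 09:00:00">
    <Properties action="U" name="Inventory" runAs="CORP\\svc_inventory" logonType="Password">
      <Task version="1.3">
        <Triggers><CalendarTrigger><StartBoundary>2022-02-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
        <Actions Context="Author">
          <Exec><Command>C:\\Program Files\\Inventory\\collect.exe</Command><Arguments>/quiet</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="update"
          changed="2022-03-14 23:58:10">
    <Properties action="C" name="update" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec><Command>\\\\dc01.corp.local\\netlogon\\update.exe</Command><Arguments></Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

UNC_PATH = re.compile(r"^\\\\[^\\]+\\")   # \\host\share\...


def audit_scheduled_tasks(xml_text: str) -> list:
    """Return one finding (dict) per task that has at least one suspicious trait."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:                         # TaskV2, ImmediateTaskV2, Task, ImmediateTask
        props = task.find("Properties")
        if props is None:
            continue
        reasons = []
        if task.tag.startswith("Immediate"):
            reasons.append("immediate task: runs as soon as the GPO is applied")
        run_as = props.get("runAs", "")
        if run_as.lower().endswith("\\system"):
            reasons.append(f"runs as {run_as}")
        for cmd in props.iter("Command"):     # Exec/Command may be nested at any depth
            command = (cmd.text or "").strip()
            if UNC_PATH.match(command):
                reasons.append(f"command loaded from a network share: {command}")
        if reasons:
            findings.append({"name": task.get("name"), "type": task.tag,
                             "changed": task.get("changed"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_scheduled_tasks(SAMPLE_XML):
        print(f"[{f['type']}] {f['name']} (changed {f['changed']})")
        for reason in f["reasons"]:
            print("   -", reason)
```

Running as SYSTEM is common for legitimate GPP tasks, so on its own it is a weak signal; the combination that matters is an immediate task, created or changed shortly before the incident, that launches a binary from a share. The `changed` timestamp is carried in the finding so it can be lined up against the first encryption events on the hosts.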
In an overview of the current OT threat terrain, LockBit 2.0 stands out as not only complex and mature, but also extremely lethal to the OT environment. It is a threat that wreaks havoc in OT environments without modernized cyber defenses, and one we urgently need to guard against.
TXOne’s solution architects recommend OT zero trust to protect against these kinds of threats, which includes application trust listing and network segmentation. By setting up a checkpoint that scans devices entering the facility with a rapid scanning tool, employees and vendor technicians are stopped from carrying malware into OT facilities hidden on their laptops or USB thumb drives. With application trust lists deployed on endpoints, unlisted executables such as LockBit 2.0 cannot run. Finally, with the network segmented, even if a threat is somehow introduced into the environment it cannot spread, so the operation continues uninterrupted.