LockBit

Chris Swagler | February 9th, 2022

 

The LockBit ransomware group is relaunching its affiliate recruitment program as LockBit 2.0. The program, which started in September 2019, is written in C and assembly (ASM) without any dependencies. Encryption is implemented in stages using I/O completion ports and the Advanced Encryption Standard (AES) and Elliptic Curve Cryptography (ECC) algorithms. No one has yet managed to decrypt the program because of its unparalleled functions, including encryption speed and self-spread capabilities. According to LockBit’s website, the only thing affiliates have to do is gain access to the core server, and the ransomware will handle the rest of the process. Given administrator rights on the domain controller, the ransomware launches on all of the domain network’s devices.

Becoming a LockBit 2.0 affiliate includes several features:

  • Administrator panel in Tor system
  • Communication with companies through Tor, chat room with PUSH notifications
  • Automatic test decryption
  • Automatic decryptor detection
  • Port scanner in local subnetworks, can detect all DFS, SMB, WebDAV shares
  • Automatic distribution in the domain network at run-time without the necessity of scripts
  • Termination of interfering services and processes
  • Blocking of process launching that can destroy the encryption process
  • The setting of file rights and removal of blocking attributes
  • Removal of shadow copies
  • Creation of hidden partitions, drag and drop files and folders
  • Clearing of logs and self-clearing
  • Windowed or hidden operating mode
  • Launch of computers switched off through Wake-on-LAN
  • Print-out of requirements on network printers
  • Available for all versions of Windows OS
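Several items in this list (service termination, shadow copy removal, log clearing) leave process-creation traces that defenders can correlate per host. The following is an added detection sketch, not code from the article or from LockBit; the article does not say which commands the ransomware runs, so the patterns for stock Windows utilities, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours from the feature list mapped to command-line patterns for stock
# Windows utilities. ASSUMPTION: the article does not name the commands used;
# these are generic patterns for the same behaviours.
RULES = {
    "shadow_copy_removal": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "service_termination": re.compile(
        r"\b(net1?|sc)(\.exe)?\s+stop\s|taskkill(\.exe)?\s+.*/f\b", re.I),
}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample process-creation events: (time, host, command line)
EVENTS = [
    ("2022-02-09T10:00:05", "WS-01", 'net stop "SQL Server (MSSQLSERVER)" /y'),
    ("2022-02-09T10:00:09", "WS-01", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("2022-02-09T10:01:30", "WS-01", "wevtutil cl Security"),
    ("2022-02-09T10:02:00", "WS-02", "vssadmin list shadows"),    # benign query
    ("2022-02-09T09:00:00", "SRV-03", "sc stop Spooler"),         # isolated admin action
    ("2022-02-09T11:30:00", "SRV-03", "wevtutil cl Application"), # outside the window
]

def classify(cmdline):
    """Return the set of behaviour names whose pattern matches the command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(events, min_behaviours=2):
    """Return {host: sorted behaviours} for hosts that show at least
    min_behaviours distinct behaviours inside one WINDOW."""
    hits = defaultdict(list)
    for ts, host, cmd in events:
        for name in classify(cmd):
            hits[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= WINDOW}
            if len(names) >= min_behaviours:
                alerts[host] = sorted(set(alerts.get(host, [])) | names)
    return alerts

if __name__ == "__main__":
    for host, names in correlate(EVENTS).items():
        print(host, names)
```

Requiring two or more distinct behaviours in one window keeps a lone `sc stop` or log rotation from alerting while still catching the pre-encryption sequence on a single host.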

The ransomware group redesigned their Tor sites, overhauled the ransomware, and added more advanced features, including automatically encrypting devices across Windows domains through Active Directory group policies. LockBit 2.0 claims to be the world’s fastest encryption software. The group developed a table (see below) comparing several similar programs and their encryption speed under the same conditions.

If recruits doubt the veracity of LockBit’s data, LockBit encourages them to download the samples that were used for testing. In addition to the encrypting system, LockBit 2.0 partners will have access to StealBit. The ransomware operators claim it to be the world’s fastest stealer, which automatically downloads every file from an attacked company to LockBit’s updated blog.

During communications with ransomware victims, only LockBit 2.0 partners will set the ransom terms for encrypted companies. Once the partners receive the payments to their personal e-wallets in any currency, they will transfer LockBit a percentage of the ransom amount. LockBit 2.0 states they do not operate in post-Soviet countries and only cooperate with penetration testers experienced in professional tools, including Metasploit Framework and Cobalt Strike.

An additional aspect of the affiliate program is that each partner can negotiate their own terms and conditions with LockBit 2.0. The recruitment blog concludes with LockBit operators claiming they, along with new partners, can victimize more targets over the weekend than they’d be able to with any other affiliate program over the week.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
