To hunt for infrastructure related to LockBit ransomware using Censys, we need to craft queries that target the distinct characteristics of the LockBit group's infrastructure. LockBit uses a variety of infrastructure, including C2 servers, data leak sites, Tor hidden services, and victim communication portals, among other things.
1. Hunting for Known LockBit IP Addresses
LockBit’s infrastructure may persist over time, and known IP addresses can help track them.
Query:
ip:"198.51.100.123" OR ip:"203.0.113.45"
Explanation: Replace the IPs with those identified from threat intelligence feeds or past LockBit incidents.
2. Search for Tor Exit Nodes
LockBit may use Tor services to anonymize its C2 infrastructure and victim communication portals.
Query:
services.tls.certificates.leaf_data.subject.common_name: "*.onion"
Explanation: This query identifies SSL certificates associated with .onion domains, which may indicate services running over the Tor network.
3. SSL Certificates for Self-Signed or Generic Certificates
LockBit actors frequently use Let’s Encrypt or self-signed certificates to secure their infrastructure.
Query:
services.tls.certificates.leaf_data.issuer.organization: "Let's Encrypt" OR services.tls.certificates.leaf_data.issuer.organization: "LockBit"
Explanation: This query identifies SSL certificates issued by Let’s Encrypt or certificates with "LockBit" in the issuer fields.
4. Search for Exposed RDP Ports
LockBit may exploit exposed RDP ports for initial access.
Query:
services.port:3389 AND services.http.response.status_code:200
Explanation: This query looks for exposed RDP services (port 3389) with an HTTP service also running, potentially showing LockBit activity.
5. Identifying Potential LockBit C2 Servers
LockBit C2 servers can be identified by their use of certain HTTP headers or running on specific ports.
Query:
services.http.response.headers.server: "Apache" AND services.http.response.body: "LockBit"
Explanation: This query searches for servers running Apache with a response body related to LockBit operations.
6. Searching for Known Data Leak Sites
LockBit maintains data leak sites where they publish stolen data. These sites may be hosted on publicly accessible servers.
Query:
services.http.response.body: "LockBit Data Leak"
Explanation: This query hunts for web servers containing the phrase "LockBit Data Leak" in the HTTP body.
7. Finding Custom HTTP Headers Used by LockBit
LockBit servers may use unique HTTP headers or configurations.
Query:
services.http.response.headers.server: "nginx" AND services.http.response.headers.x-powered-by: "LockBit"
Explanation: This query looks for nginx servers using a custom X-Powered-By header indicating potential LockBit-related infrastructure.
8. Hunting for Publicly Exposed Vulnerable Web Applications
LockBit may target outdated web applications with known vulnerabilities.
Query:
services.http.response.headers.server: "Apache/2.2.15"
Explanation: This query identifies outdated versions of Apache web servers, which are frequently targeted by attackers for exploitation.
9. Searching for Services Running on Common LockBit Ports
Certain ports are commonly used by LockBit for C2 communications.
Query:
services.port:50050 OR services.port:8080
Explanation: This query looks for services running on port 50050 (commonly used for C2 communication) and port 8080.
10. Identifying Self-Signed Certificates
LockBit infrastructure may use self-signed certificates.
Query:
services.tls.certificates.leaf_data.issuer.common_name: "example.com" AND services.tls.certificates.leaf_data.self_signed: true
Explanation: This query searches for self-signed certificates with common names like "example.com" that might be used in LockBit C2 infrastructure.
11. Combining Queries for Comprehensive Hunting
To refine the search for LockBit infrastructure, combine multiple filters.
Advanced Query Example:
services.http.response.headers.server: "nginx" AND services.http.response.body: "LockBit" AND services.port:8080 AND location.country_code: "RU"
Explanation: This combined query searches for nginx servers potentially related to LockBit, filtering by port 8080 and limiting results to servers hosted in Russia (RU).
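As an added example (not part of the original post, and not Censys' own tooling), the Python below builds the section 1 and section 11 query strings from indicator lists with proper quoting, then triages Censys-style host results offline against the indicators from sections 4 to 10. The one point it demonstrates that the queries alone do not: a host-level `a AND b` query is satisfied when `a` and `b` sit on different services of the same host, so a result that matches the combined query still needs a same-service re-check before it is treated as a hit. Field paths follow the queries in this post; the host records, the IPs (RFC 5737 documentation ranges) and the certificate fingerprint are constructed placeholders, and the scoring weights are arbitrary values chosen for illustration.

```python
"""Compose Censys host-search queries and triage returned records offline.  Added
example for this post, not Censys' tooling; all sample records are constructed."""
import ipaddress


def quoted(value):
    """Quote a string for Censys search syntax, escaping embedded quotes."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def ip_query(ips, chunk=50):
    """Section 1: `ip:"a" OR ip:"b"` clauses from a TI feed, dropping entries
    that are not IP addresses and chunking so no single query grows too long."""
    valid = []
    for raw in ips:
        try:
            valid.append(str(ipaddress.ip_address(raw.strip())))
        except ValueError:
            continue  # comment lines, hostnames, typos in the feed
    return [" OR ".join(f"ip:{quoted(ip)}" for ip in valid[i:i + chunk])
            for i in range(0, len(valid), chunk)]


def and_query(filters):
    """Section 11: AND (field, value) pairs in the post's style (ints bare,
    booleans lowercase, strings quoted)."""
    def fmt(field, value):
        if isinstance(value, bool):
            return f"{field}: {str(value).lower()}"
        return f"{field}:{value}" if isinstance(value, int) else f"{field}: {quoted(value)}"
    return " AND ".join(fmt(f, v) for f, v in filters)


def _path(obj, *keys, default=None):
    """Walk nested dicts, returning default when any key is missing."""
    for key in keys:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return default if obj is None else obj


def _header(svc, name):
    """First value of an HTTP response header, matched case-insensitively."""
    for key, vals in _path(svc, "http", "response", "headers", default={}).items():
        if key.lower() == name.lower():
            return vals[0] if isinstance(vals, list) else vals
    return ""


def score_host(host):
    """Weight the post's indicators.  The strong one requires header and body to
    match on the SAME service: a plain `a AND b` host query is also satisfied
    when a and b sit on different ports, so results need this re-check."""
    services, hits = host.get("services", []), []
    ports = {s.get("port") for s in services}
    for svc in services:
        body = str(_path(svc, "http", "response", "body", default="")).lower()
        server = _header(svc, "server").lower()
        if "lockbit" in body and ("nginx" in server or "apache" in server):
            hits.append((5, f"port {svc['port']}: LockBit string served by {server}"))
        if _path(svc, "tls", "certificates", "leaf_data", "self_signed"):
            hits.append((1, f"port {svc['port']}: self-signed certificate"))
    if 3389 in ports and any(_path(s, "http", "response", "status_code") == 200
                             for s in services):
        hits.append((1, "RDP exposed alongside an HTTP 200 service"))
    if ports & {50050, 8080}:
        hits.append((1, f"listening on {sorted(ports & {50050, 8080})}"))
    return sum(p for p, _ in hits), [why for _, why in hits]


def triage(hosts, min_score=5):
    """Rank hosts; return IP, ports and leaf-cert fingerprints for hits >= threshold."""
    out = []
    for host in hosts:
        score, reasons = score_host(host)
        if score >= min_score:
            services = host.get("services", [])
            certs = {_path(s, "tls", "certificates", "leaf_data", "fingerprint") for s in services}
            out.append({"ip": host["ip"], "score": score, "reasons": reasons,
                        "ports": sorted(p for p in {s.get("port") for s in services} if p),
                        "cert_sha256": sorted(c for c in certs if c)})
    return sorted(out, key=lambda h: h["score"], reverse=True)


def _svc(port, server, body, **extra):
    """Constructed HTTP service record in the shape of a Censys host result."""
    return {"port": port, "http": {"response": {"status_code": 200,
            "headers": {"Server": [server]}, "body": body}}, **extra}


SAMPLE_HOSTS = [  # constructed; every value is invented test data
    {"ip": "198.51.100.123", "services": [
        _svc(8080, "nginx", "<h1>LockBit Data Leak</h1>",
             tls={"certificates": {"leaf_data": {"self_signed": True,
                  "fingerprint": "00" * 32}}}),  # placeholder, not a real cert
        {"port": 3389}]},
    # Matches the section 11 query host-wide (nginx on 80, "LockBit" on 8080)
    # but on no single service, so it scores low.
    {"ip": "192.0.2.77", "services": [_svc(80, "nginx", "Welcome"),
                                      _svc(8080, "Microsoft-IIS/10.0", "LockBit")]},
]
```

Calling `triage(SAMPLE_HOSTS)` returns only the first host (score 8, with its ports and the placeholder fingerprint); the second host would have come back from the combined query in section 11 but is filtered out at score 1. In practice the sample list is replaced with the host records returned by a Censys hosts search, and the `ip`, `ports` and `cert_sha256` values feed blocklists or detection content only after an analyst has reviewed the `reasons` for each hit.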