By Caique Barqueta: Ransomware is one of the most damaging types of malware for any technology asset. But what actually makes it dangerous?
As the name implies, a "ransom" is a payment demanded for release: ransomware is malicious software used to extort you by locking your device or certain files stored on it and then demanding a ransom to unlock them.
LockBit is one type of ransomware in a long line of malicious code aimed at carrying out attacks and profiting through extortion. It was formerly known as "ABCD" ransomware and has since become a threat in its own right.
Attacks using LockBit began in September 2019, when it was nicknamed the ".abcd virus". The nickname refers to the file extension appended to the victim's files after encryption. Notable targets include organizations in the United States, China, India, Indonesia and Ukraine; European countries such as France, the UK and Germany have also suffered attacks.
There are a few variants of LockBit, such as:
- Extension ".abcd": the original version of LockBit, which renames files with the ".abcd" extension. It also drops a ransom note, "Restore-My-Files.txt", containing demands and instructions for supposedly restoring the files; the note is written to every folder.
- Extension ".LockBit": the second known version adopted the ".LockBit" file extension, which gave the family its current name. Victims will notice that the other features of this version look almost identical, despite some back-end revisions.
- Extension ".LockBit", version 2: this third variant no longer requires downloading the Tor browser in the ransom instructions; instead it sends victims to an alternative site over the regular Internet.
- Various extensions: the latest variant, known as LockBit 3.0 or LockBit Black, was identified in 2022 and uses random extensions such as "HLjkNskOq". This variant requires a command-line key ("-pass") before it will perform encryption.
It should also be noted that this ransomware can operate as Ransomware-as-a-Service (RaaS): affiliates pay a deposit for the use of customized ransomware attacks and profit through an affiliate structure. Ransom payments are split between the LockBit developer team and the affiliates who carried out the attack, with affiliates receiving up to three quarters (¾) of the ransom funds.
The malicious agents who operate ransomware leave their mark by carrying out certain actions during and after the attack, such as:
- Interruption of system operations.
- Extortion for payment and financial gain.
- Data theft, with the stolen data published as blackmail if the victim does not pay.
As an example, the group maintains a website on the dark web that lists its victims, as well as details about the group itself, such as its membership program, bug bounty, etc.
Latest LockBit 3.0 appearances
The LockBit group has paid out its first bug bounty (a reward program for people who find bugs in software). The amount paid was US$50,000 for the discovery of a bug in its cryptographic code that allowed anyone to decrypt any vmdk or vhdx file. The information was published on the group's website.
More recently, in September of this year, a user calling himself "Ali Qushju" posted on Twitter claiming to have hacked into the servers of LockBit's Ransomware-as-a-Service platform and to have obtained the compiler for the LockBit 3.0 ransomware. In the same post he provided an address on the SendSpace storage platform and a password. These files are used to create a decrypter for the LockBit 3.0 sample.
ISH Tecnologia analyzed these artifacts and identified yet another LockBit ransomware executable; on its first submission to VirusTotal the file was immediately associated with other samples and categorized as Ransomware.LockBit and Ransomware.BlackMatter.
Following the alleged invasion and the creation of the ransomware decrypter, the LockBit group made a statement via a note on restricted forums, as shown in the image below:
Given all the above, we can conclude that the ransomware market is highly lucrative. There is also competition among the groups themselves, and a large-scale hunt by organizations and police forces to identify the creators and operators of these malicious groups.
LockBit artifact analysis
Having covered creation, operation and recent news, we can now analyze some of the samples used by LockBit. Below are all the IOCs identified for the malicious artifacts:
| File name | LB3.exe |
| --- | --- |
| MD5 | 2614ba00bdf6847e0b30f66332fabd0a |
| SHA-1 | 9291f4ec6ebf96502b3ec07d7af9ab4fdaea8a08 |
| SHA-256 | aa0d0c6dcb69623ac4cfd87ecd991d8fe55807cec6628b92ba698844a24ba58e |
| Imphash | 41fb8cb2943df6de998b35a9d28668e8 |
| TrID (file type) | Win32 Dynamic Link Library |
| VirusTotal | https://www.virustotal.com/gui/file/aa0d0c6dcb69623ac4cfd87ecd991d8fe55807cec6628b92ba698844a24ba58e/detection |

| File name | LBB_pass.exe |
| --- | --- |
| MD5 | 7fb11398c5be61445bee1efa7c9caa31 |
| SHA-1 | ced1c9fabfe7e187dd809e77c9ca28ea2e165fa8 |
| SHA-256 | f9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10 |
| Imphash | 50e4645798779602979868f1b8517523 |
| TrID (file type) | Win32 Dynamic Link Library (generic) |
| VirusTotal | https://www.virustotal.com/gui/file/f9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10/detection |

| File name | LBB_pass.exe |
| --- | --- |
| MD5 | 03b14473eef5b7e38d9a5041c1af0a76 |
| SHA-1 | 371353e9564c58ae4722a03205ac84ab34383d8c |
| SHA-256 | a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e |
| Imphash | a50a0d82b9120fc73965c28fea79e1f9 |
| TrID (file type) | Win32 Dynamic Link Library (generic) |
| VirusTotal | https://www.virustotal.com/gui/file/a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e/detection |

| File name | lockbit_v3_unpacked.mal_ |
| --- | --- |
| MD5 | 628e4a77536859ffc2853005924db2ef |
| SHA-1 | c2a321b6078acfab582a195c3eaf3fe05e095ce0 |
| SHA-256 | d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee |
| Imphash | a50a0d82b9120fc73965c28fea79e1f9 |
| TrID (file type) | Win32 Dynamic Link Library |
| VirusTotal | https://www.virustotal.com/gui/file/aa0d0c6dcb69623ac4cfd87ecd991d8fe55807cec6628b92ba698844a24ba58e/detection |
All the artifacts used in the analysis were submitted to VirusTotal and in every case were identified as malicious artifacts of the ransomware type; they can be consulted through the VirusTotal links in the tables above. One important point is that the initial delivery of LockBit ransomware payloads is usually handled through third-party frameworks, such as Cobalt Strike.
The payloads are standard Windows PE executables with many similarities to previous generations of LockBit and to the BlackMatter ransomware family.
When analyzing the behavior of these artifacts, various means of persistence in the operating system were observed. Each execution of the artifact installs several services, using the operating system's SecurityHealthService, which in turn calls other system services such as svchost, wsappx, wscsvc, WinDefend, sppsvc and VSS, among others.
Another relevant point is that on an affected system, services such as msexchange, sophos, veeam, memtas, sql and vss are also affected, among others.
As an example of what is discussed below, when the executable/artifact (which contains anti-debugger and anti-VM protection) detects a debugger or virtual machine, it cancels the process, i.e. it does not perform its normal behavior:
Once encryption starts it is very fast: it can encrypt the entire host in a matter of minutes, even while spreading to adjacent hosts.
When LockBit 3.0 runs, several ransom notes are created and the desktop background is replaced. The following is an example of the ransom note template used by LockBit 3.0:
As mentioned, the host's desktop background is also changed, as shown in the image below:
The extension used on the files differs for each sample or campaign; extensions such as "HLJkNskOq", "futRjC7nx", "8CXBivJ6f" and "WTHEfoi8l" have been observed.
One interesting point for incident response is that the ransomware executable copies itself to the %programdata% directory after execution, which provides a reliable location on which to base YARA rules and other detection logic. After infection and the activation of the services and actions carried out by the ransomware, LockBit 3.0 victims are instructed to contact the attacker via a "support" portal over Tor.
The victim is therefore left with a system completely infected by this ransomware, and the possibility of restoring the system lies in backups.
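As an added example (not the article's or ISH's own tooling), the following Python script sweeps a directory tree, in practice %programdata% on a Windows host, for files whose SHA-256 matches the artifact hashes listed in the IOC tables above. The hashes are taken from those tables; the directory layout and the sample file in the demo() function are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes of the LockBit 3.0 artifacts from the IOC tables in this article.
LOCKBIT3_SHA256 = {
    "aa0d0c6dcb69623ac4cfd87ecd991d8fe55807cec6628b92ba698844a24ba58e",  # LB3.exe
    "f9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10",  # LBB_pass.exe
    "a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e",  # LBB_pass.exe
    "d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee",  # lockbit_v3_unpacked.mal_
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, ioc_hashes=LOCKBIT3_SHA256, max_size=64 << 20):
    """Walk `root` and return [(path, sha256)] for every regular file whose hash
    is in `ioc_hashes`. Files above max_size are skipped to keep the sweep fast;
    unreadable or locked files are skipped rather than aborting the whole sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(p) or os.path.getsize(p) > max_size:
                    continue
                digest = sha256_of_file(p)
            except OSError:
                continue
            if digest in ioc_hashes:
                hits.append((p, digest))
    return hits


def default_root():
    # The drop location named in the article on Windows; a harmless fallback elsewhere.
    return os.environ.get("ProgramData", tempfile.gettempdir())


def demo(include_constructed_hash=True):
    """Constructed demo: a temp tree with one file we treat as 'known bad' by adding
    its hash to the IOC set, plus a benign file. Returns the matched file names."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "sub" / "LB3.exe"
        bad.parent.mkdir()
        bad.write_bytes(b"CONSTRUCTED SAMPLE - not a real payload")
        (Path(tmp) / "readme.txt").write_text("benign")
        iocs = set(LOCKBIT3_SHA256)
        if include_constructed_hash:
            iocs.add(sha256_of_file(bad))
        return [os.path.basename(p) for p, _ in scan_directory(tmp, iocs)]


if __name__ == "__main__":
    print("demo matches:", demo())
    for path, digest in scan_directory(default_root()):
        print(f"MATCH {digest} {path}")
```

Hash matching only catches the exact builds listed here; because each LockBit 3.0 campaign produces a different binary, treat a hit as confirmation rather than as the only detection, and pair it with the behavioural indicators described in this section.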
LockBit and its anti-analysis and anti-debugging techniques
These LockBit 3.0 samples use a variety of anti-analysis techniques intended to make static and dynamic analysis more difficult, and they again show similarities to the BlackMatter ransomware. These techniques include code packing, obfuscation, dynamic resolution of function addresses, function trampolines and anti-debugger checks.
It should be noted that LockBit 3.0 payloads require a specific password to execute. These passwords are unique to each sample or campaign and make dynamic and sandbox analysis more difficult if the password was not recovered together with the sample.
Encrypted content within the LockBit 3.0 payload is decrypted at runtime using an XOR mask.
As an example, the contents of the .text section (the executable segment) are encrypted:
LockBit 3.0 also obfuscates the function addresses that its trampolines execute, using XOR obfuscation and/or bit rotation. Other techniques were identified for detecting the presence of a debugger and hindering dynamic analysis; for example, it evaluates heap memory flags that indicate a debugger is present, such as HEAP_TAIL_CHECKING_ENABLED (0x20) and HEAP_VALIDATE_PARAMETERS_ENABLED (0x4000000).
Another relevant fact is that LockBit 3.0 calls NtSetInformationThread through a trampoline with ThreadHandle set to 0xfffffffe and ThreadInformationClass set to 0x11 as parameters. This interrupts the flow of debug events from the ransomware thread to an attached debugger, hiding the thread from the debugger and making dynamic analysis more difficult.
In short, it has many functions that prevent it from being analyzed with debuggers. Another relevant fact is that recent research by Chuong Dong found many similarities between the LockBit 3.0 ransomware and the BlackMatter ransomware, as can be seen at: https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/.
In other LockBit 3.0 samples, an anti-forensic file-deletion technique is used: instead of using CMD.EXE to run a batch file or command that performs the deletion, it drops and executes a ".tmp" file decrypted from the binary. The executed .tmp file overwrites the contents of the ransomware binary and then renames the binary several times, with the new file names based on the length of the original file name.
By way of example, if the LockBit 3.0 executable name is 9 characters long, e.g. Lock.exe (including the extension), it will be renamed to AAAAAAAAAA, then BBBBBBBBBBB, and so on up to ZZZZZZZZ. After all the possible renames, LockBit 3.0 finally deletes the file, an attempt by the LockBit group to prevent recovery through forensic techniques by removing the traces of the ransomware.
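To make the two obfuscations just described concrete (the XOR-masked code section and the XOR'd/bit-rotated function addresses used by the trampolines), here is an added Python example showing the analyst side; it is not code from the article or from the samples. It removes a repeating-key XOR mask from a code region, validates a candidate single-byte key by checking for a known function prologue, and recovers addresses stored as XOR'd and rotated values. The key, rotation count, byte sequence and addresses are constructed, and the layout rol32(real ^ key, rot) is an assumption made for the example, not the layout recovered from LockBit 3.0.

```python
import struct

MASK32 = 0xFFFFFFFF


def xor_unmask(data: bytes, key: bytes) -> bytes:
    """Remove a repeating-key XOR mask (applying it once more re-masks the data)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def ror32(value: int, n: int) -> int:
    n &= 31
    return ((value >> n) | (value << (32 - n))) & MASK32


def rol32(value: int, n: int) -> int:
    return ror32(value, 32 - (n & 31))


def decode_address(stored: int, key: int, rot: int) -> int:
    """Assumed layout for this example: stored = rol32(real ^ key, rot),
    so the inverse rotates right first and then XORs the key back out."""
    return ror32(stored, rot) ^ key


def encode_address(real: int, key: int, rot: int) -> int:
    """Inverse of decode_address; used here only to build the constructed table."""
    return rol32(real ^ key, rot)


def decode_address_table(blob: bytes, key: int, rot: int) -> list:
    """Decode a little-endian array of 32-bit obfuscated addresses."""
    count = len(blob) // 4
    values = struct.unpack("<%dI" % count, blob[: count * 4])
    return [decode_address(v, key, rot) for v in values]


# A common way to validate a candidate XOR key is to check that the unmasked bytes
# begin the way a function normally begins, e.g. the x86 prologue
# push ebp / mov ebp, esp (55 8B EC).
X86_PROLOGUE = b"\x55\x8b\xec"


def recover_single_byte_key(masked: bytes, expected_prefix: bytes = X86_PROLOGUE):
    """Brute-force a single-byte XOR key by looking for expected_prefix at offset 0.
    Returns the key, or None if no single-byte key produces the prefix."""
    for k in range(256):
        if xor_unmask(masked[: len(expected_prefix)], bytes([k])) == expected_prefix:
            return k
    return None


# Constructed sample data (not bytes taken from a real sample).
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"  # push ebp; mov ebp,esp; sub esp,0x10; push ebx/esi/edi
SAMPLE_KEY = b"\x5a"
MASKED_CODE = xor_unmask(PLAIN_CODE, SAMPLE_KEY)  # applying the mask once produces the "encrypted" form

REAL_ADDRESSES = [0x77E10000, 0x77E1A2B0, 0x7C801D7B]
ADDR_KEY, ADDR_ROT = 0x1234ABCD, 13
OBF_TABLE = struct.pack("<3I", *(encode_address(a, ADDR_KEY, ADDR_ROT) for a in REAL_ADDRESSES))

if __name__ == "__main__":
    print("recovered key:", hex(recover_single_byte_key(MASKED_CODE)))
    print("unmasked code:", xor_unmask(MASKED_CODE, SAMPLE_KEY).hex())
    print("addresses:", [hex(a) for a in decode_address_table(OBF_TABLE, ADDR_KEY, ADDR_ROT)])
```

In a real unpacking session the same helpers are applied to the masked .text bytes dumped from the sample and to the address table referenced by the trampolines; the rotation count and key come from the decryption stub the sample runs at start-up, and the prologue check is the quick sanity test that the recovered key is right.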
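The rename sequence described above has a recognisable shape in file-system telemetry: one process renaming the same file through a run of equal-length names each made of a single repeated letter, before the file disappears. The following Python detection is an added example (not part of the article) that parses a constructed rename log and reports such chains; the log format, process IDs and paths are made up for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class RenameEvent:
    seq: int        # order of the event in the log
    pid: int        # process that performed the rename
    old_path: str
    new_path: str


@dataclass
class WipeChain:
    pid: int
    origin: str                                  # path before the first single-letter rename
    steps: list = field(default_factory=list)    # successive single-letter names


# Matches a name made of one letter repeated, e.g. AAAAAAAA or BBBBBBBB.
REPEATED_LETTER = re.compile(r"^([A-Za-z])\1+$")

# Constructed rename log (not real telemetry): "<seq> <pid> <old_path> <new_path>".
SAMPLE_LOG = r"""
1 4120 C:\Users\a\report.docx C:\Users\a\report.docx.HLJkNskOq
2 4120 C:\ProgramData\Lock.exe C:\ProgramData\AAAAAAAA
3 4120 C:\ProgramData\AAAAAAAA C:\ProgramData\BBBBBBBB
4 4120 C:\ProgramData\BBBBBBBB C:\ProgramData\CCCCCCCC
5 4120 C:\ProgramData\CCCCCCCC C:\ProgramData\DDDDDDDD
6 7000 C:\Temp\draft.txt C:\Temp\final.txt
7 7000 C:\Temp\old.log C:\Temp\XXXXXXX
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, pid, old, new = line.split(maxsplit=3)
        events.append(RenameEvent(int(seq), int(pid), old, new))
    return events


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def find_rename_wipe_chains(events, min_steps: int = 3) -> list:
    """Return chains in which one process renamed the same file through at least
    min_steps consecutive single-repeated-letter names of equal length. Chains are
    keyed by (pid, current path), so renames by another process are not merged."""
    active = {}      # (pid, current_path) -> WipeChain in progress
    finished = []
    for ev in sorted(events, key=lambda e: e.seq):
        chain = active.pop((ev.pid, ev.old_path), None)
        new_name = basename(ev.new_path)
        fits_pattern = REPEATED_LETTER.match(new_name) is not None
        if chain is not None and len(new_name) != len(chain.steps[0]):
            fits_pattern = False
        if not fits_pattern:
            # Not part of the pattern: close any chain that was in progress.
            if chain is not None and len(chain.steps) >= min_steps:
                finished.append(chain)
            continue
        if chain is None:
            chain = WipeChain(pid=ev.pid, origin=ev.old_path)
        chain.steps.append(new_name)
        active[(ev.pid, ev.new_path)] = chain
    finished.extend(c for c in active.values() if len(c.steps) >= min_steps)
    return finished


if __name__ == "__main__":
    for c in find_rename_wipe_chains(parse_log(SAMPLE_LOG)):
        print(f"pid {c.pid}: {c.origin} renamed {len(c.steps)}x -> {' > '.join(c.steps)}")
```

The threshold min_steps keeps a single odd rename (such as the old.log line in the sample) from alerting; the equal-length requirement follows the article's observation that the new names are derived from the length of the original file name. Fed from Sysmon, EDR or USN journal rename records, the origin path of a reported chain is the file to pull from backups or volume shadow copies, since the on-disk copy has already been overwritten.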
Domains used by LockBit 3.0
- http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onion
- http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd[.]onion
- http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd[.]onion
- http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd[.]onion
- http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion
- http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd[.]onion
- http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid[.]onion
- http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd[.]onion
- http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd[.]onion
- http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd[.]onion
- http://lockbit7z2mmiz3ryxafn5kapbvbbiywsxwovasfkgf5dqqp5kxlajad[.]onion
- http://lockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd[.]onion
- http://lockbit7z355oalq4hiy5p7de64l6rsqutwlvydqje56uvevcc57r6qd[.]onion
- http://lockbit7z36ynytxwjzuoao46ck7b3753gpedary3qvuizn3iczhe4id[.]onion
- http://lockbit7z37ntefjdbjextn6tmdkry4j546ejnru5cejeguitiopvhad[.]onion
- http://lockbit7z3azdoxdpqxzliszutufbc2fldagztdu47xyucp25p4xtqad[.]onion
- http://lockbit7z3ddvg5vuez2vznt73ljqgwx5tnuqaa2ye7lns742yiv2zyd[.]onion
- http://lockbit7z3hv7ev5knxbrhsvv2mmu2rddwqizdz4vwfvxt5izrq6zqqd[.]onion
- http://lockbit7z3ujnkhxwahhjduh5me2updvzxewhhc5qvk2snxezoi5drad[.]onion
- http://lockbit7z4bsm63m3dagp5xglyacr4z4bwytkvkkwtn6enmuo5fi5iyd[.]onion
- http://lockbit7z4cgxvictidwfxpuiov4scdw34nxotmbdjyxpkvkg34mykyd[.]onion
- http://lockbit7z4k5zer5fbqi2vdq5sx2vuggatwyqvoodrkhubxftyrvncid[.]onion
- http://lockbit7z4ndl6thsct34yd47jrzdkpnfg3acfvpacuccb45pnars2ad[.]onion
- http://lockbit7z55tuwaflw2c7torcryobdvhkcgvivhflyndyvcrexafssad[.]onion
- http://lockbit7z57mkicfkuq44j6yrpu5finwvjllczkkp2uvdedsdonjztyd[.]onion
- http://lockbit7z5ehshj6gzpetw5kso3onts6ty7wrnneya5u4aj3vzkeoaqd[.]onion
- http://lockbit7z5hwf6ywfuzipoa42tjlmal3x5suuccngsamsgklww2xgyqd[.]onion
- http://lockbit7z5ltrhzv46lsg447o3cx2637dloc3qt4ugd3gr2xdkkkeayd[.]onion
- http://lockbit7z6choojah4ipvdpzzfzxxchjbecnmtn4povk6ifdvx2dpnid[.]onion
- http://lockbit7z6dqziutocr43onmvpth32njp4abfocfauk2belljjpobxyd[.]onion
- http://lockbit7z6f3gu6rjvrysn5gjbsqj3hk3bvsg64ns6pjldqr2xhvhsyd[.]onion
- http://lockbit7z6qinyhhmibvycu5kwmcvgrbpvtztkvvmdce5zwtucaeyrqd[.]onion
- http://lockbit7z6rzyojiye437jp744d4uwtff7aq7df7gh2jvwqtv525c4yd[.]onion
- http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd[.]onion
- http://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd[.]onion
- http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd[.]onion
- http://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad[.]onion
- http://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd[.]onion
- http://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd[.]onion
- http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd[.]onion
- http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd[.]onion
- http://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd[.]onion
IOCs collected and identified by the GTI
Below we present information on the top 10 IOCs related to LockBit 3.0 over the last 30 days, collected and assembled by ISH's Global Threat Intelligence (GTI) team.
We can see that the main IOCs related to LockBit 3.0 threat actors are malicious URLs, followed by file-related IOCs (signatures). Beyond this, the main trace that malicious actors leave behind is the IP address, which is of great value when investigating a cyber attack, since it can be enriched with geolocation data.
ISH collects and analyzes the malicious activity of these main offenders on a daily basis, as shown in the image below:
Recommendations:
Below, we've listed some security tips to adopt and use for all your organization's assets and infrastructure.
- Implement strong passwords.
- Enable multi-factor authentication (MFA).
- Re-evaluate and simplify user account permissions.
- Always have backups of the entire system and snapshots/images of the local machine prepared and stored securely so that they can be used in the event of ransomware.
- Use tools to monitor e-mails, the network and other methods of inputting and outputting files and company data, in order to immediately identify potentially malicious files.
- We also recommend consuming the IOCs presented above in continuous infrastructure monitoring tools.
References:
- Heimdall Global Threat Intelligence by ISH (GTI)
- MalwareBazaar
- Content Analyst, Caique Barqueta.