See Cynet’s Autonomous
Breach Protection in Action

Prefer a one-on-one demo? Click here

By clicking next I consent to the use of my personal data by Cynet in accordance with Cynet's Privacy Policy and by its partners

ATTACK TECHNIQUES – HANDS ON

Brought to you by Cynet's CyOps Center

Cynet's 24/7 MDR with the latest security updates and reports

Learn more about CyOps

Network Attacks and Exfiltration

Credential Access & Data Collection

Initial Access and Fileless Attacks

Ransomware Threat Reports

Threat Reports

Vulnerabilities

Persistence

Evasion techniques

Malware Evolution – Analyzing LockBit 2.0

Author: Matan Haim Guez

Introduction

The notorious LockBit ransomware has become the malware of choice for many attack groups in recent months. This increase in popularity is likely due to the gang behind it offering LockBit as a Ransomware-as-a-Service (RaaS), which lets other groups use the tool to encrypt and attack companies as they wish.

LockBit was first observed in the wild as “ABCD” ransomware, then was later renamed as LockBit (you can read Cynet’s coverage of version 1.0 here). Today, the ransomware has evolved, and is known as LockBit 2.0

Graphical user interface, text, application Description automatically generated

As evidenced in the above image (a wallpaper set by LockBit 2.0 on an encrypted device), one of the most common ways the gang gains initial access is by offering large sums of money to organization insiders to infiltrate the ransomware to internal assets through an RDP connection. Additionally, the gang also exploits vulnerabilities in VPN servers and other public servers.

Text Description automatically generated

Attempt to recruit other organization insiders on the wallpaper

 

Today, LockBit 2.0 uses several methods to successfully exfiltrate data that will be published should the victim not pay the ransom, including StealBit Trojan, Cobalt Strike, and Metasploit.

The LockBit gang is proud to claim on their website that their ransomware has the fastest encryption speed among a list of other respected ransomwares on the market:

Table Description automatically generated

Lockbit encryption speed comparison against other ransomwares

LockBit Around the Globe

The latest and most publicized LockBit 2.0 attack is on the global consulting company Accenture, along with other companies from the United States, China, Italy, Africa, Japan, Australia, and several European countries.

Each LockBit victim has a limited time to pay the ransom to prevent their stolen files from being published:

Technical Analysis

The LockBit gang has implemented several measures to slow down analysis in the newest version of their notorious ransomware. One method used is to obfuscate the binary itself. LockBit uses an FNV hashing algorithm to decrypt the API which is dynamically resolving.

The dynamic function resolution procedure starts by decrypting the pointer of the desired function using the decryption tool, storing the pointer in a register, and invoking it directly from the register:

A picture containing text Description automatically generated

The decryption function is invoked and then the API is invoked from the register

 

Graphical user interface, text Description automatically generated with medium confidence

Part of the FNV (Fowler-Noll-Vo) decryption function

 

Once the decryption is completed, the pointer to the API function is stored at the EAX (or ECX) register for execution:

Another tricky method used by LockBit is the termination of Process Hacker, Process Monitor, and other processes that analyze and monitor utilities to to prevent them from detecting it among other running applications and processes:

Text Description automatically generated

Once it gets started, LockBit deletes important records and backups from the host to prevent victims from recovering from the attack. The rarnsomware then transfers its execution through a COM before continuing its anti-recovery activities.

– “vssadmin delete shadows /all /quiet” – deletes all the shadows copies from the host.

– “bcdedit /set {default} bootstatuspolicy ignoreallfailures” – Ignores failures in the boot time (LockBit is executed on boot as part of the persistence).

– “bcdedit /set {default} recoveryenabled no” – prevents from the user to enter Windows 10 recovery boot option.

LockBit generates SID, and uses it to set a persistence in the Run key at the registry which allows execution each time the host boots up:

Graphical user interface, text, application, email Description automatically generated

LockBit 2.0 comes with an icon for encrypted files. The ransomware associates the icon with every “.lockbit” file in the registry:

A screenshot of a computer Description automatically generated with medium confidence

Application Description automatically generated with medium confidence

Setting registry key associated with default icons

 

Setting value in the created key with the icon path

 

The ransomware sets two more registry entries which include additional data for the encryption process:

Graphical user interface Description automatically generated with medium confidence

As part of the spreading process, LockBit enumerates additional hosts within the network:

Table Description automatically generated

and tries to establish SMB connection (port 445) to spread the malicious file across the host network:

Initiate SMB connection with host found in the network

 

Graphical user interface, text, application Description automatically generated

In addition to spreading via SMB, LockBit utilizes Powershell to publish group-policy updates within the domain to further spread the ransomware file:

The ransomware disables the security software on the host through the registry by setting values related to enabling/disabling the software:

After finishing the encryption procedure, the ransomware drops a file containing details for the victim of how to restore their files and send them for printing.

The module that contains the API for printing is resolved and loaded through the FNV decryption performed at the beginning of the execution:

EAX contains the module name after decryption, ECX contains the location of “LoadLibrary”

 

As described earlier, when the encryption procedure is finished, the command for printing the documents is executed:

Graphical user interface, text, application Description automatically generated

Printing commands

 

File’s path: C:\Users\[USERNAME]\AppData\Local\Microsoft\Windows\INetCache

 

LockBit drops an HTA file called “LockBit_Ransomware.hta” which contains the page presented to the user in the application window opened by the ransomware:

A picture containing graphical user interface Description automatically generated

LockBit 2.0 Attack-Chain

Graphical user interface, application, Teams Description automatically generated

MITRE Techniques Map

ATT&CK TacticATT&CK Technique
Reconnaissance
  • Active Scanning – Scanning IP Blocks – T1595.001
Resource Development
  • Compromise Infrastructure – Domains – T1584.001
Initial Access
  • Exploit Public-Facing Application – T1190
  • External Remote Services – T1133
Execution
  • Command and Scripting Interpreter – PowerShell – T1059.001
  • Windows Command Shell – T1059.003
  • Windows Management Instrumentation – T1047
Persistence
  • Boot or Logon Autostart Execution – Registry Run Key – T1547.001
Lateral Movement
  • Remote Services – Remote Desktop Protocol – T1021.002
  • Lateral Tool Transfer – T1570
Impact
  • Data Encrypted for Impact – T1486
  • Inhabit System Recovery – T1490
  • Service Stop – T1489

Cynet VS LockBit 2.0

LockBit 2.0’s techniques allow it not only to stay hidden from the user/analyst’s eye but also to prevent recovery and set up persistence.

Cynet is able to detect and block LockBit and the encryption process itself using the following detection mechanisms:

Detection Engine – Malicious Binary – Infected File- File Dumped on the Disk / Attempt to run

This alert triggers when Cynet’s AV/AI engine detects a malicious file that was dumped on the disk.

Graphical user interface, text, application Description automatically generated

LockBit 2.0 executable dropped on the host

 

A screenshot of a computer Description automatically generated with medium confidence

LockBit 2.0 executable executed on the host

 

Ransomware Heuristic

This alert triggers when Cynet detects suspicious behavior which can be associated with Ransomware (such as changing file extensions to “.Lock”).

A screenshot of a computer Description automatically generated

LockBit 2.0 encrypting files and blocked by Cynet

 

Malicious Process Command

This alert triggers when Cynet detects a CMD process which executes a command that contains suspicious arguments or is associated with malicious patterns.

LockBit 2.0 and other ransomware in the wild delete the backups used to recover the system to prevent data loss. Cynet is able to detect and block those operation:

A screenshot of a computer Description automatically generated

VSSADMIN used to delete all shadows copies from the host

 

Memory Pattern

This alert will trigger when a file is loaded to the memory and will run on its memory unique strings related to a malware.

A screenshot of a computer Description automatically generated

Conclusions

The LockBit gang has utilized not only digital approaches for spreading the ransomware, but also attempts to attack through the human vector.

The ransomware evolution to version 2.0 is interesting, from the obfuscation in the code and the termination of monitoring applications or security products to behaviors observed during the analysis, it is important to have security products that are able to detect similar behaviors and block them before sensitive data is lost.

IOCs

TypeValues
LockBit 2.0 Executable626a4fa1f52623e89b3011c37c2d3ca4069dc5a4d3f5c4f74d4579c2d3d50356
HTA File“LockBit_Ransomware.hta”:

90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1

Printing Document1d1294dce38b2ae0a5dbe5743097868eac471b559989665ec6b758608b7f2a56
Registry Keys– HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{SID} – value – path to the LockBit executable

– HKCU\Software\1A6895EB2455B9 – values names: “Public”, “Private”

– HKCU\Software\Classes\.lockbit\DefualtIcon