Author: Matan Haim Guez
The notorious LockBit ransomware has become the malware of choice for many attack groups in recent months. This increase in popularity is likely due to the gang behind it offering LockBit as a Ransomware-as-a-Service (RaaS), which lets other groups use the tool to encrypt and attack companies as they wish.
LockBit was first observed in the wild as “ABCD” ransomware and was later renamed LockBit (you can read Cynet’s coverage of version 1.0 here). Today the ransomware has evolved and is known as LockBit 2.0.
As evidenced in the above image (a wallpaper set by LockBit 2.0 on an encrypted device), one of the most common ways the gang gains initial access is by offering large sums of money to organization insiders to deploy the ransomware on internal assets over an RDP connection. Additionally, the gang exploits vulnerabilities in VPN servers and other public-facing servers.
Attempt to recruit other organization insiders on the wallpaper
Today, LockBit 2.0 uses several tools to exfiltrate data that will be published should the victim not pay the ransom, including the StealBit trojan, Cobalt Strike, and Metasploit.
The LockBit gang proudly claims on its website that its ransomware has the fastest encryption speed among a list of other well-known ransomware families on the market:
LockBit encryption speed compared with other ransomware families
This is part of an extensive series of guides about Ransomware Protection.
The latest and most publicized LockBit 2.0 attack is on the global consulting company Accenture, along with other companies from the United States, China, Italy, Africa, Japan, Australia, and several European countries.
Each LockBit victim has a limited time to pay the ransom to prevent their stolen files from being published:
The LockBit gang has implemented several measures to slow down analysis in the newest version of their notorious ransomware. One method is obfuscating the binary itself: instead of a plain import table, LockBit resolves the Windows API functions it needs dynamically at runtime, using an FNV hashing algorithm to decrypt the names and pointers of those functions.
The dynamic function resolution procedure starts by decrypting the pointer of the desired function using the decryption routine, storing the pointer in a register, and invoking it directly from the register:
The decryption function is invoked and then the API is invoked from the register
Part of the FNV (Fowler-Noll-Vo) decryption function
Once the decryption is completed, the pointer to the API function is stored at the EAX (or ECX) register for execution:
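When a sample resolves its imports through hashes rather than names, an analyst needs a lookup table from hash back to API name to label the resolved calls. The following is an added example (not Cynet’s code and not taken from the LockBit binary) that builds such a table; it assumes standard 32-bit FNV-1a and FNV-1 constants, since the article does not state which FNV variant or constants LockBit 2.0 uses, and the candidate API list is a constructed starting point.

```python
# Added example (not Cynet's code): rebuild an API-name lookup table for
# hash-based import resolution so resolved calls can be labelled during analysis.
# Assumption: 32-bit FNV-1a / FNV-1 with the standard offset basis and prime;
# the article does not state LockBit 2.0's exact variant or constants.

FNV32_OFFSET_BASIS = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1_32(data: bytes) -> int:
    """32-bit FNV-1 (multiply first, then XOR), so both common variants can be tried."""
    h = FNV32_OFFSET_BASIS
    for b in data:
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
        h ^= b
    return h


# Constructed list of names a ransomware sample is likely to resolve; in practice
# it would be extended with the full export tables of kernel32, advapi32, etc.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile",
    "CryptEncrypt", "RegSetValueExW", "CreateProcessW", "TerminateProcess",
]


def build_hash_table(names, hash_fn=fnv1a_32):
    """Map hash -> API name for one FNV variant."""
    return {hash_fn(n.encode("ascii")): n for n in names}


def resolve_hashes(hashes, names=CANDIDATE_APIS):
    """Map each hash pulled from a sample to (api_name, variant), or None if unknown.

    FNV-1a is tried first, then FNV-1; a hash that matches neither table stays None
    so the analyst knows the candidate list (or the variant) needs extending.
    """
    tables = [
        ("fnv1a", build_hash_table(names, fnv1a_32)),
        ("fnv1", build_hash_table(names, fnv1_32)),
    ]
    resolved = {}
    for h in hashes:
        resolved[h] = None
        for variant, table in tables:
            if h in table:
                resolved[h] = (table[h], variant)
                break
    return resolved


if __name__ == "__main__":
    # Constructed "hashes found in the sample": two known names and one unknown value.
    sample_hashes = [fnv1a_32(b"LoadLibraryA"), fnv1_32(b"CreateProcessW"), 0xDEADBEEF]
    for h, result in resolve_hashes(sample_hashes).items():
        print(f"{h:08x} -> {result}")
```

The two FNV variants differ only in the order of the XOR and multiply, so keeping both lets the analyst confirm which one a sample uses from a single known resolution (for example the `LoadLibrary` call shown later in this analysis) before extending the candidate list.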
Another tricky method used by LockBit is terminating Process Hacker, Process Monitor, and other analysis and monitoring utilities, to prevent them from spotting it among the other running applications and processes:
Once started, LockBit deletes important records and backups from the host to prevent victims from recovering from the attack. The ransomware then transfers its execution through a COM interface before continuing its anti-recovery activities.
– “vssadmin delete shadows /all /quiet” – deletes all shadow copies from the host.
– “bcdedit /set {default} bootstatuspolicy ignoreallfailures” – ignores failures at boot time (LockBit is executed on boot as part of its persistence).
– “bcdedit /set {default} recoveryenabled no” – prevents the user from entering the Windows 10 recovery boot option.
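The three anti-recovery commands above are also the behaviour that the “Malicious Process Command” alert later in this analysis keys on. The following is an added example (not Cynet’s detection engine) of how a defender can match those command lines in process-creation logs and raise severity when several of them fire on one host within a short window; the log format and every log line are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not Cynet's product code). Rules are derived from the three
# anti-recovery commands described in the article; the log format and lines
# below are constructed sample data.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("boot_failure_ignored",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
]

SAMPLE_LOG = r"""2021-08-12T10:01:02Z host=WS01 user=alice image=C:\Windows\System32\cmd.exe cmdline="cmd /c vssadmin delete shadows /all /quiet"
2021-08-12T10:01:03Z host=WS01 user=alice image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
2021-08-12T10:01:03Z host=WS01 user=alice image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled no"
2021-08-12T10:05:00Z host=WS01 user=bob image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
2021-08-12T10:06:00Z host=WS02 user=svc image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\temp\notes.txt"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmd>.*)"$'
)


def parse_line(line):
    """Parse one constructed process-creation event; None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(log_text):
    """Return one alert dict per event whose command line matches at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hits = classify(ev["cmd"])
        if hits:
            ev["rules"] = hits
            ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            alerts.append(ev)
    return alerts


def anti_recovery_burst(alerts, window=timedelta(seconds=60), min_rules=2):
    """Per host, report when at least min_rules distinct rules fire within one window.

    A lone 'vssadmin delete shadows' can be an admin cleaning up; shadow deletion
    plus bcdedit recovery changes within a minute is the ransomware pattern.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    bursts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            rules = set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                rules.update(e["rules"])
            if len(rules) >= min_rules:
                bursts[host] = sorted(rules)
                break
    return bursts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["host"], a["user"], a["rules"], a["cmd"])
    print("high-severity hosts:", anti_recovery_burst(found))
```

The `vssadmin list shadows` line is deliberately included: it shares the binary with the deletion command but must not alert, which is why the rules match on the arguments (`delete … shadows`, `recoveryenabled no`) rather than on the image name alone.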
LockBit generates a SID and uses it to set persistence in the Run key in the registry, which allows execution each time the host boots up:
LockBit 2.0 comes with an icon for encrypted files. The ransomware associates the icon with every “.lockbit” file in the registry:
Setting registry key associated with default icons
Setting value in the created key with the icon path
The ransomware sets two more registry entries which include additional data for the encryption process:
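The registry artefacts described above (the Run key value named after the generated SID, the “.lockbit” file association, and the key holding the two encryption-related values) are what a responder looks for on a suspect host. The following is an added example (not Cynet’s code) that parses a `reg export`-style file and flags those artefacts; the export text is constructed sample data, the SID and file paths are made up, and the assumption that the Run value name is a SID with optional braces is the author’s reading of the “{SID}” notation in the IoC table.

```python
import re

# Added example (not Cynet's product code): hunt for the LockBit 2.0 registry
# artefacts described in the article in a .reg export (as produced by
# "reg export HKCU <file>"). The export, SID and paths below are constructed.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"{S-1-5-21-1004336348-1177238915-682003330-1001}"="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"

[HKEY_CURRENT_USER\Software\1A6895EB2455B9]
"Public"=hex:06,02,00,00,00,a4,00,00
"Private"=hex:07,02,00,00,00,a4,00,00

[HKEY_CURRENT_USER\Software\Classes\.lockbit\DefaultIcon]
@="C:\\Windows\\System32\\lockbit.ico"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')
# Assumption: the Run value is named after a user-style SID, with or without braces.
SID_RE = re.compile(r"^\{?S-1-5-21(-\d+){3,4}\}?$")


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}}; the default value is stored under '@'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            keys[current][name] = m.group("data")
    return keys


def hunt_lockbit_artefacts(keys):
    """Return (finding, key, value_name, data) tuples for each artefact found."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        # Persistence: a Run value whose name is a SID rather than a product name.
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if SID_RE.match(name):
                    findings.append(("run_key_sid_persistence", key, name, data))
        # Key holding the "Public"/"Private" values used by the encryption process.
        if k.endswith(r"\software\1a6895eb2455b9"):
            present = sorted(n for n in values if n in ("Public", "Private"))
            findings.append(("lockbit_encryption_data_key", key, ",".join(present), ""))
        # File association for the ".lockbit" extension (icon for encrypted files).
        if r"\software\classes\.lockbit" in k:
            findings.append(("lockbit_file_association", key, "@", values.get("@", "")))
    return findings


if __name__ == "__main__":
    for finding in hunt_lockbit_artefacts(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

The legitimate `OneDrive` Run value in the sample is not flagged, because the persistence check keys on the SID-shaped value name the article describes rather than on the Run key alone.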
As part of the spreading process, LockBit enumerates additional hosts within the network:
It then tries to establish an SMB connection (port 445) to spread the malicious file across the hosts in the network:
Initiate SMB connection with host found in the network
In addition to spreading via SMB, LockBit uses PowerShell to publish Group Policy updates within the domain to further spread the ransomware file:
The ransomware disables the security software on the host through the registry by setting values related to enabling/disabling the software:
After finishing the encryption procedure, the ransomware drops a file containing instructions for the victim on how to restore their files, and sends it to the connected printers.
The module that contains the API for printing is resolved and loaded through the FNV decryption performed at the beginning of the execution:
EAX contains the module name after decryption, ECX contains the location of “LoadLibrary”
As described earlier, when the encryption procedure is finished, the command for printing the documents is executed:
Printing commands
File’s path: C:\Users\[USERNAME]\AppData\Local\Microsoft\Windows\INetCache
LockBit drops an HTA file called “LockBit_Ransomware.hta” which contains the page presented to the user in the application window opened by the ransomware:
ATT&CK Tactic | ATT&CK Technique |
Reconnaissance | |
Resource Development | |
Initial Access | |
Execution | |
Persistence | |
Lateral Movement | |
Impact | |
Tips From the Expert
In my experience, here are tips that can help you better defend against sophisticated ransomware like LockBit 2.0:
These advanced tips should provide deeper defense mechanisms beyond traditional controls.
LockBit 2.0’s techniques allow it not only to stay hidden from the user/analyst’s eye but also to prevent recovery and set up persistence.
Cynet is able to detect and block LockBit and the encryption process itself using the following detection mechanisms:
Detection Engine – Malicious Binary – Infected File – File Dumped on the Disk / Attempt to Run
This alert triggers when Cynet’s AV/AI engine detects a malicious file that was dumped on the disk.
LockBit 2.0 executable dropped on the host
LockBit 2.0 executable executed on the host
Ransomware Heuristic
This alert triggers when Cynet detects suspicious behavior which can be associated with Ransomware (such as changing file extensions to “.Lock”).
LockBit 2.0 encrypting files and blocked by Cynet
Malicious Process Command
This alert triggers when Cynet detects a CMD process which executes a command that contains suspicious arguments or is associated with malicious patterns.
LockBit 2.0 and other ransomware in the wild delete the backups used to recover the system in order to prevent recovery. Cynet is able to detect and block those operations:
VSSADMIN used to delete all shadows copies from the host
Memory Pattern
This alert triggers when a file is loaded into memory and its memory contains unique strings related to malware.
The LockBit gang has utilized not only digital approaches for spreading the ransomware, but also attempts to attack through the human vector.
The ransomware’s evolution to version 2.0 is interesting, from the obfuscation in the code and the termination of monitoring applications and security products to the other behaviors observed during the analysis. It is important to have security products that are able to detect similar behaviors and block them before sensitive data is lost.
Type | Values |
LockBit 2.0 Executable | 626a4fa1f52623e89b3011c37c2d3ca4069dc5a4d3f5c4f74d4579c2d3d50356 |
HTA File | “LockBit_Ransomware.hta”: 90f3a33919fdd766e90fd96f8f20a92c2d1376b7cfdc8b738c2f8e7e6c7498b1 |
Printing Document | 1d1294dce38b2ae0a5dbe5743097868eac471b559989665ec6b758608b7f2a56 |
Registry Keys | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{SID} (value: path to the LockBit executable); HKCU\Software\1A6895EB2455B9 (value names: “Public”, “Private”); HKCU\Software\Classes\.lockbit\DefaultIcon |