As crime grows in the digital world, cyber criminals try to make their malware more sophisticated. Ransomware is one such malware that tries to lock the victim’s data by encrypting and making them inaccessible by the victim and demand for ransom to unlock it. In this blog, we will see the most prevalent Ransomware of 2022, which is Lockbit Ransomware. Lockbit was first caught in September 2019, and after that, it has seen a lot of improvement with the release of Lockbit 2.0 in 2021 and Lockbit 3.0 in mid of 2022. Since Lockbit 3.0 is the currently running version of the Lockbit family, let’s dive into learning what is Lockbit 3.0, who is behind it, how Lockbit 3.0 works and its stages of the attack, its victims, IOCs, and finally, how to protect from Lockbit 3.0 ransomware, in this post.
Table of Contents
What is Ransomware and Ransomware as a Service (RaaS)
Ransomware is nothing but malicious software (Malware) that lock the system by encrypting the files and demanding a ransom for releasing it. Ransomware as a service (Raas) is a business model which uses an already developed ransomware tool and provide it as a service for attackers in exchange for financial compensation.
The most common RaaS revenue models are
- No profit sharing with a monthly fee
- Flat fee and subscription-based
- Only profit sharing
- Subscription model and also share a profit percentage
The most widely exploited Ransomware of the year 2022 is Lockbit 3.0. In this post, we will look into what is Lockbit 3.0 and how to protect from Lockbit ransomware.
What is Lockbit 3.0? Who is Behind It?
Lockbit 3.0 is the latest strain of malware released by the popular Lockbit ransomware family. Lockbit ransomware was First observed in September 2019. However, the Lockbit gang became prevalent through Lockbit 2.0 in 2021.
Lockbit ransomware gang targets multiple organizations all around the world. This family of ransomware programs is self-spreading. The main target of this group are organizations that are able to pay a large ransom. This ransomware family uses Ransomware as a service(RaaS) operating model where users can pay and get the ransomware services as a subscription. It is also suspected that Lockbit ransomware gang has roots in the black matter threat actors.
After successful years of using Lockbit 2.0, by late 2022, the ransomware family released a more powerful strain of the ransomware program Lockbit 3.0 aka Lockbit black. To make things worse, they also adopted a double extortion model, which means they not only encrypt the files but do exfiltration as well. These files are shared to another device, making it scarier for the victim and urging them to pay the ransom.
How Lockbit 3.0 Works?
Like every other attacker group, Lockbit ransomware group also has some specific features, one of the most remarkable features of this Ransomware is its ability to self-propagate. There are multiple predefined automated processes set in the code of Lockbit, which makes it unique from other ransomware groups which are driven manually, which helps in completing recon much faster.
After infecting a single host, Lockbit ransomware can propagate itself and find other accessible hosts without any human intervention. One of the other notable features used by the Lockbit ransomware is the tools in a pattern that is native to an operating system which makes it more difficult for the endpoints to detect any suspicious behavior. They also hide the executable file in a .PNG format to deceive the defense mechanism.
Stages of Lockbit Attack
Lockbit attack can be roughly divided into three stages
- Exploit
- Infiltrate
- Deploy
Exploit:
The initial stage of a ransomware attack is by exploiting a weakness in a network. This initial exploitation can be via multiple methods, which may include phishing, social engineering, and other tactics as well. The attacker can also utilize weak password policies or other vulnerabilities, zero days, and misconfigurations in the network to gain initial access. It’sIt’s RaaS module recruits Initial Access Brokers (IAB) to obtain stolen credentials for Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) access.
Once the initial foothold is established, the Ransomware prepares itself to be spread across multiple devices in the network. Before that, the threat actor makes sure all requirements are in place.
Infiltrate:
Once the Ransomware is in the network, the attacker tries to download C2 tools on the compromised environment. Lockbit uses Red Team framework tools like Cobalt Strike Beacon, MetaSploit, and Mimikatz to infiltrate further to make the system ready for attack. As previously mentioned, the Lockbit program has multiple automated processes, which helps it to propagate independently to gain access by privilege escalations and lateral movement.
In this stage, the Ransomware prepares the system by disabling security programs or any other defensive mechanism so that they can deploy the encryption portion of the Ransomware safely.
The main goal of this stage is to make the victim helpless in recovering the encrypted files unassisted, hence urging them to pay ransom to restore the operations.
Deploy:
Once the exploit and infiltrate stages are completed successfully the Ransomware installs itself in the Windows Registry to maintain persistence and releases its encryption payload, which travels effortlessly through the network and starts encrypting or putting a lock on all the system files. It uses a pair of ECC (Curve25519) session keys, with the private key encrypted with an ECC public key stored in the Windows Registry. The deploy stage is much easier as a single system with high privilege can do complete damage.
Once the encryption is completed, all system files will be locked from the victim, which can be only unlocked by a custom key created by Lockbit’s proprietary decryption tool. The attacker also makes sure to leave a ransom note which provides instructions on what can be done to access the file back. It may also include a threatening blackmailing note.
After all the stages are completed, the rest is up to the victim. They may pay the ransom for restoring the files by following their demands. However, this is not advised as the victim has no guarantee of what the attackers may request.
What Did Security Researchers Find About Lockbit 3.0 in Their Analysis?
- Trend Micro researchers say that the Lockbit 3.0 is a Win32.exe file that has multiple sections packed with an undisclosed packer.
- As per the original source of the malware below argument is used for execution.
- An Icon file (.ico) will be dropped in the %PROGRAMDATA% folder, which has the same file name as the one appended to encrypted files.
- The extension ”HLJkNskOq” will be appended, and the icons will be changed.
- The ransom note is dropped where they mention “”Ilon Musk”” and “”GDPR””
- They also change the wallpaper so that the victim understands they have been hacked.
{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a
On Sep 2022, An unknown user, @ali_qushji published that his team had hacked the Lockbit servers, and he made the malware build available on GitHub. Please check out the post published on VMware blogs for more technical details about the Lockbit Black.
Who Can Be Affected by Lockbit 3.0?
If we talk about the operating system platforms, Lockbit predominantly targets the windows platform. However, it is also seen that the new version of Lockbit has evolved to target Linux systems, including virtual environments such as VMWare ESXi.
When you look at the geo-locations, the malware has tried victimizing the United States, Canada, Europe, Asia, and Latin America. And also, it has been observed that the group has been seen ignoring the countries from Eastern Europe region and the Commonwealth of Independent States except for Ukraine.
When you look at the Organization list, Lockbit most likely targeted small to mid-sized businesses. This doesn’t mean that large-sized organizations should ignore this malware. All organizations must be very vigilant in such kinds of ransomware attacks. As per the statistics shared by BlackBerry, at least 478 blocks on the Lockbit malware family are observed, which makes it almost five attempts per day worldwide, including all Lockbit versions
Indicator Of Compromise IOC
Hash
060bd55768e0edc037651bf50c54248e9451d57d4da795b9d8ea03829085cea1 |
0815277e12d206c5bbb18fd1ade99bf225ede5db |
091b490500b5f827cc8cde41c9a7f68174d11302 |
10039d5e5ee5710a067c58e76cd8200451e54b55 |
6490c1fec33f70d41c8112be2022d5f656c5d060b12db00a8f945938fda2cab5 |
729eb505c36c08860c4408db7be85d707bdcbf1b |
82bd4273fa76f20d51ca514e1070a3369a89313b |
a512215a000d1b21f92dbef5d8d57a420197d262 |
c05216f896b289b9b426e249eae8a091a3358182 |
e35a702db47cb11337f523933acd3bce2f60346d |
eed31d16d3673199b34b48fb74278df8ec15ae33 |
ff01473073c5460d1e544f5b17cd25dadf9da513 |
IOC | Description |
c2bc344f6dde0573ea9acdfb6698bf4c | MD5 Builder File |
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77 | SHA1 Builder File |
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db | SHA256 Builder File |
71c3b2f765b04d0b7ea0328f6ce0c4e2 | MD5 keygen File |
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4 | SHA1 keygen file |
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37 | SHA256 keygen file |
4d388f95a81f810195f6a8dfe86be755 | MD5 Resource 100 |
cb6fdb25a15b7797890fadc2b823984f93da5368 | SHA1 Resource 100 |
cc3d006c2b963b6b34a90886f758b7b1c3575f263977a72f7c0d1922b7feab92 | SHA256 Resource 100 |
87308ec0a44e79100db9dbec588260ec | MD5 Resource 101 |
939ff7e5eeaccb0c2f4ee080a8e403e532b6317a | SHA1 Resource 101 |
03b8472df4beb797f7674c5bc30c5ab74e8e889729d644eb3e6841b0f488ea95 | SHA256 Resource 101 |
4655a7ac60ed48df9b57648db2f567ef | MD5 Resource 103 |
02ea524429ba2aefac63fed27e924ab3659f8c00 | SHA1 Resource 103 |
a0db5cff42d0ee0de4d31cff5656ed1acaa6b0afab07d19f9f296d2f72595a56 | SHA256 Resource 103 |
23a30838502f5fadc97e81f5000c4190 | MD5 Resource 106 |
9c1142122370c9b28b13aa147c6e126b3be50845 | SHA1 Resource 106 |
ae993930cb5d97caa5a95b714bb04ac817bcacbbf8f7655ec43e8d54074e0bd7 | SHA256 Resource 106 |
Yara Rules to Detect Lockbit Black
import "pe"
rule LockBit_3_dll
{
meta:
author = "VMware TAU" //bdana
date = "2022-Oct-12"
description = "Identifies LockBit 3.0 DLL encryptor by exported function names."
rule_version = “1”
yara_version = "4.2.3"
exemplar_hash = “c2529655c36f1274b6aaa72911c0f4db7f46ef3a71f4b676c4500e180595cac6”
condition:
pe.exports("del") and
pe.exports("gdel") and
pe.exports("gdll") and
pe.exports("gmod") and
pe.exports("pmod") and
pe.exports("sdll") and
pe.exports("wdll")
}
rule LockBit_3_exe
{
meta:
author = "VMware TAU" //bdana
date = "2022-Oct-12"
description = "Identifies LockBit 3.0 exe encryptor section names, and artifact section names."
rule_version = “1”
yara_version = "4.2.3"
exemplar_hash = “5202e3fb98daa835cb807cc8ed44c356f5212649e6e1019c5481358f32b9a8a7”
strings:
$text = ".text" ascii wide
$itext = ".itext" ascii wide
$data = ".data" ascii wide
$rdata = ".rdata" ascii wide
$idata = ".idata" ascii wide
$xyz = ".xyz" ascii wide
$reloc = ".reloc" ascii wide
$bss = ".bss" ascii wide
condition:
#text > 2 and
#itext > 1 and
#data > 1 and
#rdata > 2 and
#idata > 3 and
$reloc and
$bss and $xyz and not
for any i in (0..pe.number_of_sections-1) : (
pe.sections[i].name == ".xyz" or
pe.sections[i].name == ".bss"
)
}
How to Protect From Lockbit 3.0?
After we learn what is lockbit 3.0, now it’s time to know how to protect from Lockbit 3.0 malware. We have listed a few guidelines that help you protecting your assets from Lockbit 3.0.
- Every organization must be prepared by having an effective endpoint detection and response software that will quickly identify and isolate the system which is likely to be infected by the Ransomware.
- RDP hardening should be done, and users with RDP access must make sure to turn it off when not in use.
- The principle of least privilege must be in place so that privilege escalation and lateral movement will be very hard.
- All users in an organization must be aware of basic cyber security policies, and appropriate training should be provided on time.
- Multi-factor authentication and strong password policies should be implemented.
- Make sure to clean outdated and unused user accounts.
- All system configurations must be in line with the security policies.
- Even at best, preparedness breaches can still happen. Hence a disaster recovery plan must be in place for all organizations.
Conclusion
As technology is advancing, methods to exploit are also increasing exponentially. Every organization or individual must be prepared against this kind of ransomware attack. We hope this post helped you understand what is Lockbit 3.0 and how to protect from Lockbit ransomware attacks.
If you find this information valuable, please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/292596.html