The Story of LockBit Ransomware
After penetrating the network, the attackers take several steps to ensure that the ransomware attack succeeds: they try to infect as many systems as possible, halt business processes, and pressure victims into paying the ransom. The ransomware is executed by means of a UAC bypass and runs in the background while the device is encrypted.
Ransomware attackers prefer to be paid by bank transfer or cryptocurrency, since such transfers are harder for law enforcement to trace. Ransomware operators use malware that encrypts and locks systems, and they also steal sensitive data during an attack. If the victim does not pay or does not respond, the affected company is hit with a second volley designed to put pressure on it.
What is interesting in this case is that a host inside the network downloads the ransomware itself; the attacker only needs access to a system account with enough permissions to reach the other computers in the network and run the ransomware on them.
Many large ransomware gangs limit their online presence to affiliate recruitment and their own private networks. Over the years, the LockBit operation has been active online, with gang representatives promoting the operation and providing support in hacker forums. Like most ransomware groups, the LockBit group advertises its products on the underground web boards used by cybercriminals.
What is LockBit ransomware?
LockBit is a relatively new ransomware family that abuses widely available protocols and tools such as SMB and PowerShell. The LockBit ransomware-as-a-service operation launched in September 2019; it recruits threat actors (affiliates) who penetrate networks and encrypt the devices on them.
LockBit ransomware is malicious software developed to deny users access to their computers until a ransom is paid. Many authorities consider it part of the LockerGoga and MegaCortex malware families. LockBit examines valuable targets before it spreads the infection by encrypting every accessible computer system on the network.
The new LockBit 2.0 variant is able to encrypt Windows domains by using Active Directory group policies. Researchers from MalwareHunterTeam and BleepingComputer, together with malware expert Vitali Kremez, report that they have discovered this new version of the worm, known as LockBit 2.0.
LockBit 2.0 automates the interaction with Active Directory and the subsequent encryption of the Windows domain. Its novel approach is to spread the malware across the domain by creating a new group policy that disables antivirus, which makes it easier for new malware operators to run operations. LockBit 2.0 also has some interesting features that can be used in an Egregor ransomware operation.
How Does LockBit Operate?
LockBit, first spotted in late 2019 under the name ABCD Virus, is more an overhaul and evolution of earlier ransomware than a new design. Researchers are taking a closer look at LockBit, one of the latest ransomware groups active in the field. LockBit operates as RaaS, providing a central control panel in which affiliated groups create new LockBit samples, manage their victims, publish blog posts, and compile statistics about the success and failure of their attacks.
Once an initial foothold is established, the compromise of administrative credentials, internal reconnaissance, lateral movement and file encryption can follow, and LockBit can tear through digital systems in just a few hours. This serves as a reminder that ransomware campaigns can move through organizations faster than humans can respond, which shows the need for automated responses at machine speed to contain the threat before the damage is done.
Research has shown that LockBit affiliates gain Remote Desktop Protocol (RDP) access to servers as their first attack vector, using common phishing and credential-theft techniques. Exploits are also used to compromise vulnerable systems, for example through Fortinet VPN vulnerabilities that have not been patched on the target machines. According to forensic investigations, once on the machines, LockBit-linked threat groups try to identify mission-critical systems such as NAS devices, backup servers, and domain controllers.
The actions of the Himalayas and LockBit groups are indicative of what is to come, as the ransomware threat continues its explosive growth and criminals manage to escape arrest and prosecution.
The list of processes that LockBit checks for is:
- wxServer
- wxServerView
- sqlservr
- RAgui
- supervise
- Culture
- RTVScan
- DefWatch
- sqlbrowser
- winword
- QBW32
- QBDBMgr
- qbupdate
- QBCFMonitorService
- axlbridge
- QBIDPService
- httpd
- fdlauncher
- MsDtSrvr
- tomcat6
- zhudongfangyu
- vmware-usbarbitator64
- vmware-converter
- dbsrv12
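As an added example (not code from the article or from any vendor), the following Python detector raises an alert when several processes from the list above are terminated on the same host within a short window, the kind of burst a defender would want to catch before files are encrypted. The telemetry format, host names and log lines are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names from the article's list, lowercased without ".exe"
LOCKBIT_PROCESS_LIST = {
    "wxserver", "wxserverview", "sqlservr", "ragui", "supervise", "culture",
    "rtvscan", "defwatch", "sqlbrowser", "winword", "qbw32", "qbdbmgr",
    "qbupdate", "qbcfmonitorservice", "axlbridge", "qbidpservice", "httpd",
    "fdlauncher", "msdtsrvr", "tomcat6", "zhudongfangyu",
    "vmware-usbarbitator64", "vmware-converter", "dbsrv12",
}

# Constructed telemetry (not real data): "<ISO time> <host> <action> <image path>"
SAMPLE_LOG = """\
2021-07-27T09:00:01 FS01 TERMINATE C:\\Windows\\notepad.exe
2021-07-27T09:14:02 FS01 TERMINATE C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe
2021-07-27T09:14:02 FS01 TERMINATE C:\\Program Files\\Microsoft SQL Server\\sqlbrowser.exe
2021-07-27T09:14:03 FS01 TERMINATE C:\\Apache24\\bin\\httpd.exe
2021-07-27T09:14:03 FS01 TERMINATE C:\\Program Files\\Intuit\\QBDBMgr.exe
2021-07-27T11:30:00 WS07 TERMINATE C:\\Program Files\\Microsoft Office\\winword.exe
"""

def image_name(path):
    """Return the lowercased base name of a Windows image path without .exe."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def find_bursts(log_text, window=timedelta(minutes=5), threshold=3):
    """Map host -> sorted listed names when >= threshold distinct listed processes die within window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = line.split(" ", 3)  # path may contain spaces
        if action != "TERMINATE":
            continue
        name = image_name(path)
        if name in LOCKBIT_PROCESS_LIST:
            events[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, evs in events.items():
        evs.sort()  # chronological, so each candidate window starts at an event
        for i, (start, _) in enumerate(evs):
            names = {n for t, n in evs[i:] if t - start <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return alerts
```

On the constructed log, FS01 trips the alert (four listed processes terminated within two seconds) while the single winword termination on WS07 does not.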
What can be done against Lockbit?
You also need countermeasures in place to ensure that your business is resilient against ransomware and other malicious attacks from the start. Here are some techniques to defend yourself:
- Strong passwords should be implemented.
- Activate multi-factor authentication.
- Reassess user account permissions.
- Clean out outdated and unused user accounts.
- Ensure system configurations follow all security procedures.
- Always have system-wide backups and clean local machine images prepared.
- Be sure to have a comprehensive enterprise cyber security solution in place.
MITRE TAXONOMY
Technique ID Technique Description
T1107 File Deletion
T1055 Process Injection
T1112 Modify Registry
T1215 Kernel Modules and Extensions
T1060 Registry Run Keys / Start Folder
T1179 Hooking
T1124 System Time Discovery
T1046 Network Service Scanning
T1083 File and Directory Discovery
T1016 System Network Configuration Discovery
T1012 Query Registry
T1082 System Information Discovery
T1057 Process Discovery
T1063 Security Software Discovery
T1047 Windows Management Instrumentation
T1035 Service Execution
T1075 Pass the Hash
IOCs
SHA256 hashes of LockBit samples, with their compile timestamps: