The gang behind LockBit Ransomware-as-a-Service (RaaS) appears to have been quite busy lately, judging by their compromise of a top global consulting firm yesterday, reportedly taking encrypted data from the company and demanding $50 million in ransom not to publish it.
LockBit ransomware has gained huge popularity among threat actors since the first version of the ransomware family appeared in September 2019. It is distributed via various underground forums, and targets victims in the United States, Canada, Europe, Asia, and Latin America.
LockBit uses a double-extortion technique to force victims to pay the ransom as fast as possible, as data is both encrypted locally and exfiltrated to the malware operators before the ransom demand is made. If the victim refuses to cooperate with the threat actors, their data is published to LockBit's leak site, titled 'Leaked Data,' which is currently located on the dark web at:
hxxp[:]//lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion.
At the time of writing this blog, there were 61 victims listed on their TOR site. New victims are added to the list nearly every day.
LockBit 2.0 appeared in the wild in mid-2021. This threat avoids infecting machines in countries that used to be part of the Soviet Union.
Just like Conti, LockBit 2.0 is a ransomware that can spread within a target network using a worm-like functionality. Samples of this version of the threat are generally around 855KB in size.
Upon execution, the malware will search for local subnetworks to try to spread laterally.
Figure 1: Self-spread on local subnetwork
LockBit 2.0 then creates the following registry Run key, which points to the location of the malware file: 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{356A6003-1616-ACEA-19AA-194F316EB255}'
It does this as a way of achieving persistence, as this registry key will restart the threat upon reboot.
Figure 2: Registry run key creation
Then it creates two registry keys. The first one points to the location of the icon file that will be used for encrypted files:
- 'HKEY_LOCAL_MACHINE\Software\Classes\.lockbit\DefaultIcon'
Figure 3: HKEY_LOCAL_MACHINE\Software\Classes\.lockbit\DefaultIcon registry key creation
Affected files will be renamed with an appended file-extension of '.lockbit.'
Figure 4: Files encrypted by LockBit 2.0
The second key points to the location of the image file that will be used to change the desktop wallpaper upon encryption:
- 'HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper'
Figure 5: Registry key modification
The new desktop wallpaper can be seen in the image below.
Figure 6: Changed desktop wallpaper
It also creates the following two registry keys:
- HKEY_CURRENT_USER\Software\586A9703166BAA\Private
- HKEY_CURRENT_USER\Software\586A9703166BAA\Public
Figure 7: Public and private registry key creation
These two registry keys are used as part of the encryption process.
LockBit 2.0 performs checks to see if specific processes are running, and it terminates them if they are found. Those processes include various tools that are commonly used to identify malware on a system, such as ProcMon, Wireshark, and Process Explorer.
This threat also carries out checks to find specific services and stop them. Those services include SQL or other database servers, browsers, Microsoft® Office applications and more. Stopping these services unlocks files that are in use, so they can be encrypted.
The malware then deletes shadow copies and backups stored on the victim's computer, to ensure the user can't easily restore their encrypted files.
A ransom note titled 'Restore-My-Files.txt' is dropped in each affected directory, as shown below:
Figure 8: LockBit 2.0 ransom note
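The registry and file artifacts described above (the GUID-named Run value, the .lockbit DefaultIcon class key, the Private/Public values under Software\586A9703166BAA, the wallpaper change, the .lockbit extension and the Restore-My-Files.txt note) can be turned into a small host-hunting script. The following is an added example, not BlackBerry's code or tooling: it assumes registry telemetry is available as one-line, Sysmon-style 'EventID=... Image=... TargetObject=... Details=...' records (a constructed layout; adapt parse_registry_event() to your own log format) and that file names come from a directory listing. It also generalises slightly beyond the page by flagging any GUID-shaped Run value name at medium severity, which is an assumption rather than something the report states.

```python
"""Hunt for LockBit 2.0 host artifacts (added example, not BlackBerry's code).

Assumptions: registry events are one-line, Sysmon-style records in the
constructed layout 'EventID=.. Image=.. TargetObject=.. Details=..', and
file names come from a directory listing.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Artifacts named in the report.
LOCKBIT_RUN_GUID = "{356A6003-1616-ACEA-19AA-194F316EB255}"  # Run value name (Figure 2)
LOCKBIT_KEY_NAME = "586A9703166BAA"      # HKCU\Software\<this>\{Private,Public} (Figure 7)
RANSOM_NOTE = "Restore-My-Files.txt"     # dropped in each affected directory (Figure 8)
ENCRYPTED_EXT = ".lockbit"               # appended to encrypted files (Figure 4)

# Generalisation (assumption): any GUID-shaped Run value name deserves a medium-severity look.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.IGNORECASE
)

# Constructed line layout; real Sysmon XML/EVTX needs a different parser.
EVENT_RE = re.compile(
    r"EventID=(?P<eid>\d+)\s+Image=(?P<image>.*?)\s+"
    r"TargetObject=(?P<target>.*?)\s+Details=(?P<details>.*)$"
)


@dataclass
class RegistryEvent:
    event_id: int
    image: str    # process that wrote the value
    target: str   # full registry path; Sysmon renders HKCU as HKU\<SID>\...
    details: str  # value data


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    indicator: str
    detail: str


def parse_registry_event(line: str) -> Optional[RegistryEvent]:
    """Parse one constructed-format registry event line; None if it does not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return RegistryEvent(int(m["eid"]), m["image"], m["target"], m["details"])


def classify_registry_event(ev: RegistryEvent) -> Optional[Finding]:
    """Map one registry write onto the report's indicators, most specific first."""
    low = ev.target.lower()
    value_name = ev.target.rsplit("\\", 1)[-1]
    if "\\software\\microsoft\\windows\\currentversion\\run\\" in low:
        if value_name.upper() == LOCKBIT_RUN_GUID:
            return Finding("high", "lockbit2_run_key", ev.image + " set Run value " + value_name + " -> " + ev.details)
        if GUID_RE.match(value_name):
            return Finding("medium", "guid_named_run_key", ev.image + " set GUID-named Run value " + value_name)
    if "\\software\\classes\\.lockbit\\defaulticon" in low:
        return Finding("high", "lockbit_file_class", ev.image + " registered the .lockbit icon -> " + ev.details)
    if "\\software\\" + LOCKBIT_KEY_NAME.lower() + "\\" in low and value_name.lower() in ("private", "public"):
        return Finding("high", "lockbit_key_material", ev.image + " wrote Software\\" + LOCKBIT_KEY_NAME + "\\" + value_name)
    if "\\control panel\\desktop\\wallpaper" in low:
        # Wallpaper changes are common and benign on their own: low severity, useful only in combination.
        return Finding("low", "wallpaper_changed", ev.image + " changed the wallpaper -> " + ev.details)
    return None


def classify_path(path: str) -> Optional[Finding]:
    """Flag ransom notes and files carrying the .lockbit extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if name.lower() == RANSOM_NOTE.lower():
        return Finding("high", "lockbit2_ransom_note", path)
    if name.lower().endswith(ENCRYPTED_EXT):
        return Finding("high", "lockbit_encrypted_file", path)
    return None


def hunt(registry_lines: Iterable[str], file_paths: Iterable[str]) -> List[Finding]:
    """Run both classifiers and return every finding in input order."""
    findings: List[Finding] = []
    for line in registry_lines:
        ev = parse_registry_event(line)
        f = classify_registry_event(ev) if ev else None
        if f:
            findings.append(f)
    for p in file_paths:
        f = classify_path(p)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry: one infected user plus a benign OneDrive Run entry for contrast.
SAMPLE_REGISTRY_EVENTS = [
    r"2021-08-12T10:00:01Z EventID=13 Image=C:\Users\alice\AppData\Local\Temp\lb.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\{356A6003-1616-ACEA-19AA-194F316EB255} Details=C:\Users\alice\AppData\Local\Temp\lb.exe",
    r"2021-08-12T10:00:02Z EventID=13 Image=C:\Users\alice\AppData\Local\Temp\lb.exe TargetObject=HKLM\Software\Classes\.lockbit\DefaultIcon\(Default) Details=C:\ProgramData\icon.ico",
    r"2021-08-12T10:00:03Z EventID=13 Image=C:\Users\alice\AppData\Local\Temp\lb.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\586A9703166BAA\Public Details=Binary Data",
    r"2021-08-12T10:00:04Z EventID=13 Image=C:\Users\alice\AppData\Local\Temp\lb.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Control Panel\Desktop\Wallpaper Details=C:\ProgramData\wall.bmp",
    r"2021-08-12T09:00:00Z EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
]
SAMPLE_FILE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.lockbit",
    r"C:\Users\alice\Documents\Restore-My-Files.txt",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_REGISTRY_EVENTS, SAMPLE_FILE_LISTING):
        print(finding.severity.upper(), finding.indicator, finding.detail)
```

Running the script against the constructed sample yields three high-severity registry findings, one low-severity wallpaper finding and two high-severity file findings, while the benign OneDrive Run entry produces nothing. The registry matches are substring-based on the tail of the path so that the same logic works whether a key is reported under HKEY_CURRENT_USER or under the HKU\<SID> form that Sysmon uses.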
The note states that the victim has been infected with LockBit 2.0, and that their files have been 'stolen and encrypted.' If the victim refuses to cooperate, the note says, their data will be published on the malware operator's 'Leaked Data' site:
- hxxp[:]//lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion
The LockBit2.0 threat actor offers the victim an option to decrypt one of the encrypted files, as a way of demonstrating that their tool can do as it promises. To do so, the victim is required to input their 'decryption ID' at one of the following two TOR sites (as seen in Figure 10):
- hxxp[:]//lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid[.]onion
- hxxp[:]//lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did[.]onion
The decryption IDs are contained in each ransom note. The ID is a 16-byte-long string that is generated from the first 8 bytes of the 'HKEY_CURRENT_USER\Software\586A9703166BAA\Public' registry key, and the 8-byte-long file marker 586A9703166B (as seen in the image below) that is appended to each encrypted file:
Figure 9: Encrypted file structure
If the victim goes to the threat actor's webpage, they are presented with the login screen shown in the image below:
Figure 10: LockBit login page
Upon login, the victim is presented with the message, 'Your files are encrypted by LockBit.' This is followed by an explanation of how they got encrypted, and how to recover those files. The page also presents the victim with the option to decrypt a single file, and the ability to chat with their support team, which can be seen in the screenshot below.
Figure 11: Trial decryptor and chat options
The ransom note also specifies that if the victim refuses to cooperate, their data will be publicly disclosed on their dark web site:
- hxxp[:]//lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion
Figure 12: LockBit leaked data TOR site
The 'Leaked Data' site includes both newly infected victims who still have time left to cooperate, as well as victims who refused to pay the ransom, and whose data has since been leaked and is available for download.
Figure 13: Stolen data is available for download
The leak site also has a section on 'Conditions for partners and contacts.' The page states that LockBit 2.0 is an affiliate program experiencing 'temporarily [sic] relaunch to intake of partners,' which presumably means that they are now accepting new partners after having paused this program for a period of time.
Figure 14: LockBit2.0 feature list
The LockBit authors claim to have the fastest encryption speed of any current ransomware. They provide a comprehensive list of other ransomware families for comparison, as seen in the image below, including information such as their (purported) encryption speed and their sample size.
Figure 15: Ransomware family encryption speed* table (*accuracy not verified)
The threat actors also include a link for potential partners to download each ransomware and test for themselves.
On their website, the LockBit2.0 gang has provided a variety of different methods to contact them.
Figure 16: LockBit2.0 contact information
Having performed open-source intelligence (OSINT) on the Tox ID, we can see that the user who goes by the alias of 'LockBitSupp' is quite active on the Russian hacking forum xss[.]is.
Figure 17: LockBitSupp xss.is account
Looking at this user's activity, they mention in one thread that they live in China. However, this user has restricted access to view their profile.
Figure 18: LockBitSupp claims to live in China
YARA Rule
The following YARA rule was authored by the BlackBerry Threat Research Team to catch the threat described in this document:
import "pe"
rule Mal_Ransom_W32_LockBit2
condition:
(The rule's condition body is not reproduced in this copy of the page.)
Indicators of compromise (file system actions created/modified, registry keys created/modified, processes created): the table is not reproduced in this copy of the page.
If you're battling LockBit malware or a similar threat, you've come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment
The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.
Disclaimer
BlackBerry Ltd. published this content on 12 August 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 13 August 2021 14:11:02 UTC.