LOCKBIT RANSOMWARE
Introduction
LockBit ransomware, formerly known as ABCD ransomware, first appeared in 2019, distributed through phishing emails and brute-force attacks against exposed machines.
Attacks involving LockBit have been frequent and have targeted medium- to large-sized organisations in many countries, including the United States, China, India, Indonesia, Ukraine and several countries across Europe.
There is no decryptor for any of the active LockBit variants, and the average ransom demanded is $57,600, paid through the Tor chat addresses provided in the ransom note.
Modus Operandi
Initial access
The infection vectors used by the threat actors are phishing emails and brute-force attacks against the target's exposed servers. Once they have a foothold on a machine, they run a remote PowerShell script that downloads a further script from a heavily obfuscated Google Sheets document; that script contacts a command-and-control (C&C) server to retrieve and install a PowerShell module that acts as a backdoor installer. Because the intrusion relies so heavily on PowerShell, the actor renames their copies of powershell.exe and of the Microsoft HTML Application Host (mshta.exe) to evade name-based monitoring (the PE version information still identifies the real binary, which is one way to catch the renamed copies). Once the backdoor is installed, it registers a scheduled task that runs a VBScript whenever the compromised machine restarts; the VBScript downloads a second backdoor from another C&C server and executes it.
Installation
The threat actor then runs a PowerShell command that retrieves a .png file from a compromised website; the file is actually a .NET loader, which is used to fetch the final LockBit payload. The payload is delivered as a base64-encoded string encrypted with AES. The loader decrypts it, checks for the Visual Basic compiler (vbc.exe), downloading it if it is absent, and then uses vbc.exe to compile and execute the decrypted payload. LockBit is then loaded into memory by process hollowing: it creates a new process in a suspended state, writes its own code into that process, and resumes execution. LockBit next locates volume shadow copies and deletes any it finds, so that files cannot be restored from them, and it kills processes and stops services related to antivirus, database, backup and document-editing software, working from a predefined list of service and process names.
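The staging chain described in the two sections above (renamed powershell.exe/mshta.exe, the scheduled task that runs a VBScript, vbc.exe compiling the decrypted payload, shadow-copy deletion and service stops) leaves a recognisable trail in process-creation telemetry. The hunt below is an added example written for this page, not LockBit's code and not from the original report: it runs over Sysmon Event ID 1 records exported as JSON lines. The sample events, paths and task names are constructed for illustration, and the parent allowlist for vbc.exe is an assumption to be tuned per estate.

```python
"""Hunt for the LockBit staging behaviours described above in Sysmon
process-creation (Event ID 1) records exported as JSON lines.

Added example for this write-up, not LockBit's own code and not code from
the original report. Field names follow Sysmon's Event ID 1 schema (Image,
ParentImage, CommandLine, OriginalFileName); the sample events below are
constructed, not captured from a real incident."""
import json
import ntpath
import re

# Binaries the actor renames. Sysmon fills OriginalFileName from the PE
# version resource, so a renamed copy still reports the real name there.
RENAMED_LOLBINS = {"powershell.exe", "mshta.exe"}

# Shadow-copy deletion via vssadmin, wmic or WMI from PowerShell.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"Win32_ShadowCopy.*\bDelete\b", re.I)
# Service stops and forced process kills used to unlock AV/DB/backup files.
SERVICE_STOP = re.compile(
    r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*/f)", re.I)
# Parents from which the VB compiler is expected (assumed allowlist).
VBC_OK_PARENTS = {"devenv.exe", "msbuild.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def analyse_event(ev):
    """Return the list of findings for one process-creation event ([] if clean)."""
    findings = []
    image = _base(ev.get("Image", ""))
    parent = _base(ev.get("ParentImage", ""))
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")

    # 1. Renamed PowerShell / mshta: on-disk name differs from the PE's own name.
    if original in RENAMED_LOLBINS and image != original:
        findings.append(f"renamed {original} running as {image}")
    # 2. Persistence: schtasks registering a task that runs a .vbs.
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
            and re.search(r"\.vbs\b", cmd, re.I):
        findings.append("scheduled task created to run VBScript")
    # 3. Stage 2: vbc.exe compiling the decrypted payload from a non-developer parent.
    if image == "vbc.exe" and parent not in VBC_OK_PARENTS:
        findings.append(f"vbc.exe spawned by {parent}")
    # 4. Shadow copies removed so the host cannot be rolled back.
    if SHADOW_DELETE.search(cmd):
        findings.append("volume shadow copy deletion")
    # 5. Services stopped / processes killed before encryption.
    if SERVICE_STOP.search(cmd):
        findings.append("service stop / forced process kill")
    return findings


def hunt(json_lines):
    """Run analyse_event over a JSON-lines export; return {line_index: findings}."""
    hits = {}
    for i, line in enumerate(json_lines):
        findings = analyse_event(json.loads(line))
        if findings:
            hits[i] = findings
    return hits


# Constructed sample: five stages of the chain plus one benign PowerShell launch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\svch0st.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"svch0st.exe -nop -w hidden -ep bypass -f C:\Users\Public\stage1.ps1"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Users\Public\svch0st.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "wscript.exe C:\Users\Public\upd.vbs" /sc onstart /ru SYSTEM'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe", "OriginalFileName": "vbc.exe",
     "ParentImage": r"C:\Users\Public\svch0st.exe",
     "CommandLine": r"vbc.exe /target:winexe /out:C:\Users\Public\a.exe C:\Users\Public\a.vb"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "ParentImage": r"C:\Users\Public\a.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "ParentImage": r"C:\Users\Public\a.exe",
     "CommandLine": "net stop MSSQLSERVER /y"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Process"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_LOG).items():
        print(f"event {idx}: " + "; ".join(found))
```

The first check is the one worth keeping even if the rest are tuned away: matching OriginalFileName against the on-disk name catches renamed copies of any signed binary, not only the two named here. The shadow-copy and service-stop checks will also fire on legitimate administration, so treat them as triage signals that gain weight when they appear in the same short time window as the other findings.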
Encryption
LockBit uses the AES and RSA algorithms to encrypt the target's files (the usual hybrid arrangement: AES for the file contents and RSA to protect the AES key, which is why recovery is not feasible without the attacker's RSA private key). While it is encrypting, it also scans the target's network and tries to connect to other machines over SMB (TCP port 445). Whenever it reaches another machine, it attempts to run a PowerShell script that downloads LockBit onto that machine, spreading the ransomware across the target's network.
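The SMB spreading described above has a network signature that does not depend on the payload: a single host opening TCP/445 connections to many distinct peers in a short window, which ordinary clients (which talk to a handful of file servers repeatedly) do not do. The detector below is an added example written for this page, not LockBit's code and not from the original report. The log format (ISO timestamp, src, dst, dport, proto) is an assumed simplification of a firewall or NetFlow export, the records are constructed, and the window, threshold and scanner allowlist are assumed tunings.

```python
"""Spot LockBit-style SMB self-propagation in connection logs: one source
opening TCP/445 connections to many distinct hosts within a short window.

Added example for this write-up, not LockBit's code and not from the
original report. The log format (ISO timestamp,src,dst,dport,proto) is an
assumed simplification of a firewall/NetFlow export; the sample records are
constructed, and the threshold, window and allowlist are assumed tunings."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per source host
THRESHOLD = 8                    # distinct 445 peers inside the window that trigger an alert
ALLOWLIST = {"10.0.0.5"}         # e.g. an authorised vulnerability scanner (assumed)


def parse(line):
    """One record -> (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def detect_smb_fanout(lines, window=WINDOW, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return {src: (alert_time_iso, distinct_peers)} for the first moment each
    source reaches `threshold` distinct SMB peers inside `window`.

    Repeated connections to the same peer (a client hammering one file server)
    do not count; the signal is breadth, which a worm-like sweep produces and
    normal client traffic does not."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) inside the window
    alerts = {}
    for ts, src, dst, dport, proto in sorted(parse(l) for l in lines if l.strip()):
        if proto != "tcp" or dport != 445 or src in allowlist:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop entries that aged out of the window
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= threshold and src not in alerts:
            alerts[src] = (ts.isoformat(), len(peers))
    return alerts


def _constructed_log():
    """Constructed sample traffic (not a real capture)."""
    base = datetime(2024, 1, 15, 3, 12, 0)
    lines = []
    # Infected workstation sweeping a /24 on 445, one new host per second.
    for i in range(1, 13):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()},10.0.1.20,10.0.2.{i},445,tcp")
    # Normal client talking to a single file server repeatedly.
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()},10.0.1.30,10.0.3.10,445,tcp")
    # Allowlisted vulnerability scanner sweeping the same range.
    for i in range(1, 13):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()},10.0.0.5,10.0.2.{i},445,tcp")
    # Slow admin activity: 10 hosts over 10 minutes, never 8 inside one window.
    for i in range(10):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()},10.0.1.40,10.0.4.{i + 1},445,tcp")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, (when, count) in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"{when} {src} reached {count} distinct SMB peers within {WINDOW.seconds}s")
```

Removing the allowlist makes the scanner alert as well, which is the point of keeping one: authorised sweeps and an infected host look identical at this layer, so the allowlist must be short and reviewed. Raising the threshold or lengthening the window trades missed slow spreaders for fewer alerts on administrative tooling.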