The Cybereason Nocturnus team has been tracking the LockBit ransomware since it first emerged in September 2019 as a ransomware-as-a-service (RaaS). Following the rise of the new LockBit2.0 and the latest events, including the attack against the global IT company Accenture, we wanted to provide more information about the attack and show how the Cybereason Defense Platform protects customers from this threat.
Cybereason Blocks LockBit2.0 Ransomware
In August 2021, the group published on their website that they have breached the security company Accenture, and threaten to publish their sensitive information and stolen data.
After a few days of not publishing the data stolen from them, and extending their countdown multiple times. The group added this sentence to Accenture’s description: “Dudos every day” - which might imply that they are conducting DDOS activity against Accenture to push them into paying the ransom fee. This tactic is not unique, different ransomware groups have adopted the triple extortion trend, since (apparently) sometimes, double extortion is not enough for them.
The LockBit group is suspected to be operated by Russian speakers. In the past, the group was recruiting affiliates in Russian hacking forums but since many hacking forums started to ban ransomware-related threads, the group started recruiting directly on their website. Similar to other Russian-based threat actors, they avoid targeting any victims in former Soviet states.
According to the LockBit group, LockBit2.0 is “the fastest encryption software all over the world,” and they are even sharing a test sample on their website, so everyone who “has any doubts” can check their claim:
According to the group’s website, there are major improvements in the new version of LockBit2.0, and addition of new features. Among the new features are: port scanner, using wake-on-lan to switch on turned off machines, print-out using network printers and automatic distribution in the domain, which puts corporates and small businesses in great danger:
Same as other ransomware emerged over the years, the LockBit group follows the growing trend of double extortion (and sometimes even triple extortion, as mentioned above). They steal sensitive files and information from their victims, potentially by using another tool from their arsenal called StealBit, and later use it to extort the victims by threatening to publish the data unless the ransom is paid:
Since LockBit mostly relies on affiliates to carry out the operations, there are different infection vectors observed being used to infiltrate a network and install the ransomware. Most commonly seen method is through buying Remote Desktop Protocol (RDP) access to servers, but some affiliates also use typical phishing attacks to launch their operations.
Another interesting approach the LockBit group uses is trying to gain access to corporate networks by recruiting employees who can grant them insider access. They offer "millions of dollars'' for corporate insiders who provide access to networks where they have an account. Since the message appears after the already breached the network, it is most likely targeting external IT/IR consultants who may see the message while responding to the attack, or other people reading about it:
Once the ransomware operator or affiliate makes their way into a network, they begin to collect sensitive information and files and exfiltrate them. One tool that is used for this purpose, and is also offered to affiliates by the LockBit group, is a stealer they named “StealBit”, which, according to the group, is the fastest stealer in the world and it automatically downloads all the files to the LockBit blog:
PDB found: E:\work\proj\file_sender\x64\file_sender.pdb
First, the stealer collects information about the environment such as machine name, username, OS version, available disk space and physical and virtual memory status. The stealer enumerate the logical drives that are available on the victim's computer and recursively walk through the files in them and collects office documents files and pdf files, encrypts them send it to the server as “uploadFile.php” using HTTP POST method:
Each file is added with information such as the file size, original file name and machine name:
After exfiltrating the files, the stealer runs a PowerShell command that kills the malware's process and then deletes the malware file from the filesystem:
LockBit2.0 tries to spread via shared folders. It copies it’s binary to remote machines and then executes it. In addition, the group mentioned on their website that they provide a port scanner to their affiliates that can detect all DFS, SMB, WebDav shares - which suggest other ways of spreading in the network.
When executed on the Domain Controller, the ransomware has the ability to spread in the network using GPO.
First, the ransomware will query the Active Directory and create a list of machines to whom it will attempt to spread. For that it will perform LDAP queries and search for objectCategory=computer. Then, the ransomware will create several new group policies on the domain controller that are then pushed out to every device on the network using the following PowerShell command:
PowerShell.exe -command “Get-ADComputer -filter * -Searchbase ‘%s’ | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}”
One policy was created for disabling Microsoft Defender's real-time protection, alerts, submitting samples to Microsoft, and default actions when detecting malicious files:
Another group policy was created for the purpose of spreading the ransomware binary and creating persistence on the remote machines to execute it via scheduled task:
After LockBit has finished the encryption process, it starts to bomb the ransom note to all networked printers- repeatedly print the ransom note to any connected network printers to get the victim's attention. This feature was previously used by the Egregor Ransomware, which caused ransom notes to shoot out of receipt printers:
Once the files are encrypted, the ransomware drops the ransom “Restore-My-Files.txt” note in every folder, making sure it is noticeable to the victim. In addition, the icons of the files are replaced with LockBit's icon and the extensions .lock and .lockbit are added to the encrypted files:
To make sure that the end user wouldn’t miss the message, LockBit also start a process that is responsible to shows this message:
If, by any chance, the end user didn’t see the pop-up message, the new files icons, the ransom notes, or the printed ransom notes, LockBit also changes the desktop background:
Finally, same as most of the ransomware gangs these days, LockBit sets a deadline for the victim to pay the ransom, and if the deadline passes without payment, they leak the victim data on their website.
The Cybereason Defense Platform is able to prevent the execution of LockBit2.0 Ransomware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generates a MalopTM for it:
Using the Anti-Malware feature with the right configurations (listed in the recommendations below), The Cybereason Defense Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files. The prevention is based on machine learning, which prevents both known and unknown hashes:
Open the chatbot on the bottom right corner of this report to access the LockBit2.0 ransomware IOCs
|
Initial Access |
Lateral Movement |
Persistence |
Defense Evasion |
Discovery |
Command and Control |
Impact |
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
As part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Racoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.