Cyble-Lockbit-2.0-Ransomware

A Deep-dive Analysis of LOCKBIT 2.0 

The LOCKBIT 2.0 ransomware group has been highly active in the past few months. The Threat Actors (TAs) linked to this ransomware use a Ransomware-as-a-Service (RaaS) business model. LOCKBIT 2.0 developers customize ransomware variants as per their affiliates’ needs. They also offer various panels and attack statistics to provide victim management capabilities to their affiliates.   

The malware uses the double extortion technique to compel victims into paying ransoms. Through this technique, attackers exfiltrate the victim’s data, after which they proceed to encrypt the data on the victim’s system. Data encryption is followed by the TAs demand ransom in exchange for a decryptor. If the victim refuses or cannot pay the ransom, the TA threatens to leak the data. This ransomware was previously known as ABCD ransomware as the file extension used for encrypting files was .abcd. Now the extension used by this ransomware is .lockbit.   

Figure 1 shows the LOCKBIT 2.0 ransomware gang hosting a blog in the TOR network. This blog, in particular, is used by the TA to share the list of victims and screenshots of the sample data exfiltrated by the attackers from affected systems.  

Figure 1: LOCKBIT 2.0 Blog displaying Victim companies

Like other recently emerging RaaS gangs, LOCKBIT 2.0 also has an affiliate program to attract potential affiliates. Figure 2 shows the affiliate program page. 

Figure 2: Affiliate Program of LOCKBIT 2.0

LockBit is trying to position itself as the fastest encryptor compared to its competitor, RaaS gangs. They have listed the time spent on encryption for datasets of 100GB, 10TB, etc. Figure 3 shows the comparison of LOCKBIT 2.0 with other ransomware gangs. 

Figure 3: LOCKBIT 2.0 Comparing itself with other Ransomware Gangs

Additionally, this ransomware gang does not function in countries formerly a part of the Soviet Union. This gang also uses tools such as StealBIT, Metasploit Framework, and Cobalt Strike.  

StealBIT is an information stealer used by the gang for data exfiltration. Metasploit Framework and Cobalt Strike are penetration testing tools used to emulate targeted attacks on sophisticated networks. 

Figure 4 shows the post in detail.  

Figure 4: Additional affiliate details shared by the LOCKBIT 2.0

Technical Analysis 

Our static analysis of the ransomware shows that the malware file is a Windows x86 architecture Graphical User Interface (GUI) executable compiled on 2021-07-26 13:04:01, as shown in Figure 5. 

Figure 5: Static information About LOCKBIT 2.0 Ransomware

Cyble Research Labs has also found that the malware uses only a few libraries, shown in Figure 6.  

Figure 6: Libraries Used by Ransomware

Furthermore, only a few Application Programming Interfaces (APIs) were present in the ransomware import table, as shown in Figure 7. 

Figure 7: Import Table APIs List 

Figure 8 shows that the ransomware has encrypted user document files and appended them with a .lockbit extension while also changing the icon of all encrypted files. Additionally, the ransomware also drops a ransom note in several folders. 

Figure 8: Encrypted Files and Ransom Note dropped by ransomware 

 Figure 9 shows the content of the ransom note, which instructs the victims on how they can contact the ransomware gang. 

Figure 9: Content of ransom note 

 The ransomware also changes the desktop background, showing additional ransomware gang information, as shown below. 

Figure 10: LOCKBIT 2.0 Changing Desktop Background

To get further insights into the ransomware, we checked which string symbols were present in the malware. 

Figure 11 shows the details of the initial strings which are present in the malware. These strings indicate that the malware can query connected systems in the Active Directory Domain using the Lightweight Directory Access Protocol (LDAP). In query strings, CN stands for Common Name, OU stands for Organization Unit, and DC stands for Domain Component. This information could be used for discovering other linked networks and systems. 

Figure 11: Setting LDAP parameters for Microsoft Active Directory

As seen in Figure 12, the ransomware could use PowerShell commands to query the DC to get the list of computers. Once the list is received, malware could invoke the GPUpdate command remotely on the listed systems. 

Figure 12: PowerShell command for searching computers in the network

Additionally, the ransomware checks for additional mounted hard drives, network shared drives, shared folders of VMs, and deletes the running process using taskkill.exe shown in Figure 12. 

Figure 13 depicts the policy updates that ransomware can push in the active directory environment to other connected systems. To evade detection, the ransomware can disable Windows Defender on running systems and remote systems as well. 

Figure 13: Windows Defender Policies are changed by the ransomware

 While running the ransomware, we observed that it injects itself in dllhost.exe, as shown in Figure 14. 

Figure 14: Ransomware infecting dllhost.exe 

The ransomware adds its execution folder to the Path of the System variables, as shown in Figure 15. 

Figure 15: Malware Added its Present Working Directory in System Path

Figure 16 shows the ransomware looking for various running services like backup services, database-related applications, and other applications shown in Figure 15. If any service is found running in the system, the ransomware kills it. The ransomware uses OpenSCManager and OpenServiceA, as shown in Figure 16. 

Figure 16: Ransomware searching for Services

An additional list of services searched by the ransomware is shown in the table below. 

DefWatch RTVscan tomcat6 
ccEvtMgr sqlbrowser zhudongfangyu 
SavRoam SQLADHLP vmware-usbarbitator64 
Sqlservr QBIDPService vmware-converter 
sqlagent Intuit.QuickBooks.FCS dbsrv12 
sqladhlp QBCFMonitorService dbeng8 
Culserver msmdsrv MSSQL$MICROSOFT##WID 
MSSQL$KAV_CS_ADMIN_KIT MSSQLServerADHelper100 msftesql-Exchange 
SQLAgent$KAV_CS_ADMIN_KIT MSSQL$SBSMONITORING MSSQL$SHAREPOINT 
MSSQLFDLauncher$SHAREPOINT SQLAgent$SBSMONITORING SQLAgent$SHAREPOINT 
MSSQL$VEEAMSQL2012 QBFCService QBVSS 
SQLAgent$VEEAMSQL2012 YooBackup YooIT 
SQLBrowser vss SQL 
SQLWriter svc$ PDVFSService 
FishbowlMySQL MSSQL memtas 
MSSQL$MICROSOFT##WID MSSQL$ mepocs 
MySQL57 sophos veeam 
MSSQL$MICROSOFT##SSEE backup MSSQLFDLauncher$SBSMONITORING 

The ransomware creates a shared folder for VMWare to spread to other systems, as shown in Figure 17. 

Figure 17: Ransomware creating VMWare shared folder and Dropping Sample 

The encryption operation of the LOCKBIT 2.0 is similar to what we have observed in other ransomware groups. The flow of operation is shown below. 

Figure 18: Common Encryption Operation 

Conclusion  

LOCKBIT 2.0 is a highly sophisticated form of ransomware that uses various state-of-the-art techniques to perform ransomware operations. Current and potential LOCKBIT 2.0 victims’ range across multiple domains, from IT, services to banks. Our research indicates that affiliates of the group drop this ransomware inside an already compromised network.  

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below: 

  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and internet security software package on your connected devices.     
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • Conduct regular backup practices and keep those backups offline or in a separate network. 

Indicators of Compromise (IoCs):   

Indicators Indicator type Description 
0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049 Hash SHA-256 

About Us  

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.  

%d bloggers like this: