TRENDING

Cyble-Lockbit-3.0-Black

Lockbit 3.0 –  Ransomware group launches new version

Cyble analyzes the return of Lockbit ransomware as Lockbit 3.0/"Lockbit Black" and how it has been actively targeting the BFSI sector.

“Lockbit Black” actively targeting BFSI Sector

LockBit ransomware is currently one of the most popular and active ransomware groups in the wild. This ransomware variant was first detected in September 2019 and used by Threat Actors (TAs) to target multiple sectors and organizations worldwide. The TAs behind LockBit operate under the Ransomware-as-a-Service (RaaS) business model.

In the figure below, we have prepared a breakdown of the industries targeted by the LockBit ransomware. As per our investigation, we determine that over 1/3rd of the ransomware gang’s victims are from the BFSI sector, followed by the Professional Services sector.

Figure 1 Industries Targeted by the LockBit Ransomware
Figure 1 – Industries Targeted by the LockBit Ransomware

In August 2021, LockBit 2.0 ransomware was analyzed by Cyble Research Labs. In March 2022, the TAs behind LockBit announced that LockBit 3.0 would be released shortly. Last week, the TAs updated their leak site with information about their latest version and its features (shown below).

Figure 2 LockBit 3.0 Ransomware Functionalities
Figure 2 – LockBit 3.0 Ransomware Functionalities

While searching for the latest LockBit 3.0 sample, Cyble Research Labs came across a Twitter post wherein a researcher mentioned that a new version of ransomware named “LockBit 3.0” (also referred to as “LockBit Black”) is now active in the wild.

LockBit 3.0 encrypts files on the victim’s machine and appends the extension of encrypted files as “HLJkNskOq.”

LockBit ransomware requires a key from the command-line argument “-pass” to execute. The below figure shows the process chain of the LockBit ransomware file.

Figure 3 LockBit 3.0 Ransomware Process Tree
Figure 3 – LockBit 3.0 Ransomware Process Tree

Technical Analysis

The sample hash (SHA256), 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932cewas taken for this analysis.

Based on static analysis, we identified that the ransomware is encrypted and decrypts the strings and code during runtime.

The ransomware resolves its API functions dynamically, as shown below.

Figure 4 – Resolved API functions of LockBit 3.0
Figure 4 – Resolved API functions of LockBit 3.0

After that, it creates a mutex to ensure that only one instance of malware is running on the victim’s system at any given time.

The malware exits if the mutex is already present. The below figure shows the created mutex name.

Figure 5 Mutex Creation
Figure 5 – Mutex Creation

The ransomware creates multiple threads using the CreateThread() API to perform several tasks in parallel for faster file encryption, as shown in Figure 6.

Each thread is responsible for querying system information, getting drive details, ransom note creation, getting file attributes, deleting services, file search, encryption, etc.

Figure 6 Multiple Thread Creation
Figure 6 – Multiple Thread Creation

Before encrypting the files, the ransomware uses the WMI query to enumerate Volume Shadow copies using the command “select * from Win32_ShadowCopy”.

It then deletes the copies using “Win32_ShadowCopy.ID,” as shown in Figure 7.

The ransomware performs this operation to prevent any attempts at system restoration after encrypting the files.

Figure 7 Delete ShadowCopy
Figure 7 – Delete ShadowCopy

LockBit 3.0 ransomware deletes a few services to encrypt the files successfully. To delete these services, the ransomware calls the OpenSCManagerA() API to get the service control manager database access.

After gaining access, the ransomware enumerates the services and fetches the service names from the victim’s machine.

It then checks for the presence of these services and deletes them if they are actively running on the victim’s machine. The below image shows the list of some service names targeted by ransomware.

Figure 8 List of Services for Deletion
Figure 8 – List of Services for Deletion

After deleting the services, the ransomware drops two files named “HLJkNskOq.ico” and “HLJkNskOq.bmp” in the %programdata% location.

The ransomware creates a “DefaultIcon” registry key for the extension “HLJkNskOq” shown in the figure below.This operation changes the icons of the encrypted files, which have the extension “HLJkNskOq.”

Figure 9 Registry Modification of Default Icon
Figure 9 – Registry Modification of Default Icon

Before initiating the encryption process, the ransomware drops the below ransom note in multiple folders with the file name “HLJkNskOq.README.txt.”

Figure 10 – LockBit 3.0 Ransomware Note
Figure 10 – LockBit 3.0 Ransomware Note

The ransomware then encrypts the victim’s files, appends the extension “.HLJkNskOq,” and changes the file’s icon as shown below.

Figure 11 Encrypted Files
Figure 11 – Encrypted Files

Finally, the ransomware changes the victim’s wallpaper leveraging the file “HLJkNskOq.bmp” using the systemparametersinfoW() API function.

Figure 12 LockBit 3.0 Changing Desktop Background
Figure 12 – LockBit 3.0 Changing Desktop Background

In the dropped ransom note, victims are instructed on how to pay the ransom to decrypt their encrypted files. Additionally, the TAs threaten the victims stating that their personal data will be posted on their leak site if the ransom is not paid within the specified window.

After visiting the TOR link mentioned in the ransom note, it opens the TA’s leak site page, which is updated with new features containing a Twitter icon to search for posts related to this ransomware on Twitter.

Additionally, TAs created a link on their leak site, redirecting users to a page where they have announced the Bug Bounty program. This program invites all

security researchers/ethical and unethical hackers to find flaws in their ransomware project to make it bug-free and more stable.

Figure 13 LockBit 3.0 Ransomware Home Page
Figure 13 – LockBit 3.0 Ransomware Home Page

The affiliate rules page of the leak site includes ransomware functionalities and affiliate program details, which support languages such as English, Chinese, Spanish, etc.

The TAs behind LockBit 3.0 suggest that their victims buy Bitcoin using the payment options shown in the figure below.

Figure 14 Ways to Buy Bitcoin to decrypt files
Figure 14 – Ways to Buy Bitcoin to decrypt files

The figure below shows the chat option on the leak site for communication with the TAs. Also, the “Trial Decrypt” option is available to victims to test an encrypted file’s decryption.

Figure 15 Trial Decryption Chat Options
Figure 15 – Trial Decryption & Chat Options

Conclusion

Ransomware is becoming an increasingly common and effective attack method to target organizations and adversely impact their productivity.

LockBit 3.0 is a highly sophisticated form of ransomware that uses various techniques to conduct its operations. Cyble will closely monitor the campaign and continue to update our readers with the latest information on ransomware.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  •     Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  •     Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  •     Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  •     Detach infected devices on the same network.
  •     Disconnect external storage devices if connected.
  •     Inspect system logs for suspicious events.

Impacts And Cruciality of LockBit 3.0 Ransomware

  •     Loss of Valuable data.
  •     Loss of the organization’s reputation and integrity.
  •     Loss of the organization’s sensitive business information.
  •     Disruption in organization operation.
  •     Financial loss.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1204User Execution
Defence EvasionT1112
T1497
Modify Registry
Virtualization/Sandbox Evasion
DiscoveryT1082
T1083
System Information Discovery
File and Directory Discovery
ImpactT1486Data Encrypted for Impact
CNCT1071Application Layer Protocol
Defense EvasionT1070Indicator Removal on Host

 

Indicator Of Compromise (IOCs)

IndicatorsIndicator
Type
Description
38745539b71cf201bb502437f891d799
f2a72bee623659d3ba16b365024020868246d901
80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce
MD5
SHA1
Sha256
LockBit 3.0
EXE file

Share the Post:

Discover more from Cyble

Subscribe now to keep reading and get access to the full archive.

Continue reading

Scroll to Top