Cybereason vs. LockBit2.0 Ransomware

The Cybereason Nocturnus team has been tracking the LockBit ransomware since it first emerged in September 2019 as a ransomware-as-a-service (RaaS). Following the rise of the new LockBit2.0 and the latest events, including the attack against the global IT company Accenture, we wanted to provide more information about the attack and show how the Cybereason Defense Platform protects customers from this threat.

LockBit2.0 Ransomware Key Details:

    • Emerging Threat: In a short amount of time, LockBit2.0 ransomware has caused great damage and made headlines across the world, with over 40 known victims listed on the group's leak website.
    • High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.
    • The fastest encryption on the market: The group claims that both the LockBit2.0 ransomware and the StealBit info-stealer are the fastest on the market, at encrypting files and at stealing them respectively.
    • Uses Group Policy update to encrypt the network: LockBit2.0 is the first ransomware to automate the process of executing the ransomware across an entire domain with a single command.
    • Possibly triple extortion: The group claims to be attacking Accenture, one of its victims, with daily DDoS attacks.
    • Detected and Prevented: The Cybereason Defense Platform fully detects and prevents the LockBit2.0 ransomware.


Cybereason Blocks LockBit2.0 Ransomware

In August 2021, the group published on their website that they had breached the IT services company Accenture, threatening to publish its sensitive information and stolen data.

[Figure: LockBit2.0 leaked data website]

After a few days without publishing the data stolen from Accenture, and after extending their countdown multiple times, the group added the sentence “Dudos every day” to Accenture’s entry, which might imply that they are conducting DDoS activity against Accenture to push them into paying the ransom. This tactic is not unique: several ransomware groups have adopted the triple extortion trend, since apparently double extortion is sometimes not enough for them.

The LockBit group is suspected to be operated by Russian speakers. In the past, the group was recruiting affiliates in Russian hacking forums but since many hacking forums started to ban ransomware-related threads, the group started recruiting directly on their website. Similar to other Russian-based threat actors, they avoid targeting any victims in former Soviet states.

According to the LockBit group, LockBit2.0 is “the fastest encryption software all over the world,” and they are even sharing a test sample on their website, so everyone who “has any doubts” can check their claim: 

[Figure: Encryption speed comparative table as shown in the LockBit2.0 blog]

[Figure: The ransomware test sample as shown in the LockBit2.0 blog]

According to the group’s website, the new version of LockBit2.0 contains major improvements and the addition of new features. Among the new features are a port scanner, the use of Wake-on-LAN to switch on powered-off machines, printing the ransom note on network printers, and automatic distribution across the domain, which puts both large corporations and small businesses in great danger:

[Figure: List of features as shown in the LockBit2.0 blog]

Like other ransomware families that have emerged over the years, the LockBit group follows the growing trend of double extortion (and sometimes even triple extortion, as mentioned above). They steal sensitive files and information from their victims, potentially using another tool from their arsenal called StealBit, and later use the data to extort the victims by threatening to publish it unless the ransom is paid:

[Figure: Introducing StealBit in the LockBit2.0 blog]

Breaking Down the LockBit Ransomware Attack:

LockBit2.0 Ransomware Infection Vector

Since LockBit mostly relies on affiliates to carry out the operations, different infection vectors have been observed being used to infiltrate a network and install the ransomware. The most commonly seen method is buying Remote Desktop Protocol (RDP) access to servers, but some affiliates also use typical phishing attacks to launch their operations.

Another interesting approach the LockBit group uses is trying to gain access to corporate networks by recruiting employees who can grant them insider access. They offer “millions of dollars” to corporate insiders who provide access to networks where they have an account. Since the message is displayed after the network has already been breached, it is most likely targeting external IT/IR consultants who may see the message while responding to the attack, or other people reading about it:

[Figure: Part of the message targeting corporate insiders]

LockBit2.0 Ransomware Data Exfiltrator

Once the ransomware operator or affiliate makes their way into a network, they begin to collect sensitive information and files and exfiltrate them. One tool used for this purpose, which is also offered to affiliates by the LockBit group, is a stealer they named “StealBit”. According to the group, it is the fastest stealer in the world and it automatically uploads all the stolen files to the LockBit blog:

PDB found: E:\work\proj\file_sender\x64\file_sender.pdb

First, the stealer collects information about the environment, such as machine name, username, OS version, available disk space, and physical and virtual memory status. It then enumerates the logical drives available on the victim's computer, recursively walks the files on them, collects Office documents and PDF files, encrypts them, and sends them to the server with an HTTP POST request to “uploadFile.php”:

[Figure: Wireshark packet showing the communication with the C2 - 1]

Each file is added with information such as the file size, original file name and machine name:

[Figure: Wireshark packet showing the communication with the C2 - 2]

After exfiltrating the files, the stealer runs a PowerShell command that kills the malware's process and then deletes the malware file from the filesystem:

[Figure: StealBit as shown in the Cybereason Defense Platform]
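The exfiltration traffic described above has a recognisable shape on the wire: a burst of HTTP POST requests carrying whole documents to an endpoint named uploadFile.php. The following is an added detection example, not Cybereason's code or StealBit's. It runs over a constructed, simplified proxy log ("timestamp client method url status bytes"); the only values taken from this report are the four StealBit C2 addresses from the IOC table and the uploadFile.php path. The request-count and byte thresholds are assumptions chosen for the example.

```python
"""Flag hosts whose HTTP traffic matches the StealBit upload pattern.

Added example. Log format is a constructed, simplified proxy log:
"<timestamp> <client> <method> <url> <status> <bytes_sent>".
C2 addresses come from the report's IOC table; thresholds are assumed.
"""
from collections import defaultdict
from urllib.parse import urlparse

# StealBit C2 addresses published in the report (de-fanged there).
STEALBIT_C2 = {"51.161.82.135", "167.172.170.139", "51.81.153.212", "51.77.110.6"}
# Upload endpoint name seen in the packet captures above.
UPLOAD_PATH = "uploadfile.php"
# Assumed thresholds for a "burst of large uploads" from one client.
MIN_POSTS = 3
MIN_BYTES = 1_000_000

# Constructed sample log: one host uploading to a known C2, one benign
# internal upload, and one host merely touching a C2 address.
SAMPLE_LOG = """\
2021-08-18T10:01:02Z 10.0.0.15 GET http://intranet.example.local/index.html 200 5120
2021-08-18T10:01:05Z 10.0.0.15 POST http://51.161.82.135/uploadFile.php 200 734003
2021-08-18T10:01:06Z 10.0.0.15 POST http://51.161.82.135/uploadFile.php 200 912110
2021-08-18T10:01:07Z 10.0.0.15 POST http://51.161.82.135/uploadFile.php 200 1203370
2021-08-18T10:01:09Z 10.0.0.15 POST http://51.161.82.135/uploadFile.php 200 88210
2021-08-18T10:02:00Z 10.0.0.22 POST http://files.example.local/uploadFile.php 200 4000
2021-08-18T10:03:00Z 10.0.0.31 GET http://51.77.110.6/ 200 300
"""


def parse_line(line):
    """Split one proxy-log line into a record dict."""
    ts, client, method, url, status, nbytes = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(nbytes)}


def analyse(log_text):
    """Return {client: finding} for clients showing StealBit-like activity.

    Two independent signals are combined: contact with a known C2 address
    (high confidence, IOC match) and a burst of large POSTs to an
    uploadFile.php endpoint (behavioural, survives a change of C2 address).
    """
    stats = defaultdict(lambda: {"posts": 0, "bytes": 0, "reasons": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        url = urlparse(rec["url"])
        entry = stats[rec["client"]]
        if (url.hostname or "") in STEALBIT_C2:
            entry["reasons"].add("known StealBit C2 address")
        if rec["method"] == "POST" and url.path.lower().endswith(UPLOAD_PATH):
            entry["posts"] += 1
            entry["bytes"] += rec["bytes"]

    findings = {}
    for client, e in stats.items():
        if e["posts"] >= MIN_POSTS and e["bytes"] >= MIN_BYTES:
            e["reasons"].add("burst of large POSTs to uploadFile.php")
        if e["reasons"]:
            findings[client] = {"posts": e["posts"], "bytes": e["bytes"],
                                "reasons": sorted(e["reasons"])}
    return findings


if __name__ == "__main__":
    for client, finding in analyse(SAMPLE_LOG).items():
        print(client, finding)
```

The behavioural rule is the one worth keeping: affiliates can change C2 addresses far more easily than they can change the stealer's upload routine, so an IOC-only match ages quickly while the "many large POSTs to a file-upload script" pattern does not.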

LockBit2.0 Ransomware Spreading in the Network

LockBit2.0 tries to spread via shared folders: it copies its binary to remote machines and then executes it. In addition, the group mentions on their website that they provide affiliates with a port scanner that can detect all DFS, SMB and WebDAV shares, which suggests other ways of spreading within the network.

LockBit2.0 Ransomware Uses Group Policy Update to Encrypt Network

When executed on the Domain Controller, the ransomware has the ability to spread in the network using GPO. 

First, the ransomware queries Active Directory to build the list of machines to which it will attempt to spread, using LDAP queries for objects matching objectCategory=computer. Then it creates several new group policies on the domain controller, which are pushed out to every device in the domain using the following PowerShell command (the '%s' is a format placeholder that the binary fills in at runtime with the search base):

PowerShell.exe -command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"

[Figure: LockBit2.0 execution as shown in the Cybereason Defense Platform]

[Figure: Windows Event log showing the creation of a new group policy object]

One policy was created for disabling Microsoft Defender's real-time protection, alerts, submitting samples to Microsoft, and default actions when detecting malicious files:

[Figure: Strings from memory - disabling Windows Defender]

Another group policy was created for the purpose of spreading the ransomware binary and creating persistence on the remote machines to execute it via scheduled task:

[Figure: Strings from memory - creation of a scheduled task named “DisplayClibrator”]
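The GPO-based spreading chain above leaves a tight sequence of Windows Security-log events: new groupPolicyContainer objects on the domain controller (Event ID 5137), a PowerShell process whose command line forces a domain-wide gpupdate (Event ID 4688 with command-line auditing enabled), and, shortly afterwards on member hosts, a new scheduled task (Event ID 4698) and Defender policy registry values being set (Event ID 4657). The following correlation is an added example, not Cybereason's code. The event records are constructed, flattened stand-ins with this example's own field names; the command-line fragments and the task name are taken from the report, while the specific Defender policy values and the ten-minute correlation window are assumptions.

```python
"""Correlate the GPO-based spread chain over Windows Security-log records.

Added example. Event IDs: 4688 process creation, 5137 directory service
object created, 5137/4698 scheduled task created, 4657 registry value
modified. Records are constructed stand-ins; field names are this
example's, not the Windows XML element names.
"""
from datetime import datetime, timedelta

# Fragments of the spread command quoted in the report, lower-cased.
GPUPDATE_MARKERS = ("get-adcomputer", "invoke-gpupdate", "-randomdelayinminutes 0")
# Scheduled task name as captioned in the report's memory-strings figure.
REPORTED_TASK_NAME = "DisplayClibrator"
# Documented Defender policy values that turn protection off. Which exact
# values LockBit's GPO sets is an assumption beyond the report's wording.
DEFENDER_KILL_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring": 1,
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent": 2,
}
WINDOW = timedelta(minutes=10)  # assumed correlation window

_RT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"
# Constructed sample: two GPOs created, the push command, one infected
# workstation (WS07), plus benign noise (user creation, manual gpupdate,
# an unrelated task, a host re-enabling real-time protection).
SAMPLE_EVENTS = [
    {"time": "2021-08-18T11:00:00", "host": "DC01", "id": 5137, "object_class": "groupPolicyContainer",
     "object_dn": "CN={GUID-1},CN=Policies,CN=System,DC=example,DC=local"},
    {"time": "2021-08-18T11:00:01", "host": "DC01", "id": 5137, "object_class": "groupPolicyContainer",
     "object_dn": "CN={GUID-2},CN=Policies,CN=System,DC=example,DC=local"},
    {"time": "2021-08-18T11:00:05", "host": "DC01", "id": 5137, "object_class": "user",
     "object_dn": "CN=jsmith,CN=Users,DC=example,DC=local"},
    {"time": "2021-08-18T11:00:30", "host": "DC01", "id": 4688, "command_line":
     "PowerShell.exe -command \"Get-ADComputer -filter * -Searchbase 'DC=example,DC=local' | "
     "foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}\""},
    {"time": "2021-08-18T11:00:40", "host": "DC01", "id": 4688, "command_line": "gpupdate /force"},
    {"time": "2021-08-18T11:02:10", "host": "WS07", "id": 4698, "task_name": "DisplayClibrator"},
    {"time": "2021-08-18T11:02:15", "host": "WS07", "id": 4657, "value_path": _RT, "new_value": 1},
    {"time": "2021-08-18T10:30:00", "host": "WS09", "id": 4698, "task_name": "OneDrive Standalone Update Task"},
    {"time": "2021-08-18T11:02:20", "host": "WS09", "id": 4657, "value_path": _RT, "new_value": 0},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def _within(later, earlier):
    return timedelta(0) <= _t(later) - _t(earlier) <= WINDOW


def correlate(events):
    """Return the stages of the chain found in `events` and a chain verdict.

    The verdict requires a GPO creation followed, on the same host and
    inside WINDOW, by the forced domain-wide gpupdate; tasks and Defender
    changes on members are reported as supporting evidence.
    """
    gpo_creates = [e for e in events if e["id"] == 5137
                   and e.get("object_class") == "groupPolicyContainer"]
    pushes = [e for e in events if e["id"] == 4688
              and all(m in e.get("command_line", "").lower() for m in GPUPDATE_MARKERS)]
    chain = [(g["object_dn"], p["host"]) for g in gpo_creates for p in pushes
             if g["host"] == p["host"] and _within(p, g)]
    tasks = [e for e in events if e["id"] == 4698 and (
        e.get("task_name") == REPORTED_TASK_NAME or any(_within(e, p) for p in pushes))]
    defender = [e for e in events if e["id"] == 4657
                and DEFENDER_KILL_VALUES.get(e.get("value_path")) == e.get("new_value")]
    return {
        "gpo_created": [g["object_dn"] for g in gpo_creates],
        "pushes": [p["host"] for p in pushes],
        "chain_detected": bool(chain),
        "tasks": [(e["host"], e["task_name"]) for e in tasks],
        "defender_disabled_on": sorted({e["host"] for e in defender}),
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

In a real deployment the 5137 records come from the domain controllers (they require "Audit Directory Service Changes" and a SACL on the Policies container) while 4698 and 4657 come from every member host, so the correlation has to run on a central log collector rather than on any single machine.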

LockBit2.0 Ransomware Print Bombing Network Printers

After LockBit has finished the encryption process, it print-bombs the ransom note: it repeatedly prints the note to every connected network printer to get the victim's attention. This feature was previously used by the Egregor ransomware, which caused ransom notes to shoot out of receipt printers:

[Figure: Printed ransom notes. Source: BleepingComputer]

LockBit2.0 Ransomware Encrypting the Files and Leaving the Ransom Note

Once the files are encrypted, the ransomware drops the ransom note “Restore-My-Files.txt” in every folder, making sure it is noticeable to the victim. In addition, the icons of the encrypted files are replaced with LockBit's icon and the extensions .lock and .lockbit are appended to them:

[Figure: Files encrypted by LockBit2.0]

To make sure the end user does not miss the message, LockBit also starts a process that displays this message:

[Figure: Pop-up message opened by LockBit2.0]

If, by any chance, the end user didn’t see the pop-up message, the new files icons, the ransom notes, or the printed ransom notes, LockBit also changes the desktop background:

[Figure: Desktop background changed by LockBit2.0]
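When triaging a host, the on-disk artifacts just described (the Restore-My-Files.txt notes and the .lock/.lockbit extensions) are the quickest things to sweep for, but an extension alone only proves a rename; checking that the renamed files are actually high-entropy separates real encryption from a half-finished run or a decoy. The following sweep is an added example, not Cybereason's code. It builds a constructed sample tree under a temporary directory (a deterministic byte pattern stands in for ciphertext), and the 7.0 bits-per-byte entropy threshold is an assumption chosen for the example.

```python
"""Sweep a directory tree for LockBit2.0 on-disk artifacts.

Added example. Looks for Restore-My-Files.txt notes and .lock/.lockbit
files, then measures the entropy of each renamed file so that genuinely
encrypted files are separated from files that were merely renamed.
Sample tree is constructed; the entropy threshold is assumed.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "Restore-My-Files.txt"
ENCRYPTED_EXTS = (".lock", ".lockbit")
ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cut-off, ciphertext sits near 8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is measured


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in counts.values()))


def sweep(root):
    """Walk `root` and classify what is found.

    Returns relative paths (forward slashes) so results are comparable
    across machines; each encrypted/renamed entry carries its entropy.
    """
    notes, encrypted, renamed_only = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == RANSOM_NOTE:
                notes.append(rel)
            elif name.lower().endswith(ENCRYPTED_EXTS):
                with open(path, "rb") as fh:
                    ent = round(shannon_entropy(fh.read(SAMPLE_BYTES)), 2)
                (encrypted if ent >= ENTROPY_THRESHOLD else renamed_only).append((rel, ent))
    if notes and encrypted:
        verdict = "lockbit-artifacts"
    elif notes or encrypted or renamed_only:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"notes": sorted(notes), "encrypted": sorted(encrypted),
            "renamed_only": sorted(renamed_only), "verdict": verdict}


def build_sample_tree(root):
    """Constructed sample: notes in two folders, one 'encrypted' file
    (every byte value equally often, entropy exactly 8.0), one file that
    was only renamed, and one untouched document."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    ciphertext_stand_in = bytes(range(256)) * 16
    with open(os.path.join(root, RANSOM_NOTE), "w") as fh:
        fh.write("All your files are encrypted\n")
    with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
        fh.write("All your files are encrypted\n")
    with open(os.path.join(docs, "report.docx.lockbit"), "wb") as fh:
        fh.write(ciphertext_stand_in)
    with open(os.path.join(root, "notes.txt.lockbit"), "wb") as fh:
        fh.write(b"A" * 4096)
    with open(os.path.join(docs, "budget.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04 constructed placeholder")


def demo():
    """Build the sample tree in a temp dir and sweep it."""
    root = tempfile.mkdtemp(prefix="lockbit-sweep-")
    build_sample_tree(root)
    return sweep(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the sweep across file shares from a clean host, rather than on the infected machine, also gives a first estimate of how far the GPO-driven spread got before it was stopped.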

Finally, like most ransomware gangs these days, LockBit sets a deadline for the victim to pay the ransom, and if the deadline passes without payment, they leak the victim's data on their website.

Cybereason Detects and Prevents LockBit2.0 Ransomware

The Cybereason Defense Platform is able to prevent the execution of LockBit2.0 ransomware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, the platform's behavioral detection techniques detect and prevent attempts to encrypt files and generate a MalOp™ for them:

[Figure: Ransomware MalOp triggered by the malicious activity]

Using the Anti-Malware feature with the right configuration (listed in the recommendations below), the Cybereason Defense Platform will also detect and prevent the execution of the ransomware, ensuring that it cannot encrypt the targeted files. The prevention is based on machine learning, which blocks both known and unknown hashes:

[Figure: User notification blocking the execution of the ransomware on the endpoint]

Security Recommendations

    • Enable the Anti-Ransomware Feature on Cybereason NGAV: Set the Cybereason Anti-Ransomware protection mode to Prevent.
    • Enable the Anti-Malware Feature on Cybereason NGAV: Set the Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate or above.
    • Keep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities.
    • Regularly Back Up Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data.
    • Use Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering.

INDICATORS OF COMPROMISE

The LockBit2.0 ransomware IOCs are listed in the Indicators of Compromise table at the end of this report.

MITRE ATT&CK TECHNIQUES

Initial Access
    • Phishing
    • Valid Accounts

Lateral Movement
    • Taint Shared Content
    • Lateral Tool Transfer

Persistence
    • Scheduled Task/Job
    • Boot or Logon Autostart Execution

Defense Evasion
    • Deobfuscate/Decode Files or Information
    • Masquerading
    • Domain Policy Modification

Discovery
    • Account Discovery
    • Application Window Discovery
    • File and Directory Discovery
    • Process Discovery
    • System Information Discovery

Command and Control
    • Commonly Used Port
    • Remote File Copy
    • Standard Application Layer Protocol
    • Standard Cryptographic Protocol
    • Standard Non-Application Layer Protocol

Impact
    • Data Encrypted for Impact
    • System Shutdown/Reboot


Author: LIOR ROCHBERGER, SENIOR THREAT RESEARCHER AND THREAT HUNTER, CYBEREASON

As part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Racoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.

Indicators of Compromise

SHA256 - LockBit2.0
    16a707a3965ebd71ebc831b68863b855b2c8d60aef8efdef1e0c0a6cc28e9bc7
    e32dc551a721b43da44a068f38928d3e363435ce0e4d2e0479c0dfdb27563c82
    0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d
    92ec3373b528e0040fae1c34b6edc8d623d03eac84267bd3ed408fe547b9c944
    9dd6cc25b2f920b825e15682a4d06435a42b281674ba6e99c8e2b2222c9d638f
    56fd91787c641c2329a86813497d0e6ff219c81a4d61ac10fedef9cd68c3baed
    b583058e06ecee9905c3fb73b44feb6ef0ce66dead14620b8a7682067df2c8bc
    4edbf2358a9820e030136dc76126c20cc38159df0d8d7b13d30b1c9351e8b277
    6d26226f99724c18faf355a4e07b74bad72f5837e0de8c8361f7d9a18525b5ae
    98900768d564c6962981edde2759889fdda11bb1113c851468e5c40ddafe1d4d
    36446a57a54aba2517efca37eedd77c89dfc06e056369eac32397e8679660ff7
    34e6f4317e223d712a9464cd2e6ba9e6d7915eac75a8c06648813ea1d7a80b80
    a7591e4a248c04547579f014c94d7d30aa16a01bb2a25b77df36e30a198df108
    4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd
    f2d0e13a6ec546f169d45ad5b62ced1bcc3a4e01ae6dc3666239defc959e2baa
    717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474
    bcbb1e388759eea5c1fbb4f35c29b6f66f3f4ca4c715bab35c8fc56dcf3fa621
    0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049
    acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c

SHA256 - StealBit
    5c268313821c3e851f500e5dea135cce0670f1f2efe4466394d7dcdaeb321aa8
    7c7317c7f036c00d4c55d00ba36cb2a58a39a72fe24a4b8d11f42f81b062f80b
    8ea24457df1459297503237411594b734794ee0d2654b22c66d3a976e2e6ff4f
    0d7358a3c04d860883da564d51c983e262d5b3057da29a3804d5e8f67644e02e
    8cfd554a936bd156c4ea29dfd54640d8f870b1ae7738c95ee258408eef0ab9e6
    a7cf0f72bb6f1e0a61fbf39e3a3a36db6540250caeef35b47fb51a8959f40984
    dcc4ac1302ac5693875c4a4b193242cbb441b77cd918569c43fe318bcf64fe3d

IP - StealBit C2
    51.161.82[.]135
    167.172.170[.]139
    51.81.153[.]212
    51.77.110[.]6

Onion - LockBit leak website
    http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion

About the Author

Cybereason Nocturnus

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.