The Cybereason Global Security Operations Center (GSOC) Team issues Cybereason Threat Analysis Reports to inform on impacting threats. The Threat Analysis Reports investigate these threats and provide practical recommendations for protecting against them.
In this Threat Analysis report, Cybereason GSOC team analysts have analyzed two different cases that involved LockBit infections, occurring at two very different time periods. Following this introduction, we describe in detail the attack chain from the initial infection to the ransomware deployment.
In September 2019, a new version of a worm-like ransomware was reported. This ransomware was known as LockBit. Since then, a new variant of LockBit has been discovered, dubbed LockBit 2.0.
LockBit 2.0 is very efficient and can spread quickly within a target network. It also operates in a Ransomware-as-a-Service (RaaS) model, which has become an increasingly popular business model for ransomware operators in the past few years, helping ransomware groups expand their reach and revenue while scaling up, without considerably growing their core team or expenses.
RaaS is a subscription-based model that enables affiliates to use existing ransomware tools and infrastructure in order to execute ransomware attacks. LockBit 2.0 incentivizes affiliates by paying them a percentage of each successful ransom payment in return for using its tools to compromise entire networks and systems.
Similar to other ransomware operations, LockBit 2.0 publishes the files stolen from its victims on a public leak site, where they are available to everyone on the internet:
We have observed many different ransomware attacks, whose number has increased massively over the past months. LockBit is one of the dominant ones and is, in fact, a highly sophisticated form of ransomware (see also: White Paper - Inside Complex RansomOps and the Ransomware Economy). The business sectors of current potential LockBit 2.0 victims range from IT services, to financial institutions, to other large organizations.
After the attackers have covered their tracks and tampered with Windows security features, deleting backups and disabling recovery features to eliminate the possibility of restoring the encrypted data, they proceed to encrypt the files on the affected machines.
After the encryption, the user receives a ransom note informing them that their files have been encrypted and providing instructions on how to decrypt them by paying the ransom:
The high demand for LockBit’s services and its effective affiliate program make it a growing threat that should not be overlooked.
Cybereason successfully detects LockBit’s operation and is able to facilitate the scoping of the threat, its magnitude and spread, and thus helps impacted organizations act in time to stop the attack from infecting more systems and crucial assets.
This case study describes how LockBit affiliates penetrated a network in Q4 2021 and worked their way through it to encrypt the assets of the victim, a company in the industrial sector.
The affiliates working with LockBit use their own malware and tools to launch the actual attacks on their targets. In most of the infections we have encountered, the infection vector that led to the delivery of LockBit was a misconfigured service, particularly a publicly exposed RDP port.
In other cases, affiliates use a more traditional phishing email that allows them to remotely connect to a network via an employee’s computer, or utilize malicious attachments, downloads, application patch exploits or vulnerabilities to gain access to a network.
Once the attacker established an initial foothold on the compromised network (machine), their next step was to start the reconnaissance activity and credentials extraction.
In this case, the attackers used tools such as Mimikatz and Netscan, a powerful network monitoring system that is used to identify the network’s structure and valuable assets on the network. Both of these tools were used to assist lateral movement throughout the network:
As can be seen in the image below, the attacker also used taskmgr.exe (Windows Task Manager) to create a memory dump of lsass.exe (Microsoft Local Security Authority Subsystem Service) to extract the user’s credentials:
To achieve more stealth and gain elevated privileges, the attackers also attempted to exploit the SpoolFool vulnerability (CVE-2022-21999), which was first reported in February 2022. This vulnerability allows an unprivileged user to create arbitrary and writable directories by configuring the SpoolDirectory attribute on a printer.
Since an unprivileged user is allowed to add remote printers, an attacker can create a remote printer and grant everyone the right to manage this printer. Eventually, this is further used to perform tasks such as injecting malicious modules:
The attacker used PsExec to execute commands and other malicious executables and files on different machines on the network.
PsExec is a portable tool from Microsoft that lets you run processes remotely using any user's credentials. It’s similar to a remote access program but instead of controlling the computer with a mouse, commands are sent via the Command Prompt.
PsExec may be used by the attacker not only to manage processes on the remote computer, but also to redirect an application’s console output to the attacker’s computer, making it appear as though the process is running locally.
As can be seen in the image below, the attacker used PsExec to remotely execute files and tools on the affected machines, such as:
These commands were used to enable RDP connections and tamper with the Windows Defender settings. These actions were taken in order to allow the attacker to remotely connect to the machines via compromised credentials and view, transfer or manipulate every file on the user’s system.
To enable RDP connections, the attackers used the aforementioned scripts, which set the following registry value to zero, a setting that enables Remote Desktop connections:
The attackers also used a Netsh command to add a rule to the Windows Firewall exceptions list, allowing the use of RDP on local port 3389:
In addition, as part of the executed scripts’ activity, PowerShell was observed executing the command “-Command Add-MpPreference -ExclusionPath *C:\\”, which altered the Windows Defender settings by adding every file located under the C: drive to the Windows Defender exclusion list, meaning that nothing located under this directory is monitored by Windows Defender.
This gave the attackers a “free hand” to operate and execute any file they desired without interference or prevention:
For the attack to execute effectively, attackers conduct preliminary actions. Once executed, LockBit deletes important records, backups, and data from the infected host in order to prevent forensics and recovery attempts of the encrypted data:
The attacker used wevtutil, a built-in Windows command-line tool for querying and managing event logs. The commands in the image below were used by the attackers to clear logs that contain records of login/logout activities or other security-related events specified by the system’s audit policy and applications.
The attackers executed this program in order to hide their tracks and avoid future forensics on the host:
Another method of deleting footprints we spotted was the attacker using the ping command as a delay mechanism, allowing the ransomware process to terminate; the File System utility (fsutil.exe) is then used to prevent the malicious executable from being recovered, by overwriting its first 524KB with zeros:
Besides the use of wevtutil, the attackers also destroyed recovery methods with the help of the tools bcdedit.exe, wmic.exe, and vssadmin.exe.
BCDEdit is a command-line tool for managing the Boot Configuration Data. In this case, BCDEdit was used to ensure that system boot failures are ignored and the recovery boot option disabled. This is also a method to make it harder for the user to retrieve their data:
The Volume Shadow Copy Service is an administrative tool that provides the framework for doing volume backups and for creating consistent, point-in-time copies of data (known as shadow copies).
The attacker used both vssadmin.exe and the Windows Management Instrumentation utility (wmic.exe) to delete the system’s shadow copies, making it impossible for the user to restore to the latest restore point or use any of the backups:
As part of the attack, on some of the affected systems the attackers used legitimate tools such as “Defender Control”, a small portable freeware utility that disables Windows Defender in Windows 10.
This is an easy yet effective method of disabling Windows native security features:
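The defense evasion and recovery inhibition steps described in this case study (RDP enabled through the registry, a firewall rule for port 3389, the Defender exclusion, event log clearing, the bcdedit, vssadmin/wmic and fsutil commands) all leave process command lines behind. As an added example that is not part of the report, the following Python detection logic classifies such command lines; the sample events are constructed, and the command forms are the commonly documented ones rather than the exact lines captured in the report’s images.

```python
import re

# One rule per behaviour from the first case study. Each regex is matched against the
# lower-cased command line; the command forms are the commonly documented ones (assumed).
RULES = [
    ("rdp_enabled_via_registry",
     re.compile(r"reg(?:\.exe)?\s+add\b.*terminal server.*fdenytsconnections.*/d\s*0\b")),
    ("firewall_rule_for_rdp",
     re.compile(r"netsh\b.*firewall\b.*add\b.*(?:local)?port=3389\b")),
    ("defender_exclusion_added",
     re.compile(r"add-mppreference\b.*-exclusionpath\b")),
    ("event_log_cleared",
     re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b")),
    ("boot_recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?\b.*(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b")),
    ("shadow_copies_deleted",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete")),
    ("file_zeroed_before_delete",
     re.compile(r"fsutil(?:\.exe)?\s+file\s+setzerodata\b")),
]


def classify(command_line):
    """Return the labels of every rule the command line triggers (empty list if none)."""
    cl = command_line.lower()
    return [label for label, rx in RULES if rx.search(cl)]


def triage(events):
    """events: iterable of (host, user, command_line). Returns {host: sorted labels}
    for hosts with at least one hit, so a host accumulating several labels stands out."""
    hits = {}
    for host, _user, cmd in events:
        for label in classify(cmd):
            hits.setdefault(host, set()).add(label)
    return {host: sorted(labels) for host, labels in hits.items()}


# Constructed sample process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    ("srv01", "corp\\svc_backup", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("srv01", "corp\\svc_backup", 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'),
    ("srv01", "corp\\svc_backup", r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\"'),
    ("srv02", "corp\\admin", "vssadmin.exe delete shadows /all /quiet"),
    ("srv02", "corp\\admin", "bcdedit /set {default} recoveryenabled no"),
    ("srv02", "corp\\admin", "wevtutil cl security"),
    ("srv02", "corp\\admin", r"fsutil file setZeroData offset=0 length=524288 C:\Temp\payload.exe"),
    ("ws07", "corp\\jdoe", "ping 127.0.0.1 -n 5"),  # harmless on its own
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(labels))
```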
This case study describes how LockBit affiliates penetrated a network in Q2 2022 and worked their way through to encrypt the assets of the victim, a company in the retail industry.
The first activity captured in this case study involves the PsExec utility by SysInternals. The threat actor laterally moved from “patient zero” to another server through the PsExec tool:
This allowed the threat actors to progress their intrusion by infecting more machines. Through the attack chain, the threat actors continuously leveraged PsExec.exe and mstsc.exe to pivot from one server to others using the following command:
The threat actors used net.exe to create a domain account and elevate its privileges to “domain administrator” through the following commands:
This implied that the attacker already had high privileges on the Active Directory domain of the victim:
The threat actor then used this account to persist and spread on the victim’s network.
The threat actor launched the following commands on 11 machines (10 servers, 1 workstation):
The binary named “lssas.exe” is masquerading as “lsass.exe” (Windows process in charge of handling authentication on the system) but is in fact the infamous tunneling tool, “Ngrok”:
Ngrok is a legitimate reverse proxy tool that can create a tunnel to servers located behind firewalls. It can also tunnel traffic to local machines that do not have a public IP. Ngrok has been used by threat actors in many campaigns and is particularly known for its use in lateral movement and data exfiltration.
Executing Ngrok gave the attackers the ability to access the network remotely, even if the initial infection vector is later patched or removed. The Cybereason GSOC team then observed RDP sessions initiated through this tunnel:
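The “lssas.exe” binary above is a process-name masquerade. As an added example that is not part of the report, the following Python check compares each process image against a short, assumed list of core Windows binaries and their legitimate directories, flagging near-miss names (lssas.exe for lsass.exe), a real stem with a swapped extension (such as the svchost.com of the Neshta infector listed in the IoCs) and a real name running from an unexpected directory; the sample paths are constructed.

```python
import ntpath

# Core Windows binaries that attackers imitate, mapped to the directory they legitimately
# run from (assumed short list; a real deployment would carry the full image inventory).
KNOWN = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_image(image_path, max_distance=2):
    """Classify a process image path. Returns (verdict, imitated_name_or_None):
    ok / wrong_location for a genuine name, lookalike_name for a near miss such as
    lssas.exe, extension_swap for a genuine stem with another extension (svchost.com)."""
    directory, name = ntpath.split(image_path.lower())
    stem, ext = ntpath.splitext(name)
    if name in KNOWN:
        return ("ok", name) if directory == KNOWN[name] else ("wrong_location", name)
    for known in KNOWN:
        known_stem = ntpath.splitext(known)[0]
        if stem == known_stem and ext != ".exe":
            return ("extension_swap", known)
        if levenshtein(stem, known_stem) <= max_distance:
            return ("lookalike_name", known)
    return ("unknown", None)


def scan(image_paths):
    """Return only the suspicious entries from a list of process image paths."""
    return [(p, *check_image(p)) for p in image_paths if check_image(p)[0] not in ("ok", "unknown")]


# Constructed sample of process image paths (not taken from the report).
SAMPLE_IMAGES = [
    r"C:\Windows\System32\lsass.exe",
    r"C:\Users\Public\lssas.exe",          # a tunneling tool renamed to look like lsass.exe
    r"C:\Temp\lsass.exe",                  # right name, wrong directory
    r"C:\Windows\svchost.com",             # Neshta-style extension swap
    r"C:\Program Files\Tool\notepad2.exe",
]

if __name__ == "__main__":
    for path, verdict, imitated in scan(SAMPLE_IMAGES):
        print(f"{verdict:16} {path}  (imitates {imitated})")
```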
The threat actor then proceeded to steal further credentials on the network, in order to extend their access on the network. In this case study, the threat actors interactively used the Windows executable taskmgr.exe to dump the memory of the process lsass.exe:
The attackers then copied the memory dump file back onto the machine they controlled, using remote desktop (RDP) access and the tunnel created earlier. They then used tools such as “Mimikatz” to extract credentials from the dump file.
A day later, as the attack progressed, the threat actors continued their credential collection activity by launching the Windows executable ntdsutil.exe on one of the domain controllers:
This granted the attackers access to the names and password hashes of all Active Directory accounts, enabling them to eventually attempt to recover the plaintext passwords.
Once the LockBit affiliate achieved persistent remote access and sufficient credentials, they proceeded to collect and exfiltrate the data.
The actors used three different tools for that purpose:
First, the threat actor installed and launched the filezilla.exe client using the following command lines:
The Cybereason GSOC team observed the exfiltration activity related to “Filezilla” on six servers. After this exfiltration method was used, the threat actor leveraged Rclone.exe to exfiltrate data again, using the following commands:
This activity is captured below. One can observe that the executable is launched through PsExec and generates unusually high network traffic:
Finally, the threat actor used a third tool to exfiltrate data to Mega[.]co[.]nz cloud hosting servers. The tool used for this is called Megasync.exe. The attackers ran the following commands to exfiltrate the data:
The Cybereason GSOC team only observed the exfiltration activity related to Mega on the company main file server.
At this point, the threat actor had been present on the network for a while and had access to multiple servers and workstations. In order to progress to the next and final phase, data encryption, the attacker needed a list of all the assets of the victim. The actor leveraged the “Advanced IP Scanner” tool in order to identify as many machines as possible.
This tool is meant to actively discover hosts and their hosted services. The attacker launched it from two different servers that are considered as “pivoting” machines for the actor:
The actor also used the provided remote desktop client feature to spawn child mstsc.exe processes that are meant to connect through the remote desktop service or RDP. We have observed a very high number of connections to internal IP addresses.
At approximately the same time, the actor also infected 15 additional machines with the malware “Neshta”. Neshta is a file infector which injects its malicious code into targeted executable files:
As previously reported by the community, some LockBit attacks and other ransomware attacks (REvil/Sodinokibi, for instance) have been found to coincide with existing Neshta infections in the same environment.
We did not find evidence that demonstrates the specific use of Neshta by the attackers, and hence we strongly believe that the tools the attackers used were pre-infected with Neshta:
At this point, the LockBit affiliate had completed all the necessary steps to execute the LockBit payload and commence encryption:
This section describes the “Defense Evasion” and “Impact” phases (according to the MITRE ATT&CK Tactic classification).
Approximately four hours before the global deployment of the LockBit ransomware, the attacker bypassed existing security features and also deleted evidence in order to complicate investigation and forensics attempts.
First, the threat actor attempted to disable the Cybereason sensors directly from the impacted machine. For that purpose, they used the two following commands:
Both attempts failed in the context of the victim. The threat actor then attempted to disable EPP/AV products on the different machines. Bitdefender was first targeted through the attempt to disable BitDefender mini-filter with the command:
A few minutes before launching the ransomware, the attacker also launched “defendercontrol.exe” on 14 servers. As stated in the previous case study, Defender Control is used to disable Microsoft Defender:
In addition to the use of “defendercontrol.exe”, the attacker launched the following commands, which were started from a service created by the attacker, named “TrustedInstaller”:
In order to execute all the activities related to “Defense Evasion”, the actor used a batch script to automate the execution:
The threat actor launched the LockBit ransomware executable, using three different methods for this purpose:
The GPO created scheduled tasks that:
The ransomware executed on the victim machines was “LockBit 2.0”. It was configured to automatically spread to all configured targets and thus created internal network connections:
It also spawned multiple child processes including:
The LockBit ransomware launched cmd.exe, which created different child processes in order to prepare the machine for encryption. The following commands were issued by the executable:
This activity is exactly the same as the one documented in the first case study, which can be referred to for more information.
The system events deletion phase happened approximately at the same time as the launch of the ransomware.
Compared to the log deletion attempts documented in the first case study, this shows an enhancement: many event sources are targeted, instead of just the “Security”, “System” and “Application” Windows event logs:
The command “Wevtutil CL [Event source]” is used to clear local Windows event logs.
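To tell the selective clearing of the first case study apart from the mass clearing seen here, an added Python example (not from the report) groups wevtutil clear-log commands per host into time-bounded bursts and counts the distinct event channels each burst covers; the events are constructed, and the ten-minute window and three-channel threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "wevtutil cl <channel>" / "wevtutil clear-log <channel>", quoted or not.
CLEAR_RX = re.compile(r'wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+"?([^"\s]+)"?', re.IGNORECASE)


def parse_clear(command_line):
    """Return the cleared channel name (lower-cased), or None if this is not a clear."""
    m = CLEAR_RX.search(command_line)
    return m.group(1).lower() if m else None


def summarize(events, window=timedelta(minutes=10), mass_threshold=3):
    """events: iterable of (ISO timestamp, host, command_line).
    Groups clear-log commands per host into bursts (a burst ends when an event falls more
    than `window` after the burst start) and labels a burst covering more than
    `mass_threshold` distinct channels as mass clearing (assumed threshold)."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        channel = parse_clear(cmd)
        if channel:
            per_host[host].append((datetime.fromisoformat(ts), channel))
    findings = {}
    for host, items in per_host.items():
        items.sort()
        bursts, current = [], []
        for when, channel in items:
            if current and when - current[0][0] > window:
                bursts.append(current)
                current = []
            current.append((when, channel))
        bursts.append(current)
        for burst in bursts:
            channels = sorted({ch for _, ch in burst})
            findings.setdefault(host, []).append({
                "start": burst[0][0].isoformat(),
                "channels": channels,
                "verdict": "mass_clearing" if len(channels) > mass_threshold else "selective_clearing"})
    return findings


# Constructed process-creation events (not taken from the report).
SAMPLE_EVENTS = [
    ("2022-06-01T10:00:00", "srv01", "wevtutil cl security"),
    ("2022-06-01T10:00:01", "srv01", "wevtutil cl system"),
    ("2022-06-01T10:00:02", "srv01", "wevtutil.exe cl application"),
    ("2022-06-01T12:30:00", "srv02", "wevtutil cl Security"),
    ("2022-06-01T12:30:01", "srv02", "wevtutil cl System"),
    ("2022-06-01T12:30:02", "srv02", "wevtutil cl Application"),
    ("2022-06-01T12:30:03", "srv02", 'wevtutil cl "Microsoft-Windows-PowerShell/Operational"'),
    ("2022-06-01T12:30:04", "srv02", "wevtutil cl Microsoft-Windows-Sysmon/Operational"),
    ("2022-06-01T12:30:05", "srv02", "wevtutil cl Microsoft-Windows-TaskScheduler/Operational"),
    ("2022-06-01T12:31:00", "srv03", "wevtutil qe Security /c:5"),  # a query, not a clear
]

if __name__ == "__main__":
    for host, bursts in summarize(SAMPLE_EVENTS).items():
        for b in bursts:
            print(host, b["start"], b["verdict"], len(b["channels"]), "channels")
```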
The infrastructure used by the attacker that was identified in the second case study is heterogeneous, depending on the tool used:
The Cybereason GSOC team analyzed the infrastructure related to this IP address and identified the following key points:
The Cybereason Defense Platform is able to detect and prevent infections with LockBit using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and Next-Gen Antivirus (NGAV) capabilities:
The Cybereason GSOC recommends the following:
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
| Type | Indicator |
| --- | --- |
| Executable: Neshta (svchost.com) | SHA-256: b462d28ae1f49b389d1df0213eafc75daf2ce681db989a363348d7f19379c02b; SHA-1: db6e1a1dbb0e351c44b49db79b8bad3321d673a1 |
| Executable: DefenderControl.exe | SHA-256: ce162d2d3649a13a48510e79ef0046f9a194f9609c5ee0ee340766abe1d1b565 |
| IP address | 185.81.68.180 |
The table below summarizes the activities that are most prevalent across all infections with LockBit that the Cybereason MDR team has observed:

| Initial Access | Credential Access | Privilege Escalation | Lateral Movement | Persistence | Exfiltration | Defense Evasion | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- |
| | OS Credential Dumping: LSASS Memory | Exploitation for Privilege Escalation | Remote Services: Remote Desktop Protocol | | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Impair Defenses: Disable or Modify Tools | |
| | | | | | | Indicator Removal on Host: Clear Windows Event Logs | |
| | | | Remote Services: SMB/Windows Admin Shares | Scheduled Task/Job: Scheduled Task | | Impair Defenses: Disable Windows Event Logging | |
| | | | | Boot or Logon Initialization Scripts: Network Logon Script | | | |