LockBit 2.0 Ransomware Analysis

This image is about LockBit 2.0 ransomware analysis.

1 Executive Summary

1.1 Overview

LockBit 2.0 is a Ransomware as a Service (RaaS), with an Affiliate program in place. Oftentimes, their binaries are cryptographically signed with valid, stolen certificates. LockBit Ransomware have some similarity with Maze Ransomware in UAC bypass techniques but Encryption Routine makes LockBit 2.0 so powerful and fast against other gangs. Recently, we have seen ransomware groups taking more advanced concepts and applying it to their crafts. One of these advanced concepts applied in LockBit is the use of Input/Output Completion Ports (IOCPs).

Main goal of LockBit Ransomware group is, to get the Initial Access (Metasploit Framework, and Cobalt Strike used) on a Domain Admin account by Exploiting Publicly Facing Applications like RDP – “CVE-2019-0708 (BlueKeep)”. Then the Reconnaissance of valuable data and Active Directory environment. LockBit group, then, use this valuable data to take hostage and threaten companies to share this data to public on DarkNet, and try to get paid by blackmailing those companies.

Attackers abuse Active Directory Environment as a spreading function. After obtaining Domain Admin rights, LockBit Ransomware gang execute the Ransomware on every computer inside the Internal Network by using Group Policy feature of Active Directory. This process oftenly performed after deactivating AV/EDR Services via Group Policy.

Attack Cycle of LockBit 2.0 :

2 Technical Analysis

2.1 Target Selection and Spreading

LockBit 2.0 Ransomware is mostly spreading itself with RDP, Phishing Emails and Drive-by Downloads. When Lockbit gang performs a targeted operation, they usually try to exploit public IP address inside target company’s internal network. If Lockbit gang can’t find any vulnerable application on their target network, they go back to collecting information phase, searching for employees of the target company on Linkedin and other platforms and choosing a person with Admin Rights. When they find their target, they start sending Phishing Emails for obtaning Initial Access.

LockBit Ransomware gang usually try to understand the net worth of a company before choosing it as a target. Iif it’s worth attacking, they start to make a targeted operation at that point. In this phase, attackers need collection of data like; “social media accounts of target company’s Network Admin”, “Personnel of the target company who do not have knowledge of cybersecurity”,” email addresses” etc. and all these data can easily be obtained on Linkedin page of the company.

2.2 Deployment and Execution

2.2.1 – Import Address Table (IAT)

It appears that the the PE section names are very normal and the entropy are a medium for the .text and the .rdata sections but not that high, which indicates that most probably this Ransomware sample is not packed; however, some obfuscation techniques were applied for evasion purpose.

Some of the Windows APIs used for malicious purposes:

One of the most noticeable thing in that list is unusual Cryptography functions like; “CrpyGenRandom”. This function is used in the Encryption phase and strictly protected against debugging. We can see functions beginning with Nt, which can signify NTDLL Windows APIs used for Anti Virus evasion purpose.

2.2.2 – Deletion of Shadow Copies

LockBit 2.0 Ransomware uses String Obfuscation techniques and hides Shadow Copies commands against AV/EDR solutions. We are able to decode these hidden Strings inside the malware for further analysis. Which allows us to learn later that LockBit 2.0 Ransomware uses multiple techniques to delete Event Logs and Shadow Copies. In the first execution, majority of Ransomware gangs delete victim’s Shadow Copies because they want to ensure that victims will be unable to restore encrypted data with help of Shadow Copies.

Process List of LockBit 2.0 Ransomware on first execution:

(Multiple Windows legit services abused on this process like WMI , bcdedit , mmc and vssadmin.)

This String has been extracted and decoded from inside the Ransomware:

vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

After Decrypting the Commands In Memory with Debugger

2.2.3 – Persistence

Ransomware developers avoid disruption of Encryption Process and ensure that victims data has been Encrypted. To achieve this, they prevent computer shut downs, killing Ransomware in Task Manager or like in the example of LockBit Ransomware; they put the Ransomware binary inside “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01” Registry key.

In that way, if victim users shut down the computer while the Encryption phase was not finished yet, Encryption process begins again when the victim powers on the computer back. When Encryption is finished, LockBit 2.0 Ransomware sample deletes itself for reducing the artifacts it leaves on the infected system. In order to do that, it runs the following command “/C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

Self Deleting can be seen on this debugger

Registry data for Persistence

2.2.4 – Windows User Account Control (UAC) bypass.

LockBit Ransomware uses one of the most known techniques for UAC bypass. User Account Control helps the Windows Users avoid unwanted clicking on suspicious executable files like a mandatory access control system. In order to evade this protection, Ransomware developers use COM objects that are known to be vulnerable to UAC bypassing.

dllhost.exe executions with specific CLSIDs that being vulnerable to UAC evasion

  • DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
  • DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6}
  • DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85}
  • DllHost.exe /Processid:{448AEE3B-DC65-4AF6-BF5F-DCE86D62B6C7}

2.2.5 – Shutdown Prevention

In order to ensure that the Encryption Process didn’t get disrupted even by shutting the system down, LockBit will create a shutdown block reason by calling Windows API ShutdownBlockReasonCreate.

2.2.6 – Anti Debugging

LockBit Ransomware checks the NtGlobalFlag which exists in the Process Environment Block at offset 0x68 to know whether the process is being debugged or not. It performs a test to check the value of the flag, if it equals 0x70 (which means the process is being debugged), the execution will be transferred to a block of code that exists in the process.

LockBit has multiple calls to Sleep with a high number of seconds, this usually being done to avoid being automatically analyzed inside a sandbox, as most of the free sandboxes limit the amount of execution time to a limited number of minutes.

2.2.7 – Privilege Escalation

LockBit Ransomware uses Token Impersonation from the logged on victim user via the physical console by firstly getting the session identifier of the console session by calling WTSGetActiveConsoleSessionId. Then it will pass that sessionId to WTSQueryUserToken to obtain the primary access token of the logged user. If it fails to get the token, it will create the process with the current security context by calling CreateProcessW. However, if it manages to get the user’s access token, it will duplicate the token by calling DuplicateTokenEx. Then it will use the duplicate token to create the new process using CreateProcessAsUserW.

This technique helps attackers to get privilege escalation: if the impersonated user has a higher privilege and evasion of defence: to bypass access controls.

Disassembled LockBit Ransomware show us TokenHandle process

2.3 Evasion Techniques of LockBit 2.0

2.3.1 – String Obfuscation

LockBit has all of its strings encrypted via XOR encryption with a unique key for each String. Each encrypted sequence of bytes will have the first byte as the key. During execution, it loads the encrypted Strings into the stack first, then it runs the decryption loop.

2.3.2 – Impair Defense (Killing Processes)

LockBit 2.0 calls API CreateToolhelp32Snapshot for getting a snapshot of the running processes. Then, it uses Process32First and Process32Next to enumerate the snapshot. For each process, it’ll compare its name against a list of a process, and if it matches it will pass the process handle that it got by calling OpenProcess to TerminateProcess to terminate the process. The list of the processes was also encrypted using XOR.

Process Names After Being Decrypted In Memory

List of services that the LockBit Ransomware tries to stop include anti-virus software (to avoid detection) and backup solution services. Services are stopped because they might lock files on the disk, and might make it more difficult for the ransomware to easily acquire handles to files. That’s why stopping the services improves LockBit’s effectiveness.

Some of the services of note that the ransomware attempts to stop, in the order they are coded into the ransomware, are:

Full Kill List : https://gist.github.com/whichbuffer/c6d6839de5b58a5fa5fad971c07825ab

2.4 Encryption Routines

2.4.1 Utilizing IOCP (Completion I/O ports)

LockBit Ransomware use of Input/Output Completion Ports (IOCPs) for the Encryption phase.

IOCPs are a model for creating a queue to efficient threads to process multiple asynchronous I/O requests. They allow processes to handle many concurrent asynchronous I/O more quickly and efficiently without having to create new threads each time they get an I/O request.

LockBit’s aim was to be much faster than any other multi-threaded Ransomware gangs. The group behind the ransomware claims to have used the following methods to boost the performance of their file encryption:

  • Open files with the FILE_FLAG_NO_BUFFERING flag, write by sector size
  • Transfer work with files to Native API
  • Use asynchronous file I/O
  • Use I/O port completion
  • Pass control to the kernel yourself, google KiFastSystemCall

Once a file is marked for encryption, it does not match entries on the kill list. LockBit routine checks whether the file already has a .lockbit extension. If it does not, it encrypts the file and appends the .lockbit extension to the end of the filename.

CryptGenRandom in use

2.4.2 Generating And Storing the Decryption Keys

LockBit uses two algorithms for the encryption which are RSA and AES.

In the first one, it will generate an RSA session key pair. Then it will encrypt the private key using a hard-coded public key, stores the encrypted key in the SOFTWARE\LockBit\full registry key and the public key will be stored in SOFTWARE\LockBit\Public

RegCreateKeyExA API for create Registry key

LockBit will randomly generate a new AES key for each file. Once it’s being used for encrypting the file, the AES key will be encrypted using the RSA public session key and at the end of the encrypted file.

LockBit registry keys (full and Public) that are related to the victim machine.

Keys storing and querying : full

Public

For generating the random numbers, LockBit will use LoadLibraryA and GetProcAddress to dynamically load bcrypt.dll for importing the BCryptGenRandom API and generating 32 bytes of random number. If it was unable to load the necessary libraries, it’ll call CryptAcquireContextW and CryptGenRandom to get the job done.

2.5 Impact

2.5.1 Encrypted Files and Ransom Note dropped by ransomware

While LockBit is performing the encryption, it will drop a text file called Restore-My-Files.txt which is the ransom-note.

The Ransom-Note In Memory

2.5.2 Changing Desktop Background

To get the user’s attention, the malware (as is typical) creates and displays a ransom note wallpaper. A set of API calls are involved in this process, listed below.

The created wallpaper gets stored under %APPDATA%\Local\Temp\A7D8.tmp.bmp.

In the meantime, the malware also sets a few registry keys so that the wallpaper is not tiled, and the image is stretched out to fill the screen:

HKEY_CURRENT_USER\Control Panel\Desktop

  • TileWallpaper=0 (No tile)
  • WallpaperStyle=2 (Stretch and fill)

2.6 MITRE ATT&CK TTPs

Technique NameTechnique ID
Command and Scripting Interpreter: Windows Command ShellT1059.003
Inter-Process Communication: Component Object ModelT1559.001
Windows Management InstrumentationT1047
Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1547.001
Abuse Elevation Control Mechanism: Bypass User Account ControlT1548.002
Access Token Manipulation: Token Impersonation/TheftT1134.001
Access Token Manipulation: Create Process with TokenT1134.002
Access Token Manipulation: Parent PID SpoofingT1134.004
Impair Defenses: Disable or Modify ToolsT1562.001
Indicator Removal on Host: File DeletionT1070.004
Indicator Removal on Host: Clear Windows Event LogsT1070.001
File and Directory DiscoveryT1083
Network Share DiscoveryT1135
System Information DiscoveryT1082
Remote Services: SMB/Windows Admin SharesT1021.002
Data Encrypted for ImpactT1486
Inhibit System RecoveryT1490
Service StopT1489

2.7 IOC

SHA256 bc7a8a1a103aba8623b7cb73a8c32d5a3a9a8550d1a0fabbb1a01a48497ad0fb

SHA256 3407f26b3d69f1dfce76782fee1256274cf92f744c65aa1ff2d3eaaaf61b0b1d

SHA256 a0ad4cc0041d5d8de8584b495d98ce46987ed8834d027c01d048da3aa7fb67fe

88.80.147.102
168.100.11.72
139.60.160.200
174.138.62.35
193.38.235.234

3 Conclusion

LockBit 2.0 is a highly sophisticated Ransomware that uses various techniques to perform Ransomware operations. Potential LockBit 2.0 victims’ range across multiple domains, from IT services to banks. Our research indicates that affiliates of the group drop this ransomware inside an already compromised network.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed antivirus and internet security software package on your connected devices.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Conduct regular backup practices and keep those backups offline or in a separate network.

More posts

This image is about monthly vulnerabilities for September 2024.
This image is about the ServiceNow data leak.
This image is about monthly vulnerabilities for July 2024.
This image is about cyber strategies for the Paris Olympics 2024.
This image is about Russian influence operations targeting the Paris Olympics 2024.
advanced divider

Share this article

Found it interesting? Don’t hesitate to share it to wow your friends or colleagues
advanced divider
Subscribe to our blog newsletter to follow the latest posts