LockBit malware: What it is, how it works and how to prevent it | Malware spotlight

Introduction

LockBit is a data encryption malware in operation since September 2019 and a recent Ransomware-as-a-Service (RaaS), in which developers are in charge of the payment site and development and affiliates sign up to distribute the threat in the wild. This piece of malware was developed to encrypt large companies in a few hours as a way of preventing its detection quickly by security appliances and IT/SOC teams. According to McAfee, LockBit encrypted approximately 25 servers and 225 workstations in just three hours during a recent attack.

When executed, the ransomware renames the files with the extension “.abcd” after compromising a device. After this process, a text file – “Restore-My-Files.txt” is created in all affected folders.

LockBit in depth

This malware is usually launched by criminals after a network has been compromised as one of the final stages of infection. LockBit deployment is launched via a PowerShell command also observed on other mediatic ransomware, including Netwalker. [CLICK IMAGES TO ENLARGE]

Sponsorships Available

Sponsorships Available

Sponsorships Available

Figure 1: PowerShell command launching the first stage of LockBit

In detail, the PowerShell command retrieves a .png file (rs40 and rs35 according to the .NET version installed on the infected device) from a website probably compromised by criminals, which starts the second stage. The second stage is a .NET downloader written in C# and compiled via Microsoft Visual Studio. As presented below, the binary has three sections and it is not packed, so it can be reversed for better understanding.

Figure 2: LockBit second stage — number of sections

This file is a .NET loader that when executed downloads the final payload — LockBit — from the internet. Analyzing the Main() function, it shows that an array with the AES-encrypted base64 string contains the LockBit binary.

Figure 3: String base64 encrypted with AES (Read more...)