LockBit is file-encrypting malware that has been in operation since September 2019 and a recent Ransomware-as-a-Service (RaaS) offering: the developers are in charge of the payment site and development, while affiliates sign up to distribute the threat in the wild. The malware was built to encrypt large companies within a few hours, limiting the time that security appliances and IT/SOC teams have to detect it. According to McAfee, LockBit encrypted approximately 25 servers and 225 workstations in just three hours during a recent attack.
After compromising a device, the ransomware renames the files it encrypts with the extension “.abcd”. It then creates a text file, “Restore-My-Files.txt”, in every affected folder.
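The two file-system artefacts described above can be used to scope an incident. The following is an added triage example, not code from the original article: it walks a directory tree for the “.abcd” extension and the “Restore-My-Files.txt” note and estimates the encryption window. The function names are hypothetical, and treating a renamed file's modification time as its encryption time is an assumption of this example.

```python
import os
import sys
from datetime import datetime, timezone

ENCRYPTED_EXT = ".abcd"               # extension named in the article
RANSOM_NOTE = "restore-my-files.txt"  # note name from the article, lower-cased

def triage(root):
    """Summarise LockBit file-system artefacts found under root."""
    folders = {}
    first = last = None
    for dirpath, _dirs, files in os.walk(root):
        renamed = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = any(f.lower() == RANSOM_NOTE for f in files)
        if not renamed and not has_note:
            continue  # folder shows neither artefact
        folders[dirpath] = {"renamed": len(renamed), "note": has_note}
        for name in renamed:
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable or removed mid-scan; still counted above
            # Assumption: mtime approximates when the file was encrypted.
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    return {
        "folders": folders,
        "total_renamed": sum(v["renamed"] for v in folders.values()),
        # A note without renamed files may mean an interrupted run or cleanup.
        "note_only": sorted(d for d, v in folders.items()
                            if v["note"] and not v["renamed"]),
        "window": (first, last),
    }

def iso(ts):
    """Render an epoch timestamp as UTC ISO 8601, or None if absent."""
    return None if ts is None else datetime.fromtimestamp(ts, timezone.utc).isoformat()

if __name__ == "__main__":
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    start, end = report["window"]
    print(f"affected folders : {len(report['folders'])}")
    print(f"renamed files    : {report['total_renamed']}")
    print(f"encryption window: {iso(start)} .. {iso(end)}")
    for folder in report["note_only"]:
        print(f"note without renamed files: {folder}")
```

Because “.abcd” is a short, generic extension, a folder that has renamed files but no ransom note deserves a manual look before it is counted as affected.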
LockBit in depth
This malware is usually launched by criminals after a network has already been compromised, as one of the final stages of the infection. Deployment starts with a PowerShell command that has also been observed with other widely publicized ransomware, including Netwalker.
Figure 1: PowerShell command launching the first stage of LockBit
In detail, the PowerShell command retrieves a .png file (rs40 or rs35, depending on the .NET version installed on the infected device) from a website probably compromised by the criminals; this file starts the second stage. The second stage is a .NET downloader written in C# and compiled with Microsoft Visual Studio. As shown below, the binary has three sections and is not packed, so it can be reverse engineered directly.
Figure 2: LockBit second stage — number of sections
This file is a .NET loader that, when executed, downloads the final payload, LockBit, from the internet. Analysis of the Main() function shows an array holding an AES-encrypted base64 string that contains the LockBit binary.
Figure 3: String base64 encrypted with AES
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Pedro Tavares. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/g6BYXFe_DPo/