Figure: Double extortion used in the Accenture attack (source: inthecloudtech)

The LockBit group has built itself into one of the most professional organized criminal gangs thanks to its recruitment of affiliates. The group has been known to hire network access brokers, cooperate with other criminal groups, recruit company insiders, and sponsor underground technical writing contests to attract talented hackers. LockBit was originally known as ABCD, after the extension it appended to encrypted files. During its first year of operation the group remained a relatively small player, as more prominent gangs received greater attention.

LockBit 2.0 relied on tools such as Windows PowerShell and SMB to attack organizations, scanning the network from compromised devices to find further hosts to infect. The ransomware primarily used built-in Windows tools (Living off the Land Binaries, or LOLBins), which makes the malicious activity harder to distinguish from legitimate administration.

In approximately June 2022, LockBit operators and affiliates began the shift to LockBit 3.0, also referred to as LockBit Black, a variant whose code has roots that extend back to BlackMatter and related groups. This version introduces new management features for affiliates and adds Zcash as a victim payment option alongside Monero and Bitcoin. The operators also claim to have opened a public “bug bounty” program to improve the quality of the malware and to financially reward those who assist. The program invites security researchers and hackers (both ethical and unethical) to find flaws in the ransomware project, with claimed rewards of between one thousand and one million dollars for those who find and report issues within the LockBit 3.0 infrastructure.

As explained earlier this year in an article by Trend Micro, LockBit 3.0 works by performing various routines, including “attempts to log in using credentials from its configuration list with the goal of determining if the compromised system is a part of the domain admin.” Similar to BlackMatter, “it terminates and deletes processes and services from its configuration list, wipes the recycle bin folder on every drive, scans its configuration list for computer name hashes to avoid, connects to the C2 server if the flag is set, and encrypts network shares and Exchange mailboxes if set in its configuration flag”. It also obtains a list of files, folders, and extensions to be avoided from its configuration list, follows .lnk shortcuts and encrypts the files they point to, prints the ransom note on any available printers, modifies the desktop wallpaper, and uses the same encryption algorithm as BlackMatter.

The LockBit 3.0 ransomware uses a variety of anti-analysis techniques to hinder static and dynamic analysis, similar to the BlackMatter ransomware. These include code packing, obfuscation, dynamic (runtime) resolution of Windows API function addresses, function trampolines, and anti-debugging checks. In a recent incident, a LockBit affiliate was observed abusing a VMware command-line utility and Microsoft Defender Antivirus utilities to load Cobalt Strike payloads, a “living off the land” technique used to evade EDR and antivirus detection because the malicious payload is loaded by a signed, trusted binary.

LockBit infection chains show a variety of tactics and tools. Affiliates typically buy access to targets from initial access brokers, who obtain it via phishing, exploiting vulnerable internet-facing applications, or brute forcing Remote Desktop Protocol (RDP) accounts. In some instances the ransomware arrived via spam email, by brute forcing weak RDP or VPN credentials, or by exploiting a Fortinet SSL VPN vulnerability (CVE-2018-13379), ProxyShell (CVE-2021-34473), Log4Shell (CVE-2021-44228), or a SQL injection flaw in end-of-life SonicWall SRA appliances (CVE-2021-20028).

LockBit is typically executed from the command line or by creating scheduled tasks; the latter is usually how it is run when propagated to other machines. It is worth noting that execution is often carried out by the affiliates themselves. Aside from the credentials supplied by affiliates, LockBit has been observed using Mimikatz to harvest further credentials. For persistence, LockBit adds an entry to the Run key in the registry so that it executes each time the computer boots. Some infections were observed to include GMER, PC Hunter, and/or Process Hacker, tools typically used to disable security products. In some cases, a Group Policy was created to disable Windows Defender.
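The post-exploitation behaviours described above (scheduled-task execution, Run key persistence, Defender disabled through policy, and the credential-dumping and security-killer tools) are all visible in endpoint telemetry. The following is an added hunting example written for this page, not code from the original post or from any vendor; it runs simple rules over constructed event records shaped loosely like Sysmon process-creation (event ID 1) and registry value-set (event ID 13) events exported as JSON. The field names (`event_id`, `image`, `command_line`, `target_object`, `details`) and the sample events are assumptions of the example, not real telemetry.

```python
"""Hunting rules for the LockBit post-exploitation behaviours named in the post.

Added example, not from the original post. Event field names are an
assumption of this example, modelled on Sysmon events serialised as JSON.
"""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Scheduled task created to run a dropped binary at boot as SYSTEM.
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "Updater" /tr C:\Users\Public\lb.exe /sc onstart /ru SYSTEM'},
    # Run key persistence written by the dropped binary itself.
    {"event_id": 13, "image": r"C:\Users\Public\lb.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\Public\lb.exe"},
    # Defender turned off through the Group Policy-backed registry value.
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    # Credential dumping and a security-killer tool, both named in the post.
    {"event_id": 1, "image": r"C:\Tools\mimikatz.exe",
     "command_line": "mimikatz.exe sekurlsa::logonpasswords"},
    {"event_id": 1, "image": r"C:\Tools\PCHunter64.exe", "command_line": "PCHunter64.exe"},
    # Benign control record.
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

# Run / RunOnce under any hive (HKLM, HKU\<SID>, ...).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Policy key that Group Policy writes when Defender is disabled.
DEFENDER_POLICY_RE = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\", re.I)
# schtasks.exe invoked to create a task (execution and lateral propagation).
SCHTASKS_CREATE_RE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
# Lower-cased substrings of the tool binaries named in the post.
SUSPECT_TOOLS = ("mimikatz", "gmer", "pchunter", "processhacker")


def classify(event):
    """Return the list of detection tags for one event (empty if nothing matched)."""
    tags = []
    event_id = event.get("event_id")
    cmd = event.get("command_line", "")
    target = event.get("target_object", "")
    image_name = event.get("image", "").lower().rsplit("\\", 1)[-1]

    if event_id == 13 and RUN_KEY_RE.search(target):
        tags.append("persistence:run_key")
    if event_id == 13 and DEFENDER_POLICY_RE.search(target) and "DisableAntiSpyware" in target:
        tags.append("defense_evasion:defender_policy")
    if SCHTASKS_CREATE_RE.search(cmd):
        tags.append("execution:scheduled_task")
    if any(tool in image_name for tool in SUSPECT_TOOLS):
        tags.append(f"tool:{image_name}")
    return tags


def hunt(events):
    """Return (index, tags) for every event that matched at least one rule."""
    hits = []
    for idx, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((idx, tags))
    return hits


if __name__ == "__main__":
    for idx, tags in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], tags)
```

The rules deliberately key on the locations and binaries the post names rather than on file hashes: a Run key value or a Defender policy value written by a process that is not a management tool is suspicious regardless of which sample wrote it, and matching tool names by substring catches renamed or versioned copies such as PCHunter64.exe. In a real deployment the benign-process allow-list and the Group Policy provenance check would need tuning to the environment.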