Threat Reports

An Avertium Case Study - LockBit

Written by Marketing | Apr 18, 2023 6:38:34 PM

Executive Summary

Since their emergence in 2019, the LockBit ransomware gang has become a highly infamous cyber gang. This group functions as a ransomware-as-a-service group that includes a core team responsible for creating the malware and overseeing its online presence and a large team of affiliates who carry out cyber attacks and earn a percentage of ransom payments.

The affiliates have been behind LockBit’s most major attacks including the attack on the German automotive giant, Continental, as well as the attack on the UK automotive giant, Pendragon. According to LockBit’s interesting list of affiliate rules, the percentage rate for their affiliate program is 20% of the ransom. Oddly enough, LockBit allows their affiliates to communicate directly with the companies they target and determine ransom demands. This means that affiliates can communicate however they please. Although LockBit is a large operation, their recent activity has led security researchers to believe that their empire may be slowly cracking. There is a lot of confusion surrounding what the group is doing and how their service is being managed.

Recently there have been suggestions that LockBit appears to claim victims without evidence. For example, the group claimed DarkTrace as a victim on their data leak site and implied that they stole the company’s data. However, when DarkTrace investigated, they found no evidence of a breach. It is now clear that LockBit made a mistake, confusing DarkTrace with threat intelligence company, DarkTracer who tweeted about the gang's leak site being filled with false victims. DarkTracer pointed out that LockBit's dependability seems to be diminishing and they have been careless in running their service, filling up their victim list with fake victims and insignificant data.

Avertium’s Cyber Response Unit (CRU) recently reviewed LockBit’s data leak website and found that some of the data exposed for a few companies was of little importance. Also, the website listed victims without corresponding data to go with them. This is consistent with LockBit investigations we have been involved in, where although the group may have had high levels of access to the victim environment, they were clumsy in their attempts to exfiltrate data and often failed to properly deploy their ransomware. Based on our observation, it is evident that the affiliates of LockBit’s operation are relatively unskilled.

However, despite these findings, LockBit remains the most prolific ransomware group by volume of attacks and are continuing to evolve their tools. In April 2023, security researchers discovered that a new version of LockBit ransomware has been targeting Apple’s Mac computers. Usually focusing on Windows and Linux machines, LockBit has a new build named “locker_Apple_M1_64.” It is highly possible that we may soon witness an upsurge in Mac ransomware infections, particularly if LockBit decides to make the Mac version of their ransomware available as a Ransomware-as-a-Service.

During 2022, LockBit was using an encryptor they named LockBit Black. The encryptor was challenging for security professionals due to each instance of the malware requiring a distinct password for successful execution. The password requirement made it very tough and sometimes impossible to analyze. Also, the malware employed a number of undocumented kernel-level Windows functions.

The CRU worked on a case that involved an organization being compromised by LockBit affiliates via the LockBit Black encryptor. During our investigation, we discovered that despite being a well-established and efficient operation, the affiliates deploying LockBit lacked sophistication. Let’s look at the tactics and techniques leveraged by LockBit’s affiliates and how subpar security can serve as an entry point for even the least sophisticated threat actors.

 

 

 

initial access

The victim organization reached out to Avertium after they found multiple indicators of compromise, including the presence of printed “LockBit Black” ransom notes on their internal printers. Following further investigation, ransomware was found on several systems.

The CRU began an investigation and observed that the initial signs of the security breach involved a poorly configured firewall and a vulnerable password. The initial method of compromise was via brute-forcing a username and password. We also found that the firewall had been misconfigured for nine days, and the system had default Windows event log settings that led to minimal records of login attempts. From the available logs it appears that within a matter of days of the firewall misconfiguration the victim IP was listed in Shodan, and multiple sources were actively launching brute force attacks. An account was compromised within seven days of the target system being exposed.

With access to an existing account, the threat actor was able to pivot to a domain account and create a new domain-administrator account with a different name. Using the new account, LockBit logged in via RDP to a Domain Controller before pivoting to and encrypting sixteen server systems.

 

 

mapping internal network

Within two days of the initial compromise the threat actor used Advanced IP Scanner to map the organization’s internal network. The tool was used to gain a better understanding of the network's topology and identify potential vulnerabilities that could be exploited. By scanning the network, LockBit obtained information about hosts, services, and open ports.

 

 

accessing locked files

After successfully mapping the target’s internal network, LockBit downloaded an executable named IOBitUnlocker.exe and used it to access files that were locked or in use. The tool is used to unlock multiple files or folders on desktops or other places at the same time.

 

 

failed remote access/persistence + more mapping

Next, the ransomware group managed to leverage a domain user account to download the ScreenConnect remote-access tool. LockBit installed the tool on three systems, then uninstalled it before conducting further network mapping using Netscan.exe. The CRU did not find any evidence that ScreenConnect was used, and a full disk scan showed that it was installed on one of the domain controllers before it was removed.

 

 

exfiltration of files

The threat actor created zip files, containing approximately 400MB of uncompressed data that was exfiltrated from the target network. Although there were 4TB of files stored on the file share, only .01% of the available data was exfiltrated. To carry out the exfiltration, the attacker utilized the Rclone remote file synchronization utility to transfer the stolen data to api.put.io and premiumize.me. LockBit attempted to use ngrok as well, but that was unsuccessful due to detection and blocking at the firewall.

Despite limited firewall logging detail, there was unmistakable evidence of LockBit having accessed file storage internet sites. Forensic analysis also confirmed successful file uploads.

 

 

encryption

Four days after initial access the threat actor successfully encrypted sixteen server systems, involving multiple file types and filenames. However, it's worth noting that less than 10% of the systems were encrypted, even though with Domain Admin access, it would have been relatively easy for the attackers to encrypt most of the hosts on the network. It's also noteworthy that while the backup server itself was encrypted, the data repository was not, and therefore remained unencrypted. This evidence shows the inexperience of LockBit affiliates.

 

 

collect users from active directory

Strangely, Get-ADUser was used to collect user accounts from Active Directory after systems had been encrypted. Get-ADUser is a command in PowerShell that is used to retrieve information about Active Directory user accounts. Using the Get-ADUser command, threat actors can obtain information related to a user's account in Active Directory, including their name, email address, group memberships, account status, and other information. In most investigations encryption is the final action by the threat actor.

 

 

conclusion

When it comes to the ransomware-as-a-service (RaaS) model, LockBit is often referred to as a "well-oiled machine." However, despite LockBit’s efficiency as ransomware, it appears that not all LockBit affiliates are particularly sophisticated or advanced. There is a difference between the developers of LockBit and the affiliates who purchase the RaaS.

In this case study, we can assume that we are dealing with LockBit affiliates and not developers based on several obvious mistakes. While the developers may not have the most advanced affiliates, their expertise lies in creating a platform that is easy to use and highly profitable for affiliates.

 

 

tools  used

LockBit used several tools to carry out their attack, which include:

  • Advanced IP ScannerLockBit used Advanced IP Scanner as a reconnaissance tool to map their target’s network. Freely available online, Advanced IP Scanner can be executed as an installer and as a portable version - both are used by threat actors.
  • Rclone Rclone is a tool commonly used by threat actors in ransomware attacks to help exfiltrate data. Typically, threat actors use Rclone after gaining remote access to their target’s network.
  • PowerShell - PowerShell is a command-line interface and scripting language created by Microsoft to assist IT experts in automating administrative tasks and system configurations. Unlike most command-line shells, PowerShell is object-oriented and works with objects rather than text. It is built on the .NET framework and has become a widely used automation tool for system administrators in IT departments and external organizations, including managed service providers, due to its powerful scripting abilities. Since PowerShell is pre-installed on Windows systems, a threat actor may use PowerShell because it is easily accessible and allows them to carry out a wide range of activities:
     
    • Downloading and executing malicious payloads
    • Modifying system settings
    • Executing reconnaissance activities
  • NetScan - NetScan is a powerful and adaptable network monitoring tool that directly collects information from both the control and user plane of a network, providing real-time accessibility. Threat actors could use this tool to gain access to critical data, extract data from both planes of a network, and monitor various network components (switches, routers, firewalls, etc.).
  • ScreenConnectScreenConnect (now re-named ConnectWise Control) is a self-hosted application for remote support that allows users to remotely view and control computers or servers. The software was initially created for MSPs and IT specialists to remotely access computers and offer assistance. However, threat actors exploit the tool by installing it to run quietly in the background, waiting for a remote management connection. Once connected, they use it to deploy ransomware and other types of malwares onto the victim's computer.
  • LockBit Encryptor In February 2023, LockBit released a third version of their encryptor called LockBit Green. However, for this case, LockBit used their previous encryptor called LockBit Black. The Black variant thwarts forensic analysis, such as wiping event logs, terminating multiple tasks, and removing services. The encryptor also gains initial access to the target network through SMB brute forcing from various IP addresses.
  • Remote Desktop Protocol (RDP) - Remote Desktop Protocol (RDP) allows users to access and operate Windows on a device located in a different place. The primary peripheral devices such as the keyboard and mouse are shared with the remote system, enabling users to manipulate and control it as though they were physically present in front of it.
  • exe Nssm.exe is often located in a subdirectory of "C:\Program Files", "C:\Users\USERNAME", or occasionally in a subdirectory of C, with typical file sizes ranging from 331,264 bytes (38% of all these files) to 368,640 bytes, along with 10 other variants. This executable file represents the "ExpressVpnService" service, which runs covertly in the background and can be terminated through Windows Task Manager.

It should be noted that most of these tools are legitimate software and will not be detected as malware unless custom rules or application whitelisting is in use.

 

 

INDICATORS OF COMPROMISE (IOCs)

 

Filename

SHA1

LBB.exe

3dbeeed8320fb5c91394dfc0014984e25dc95732

5in_d.exe

50f442ebbb1142db310f6b96f71afef4e49b320f

LBB_ReflectiveDll_DllMian.dll 

b35ab076f864dd5570aff12d535ca5f5bcd2bf6c

Jdwj.sys 

b6c4f2a7585f6ed77a55aa90de98307fc468b882

LBB_pass.exe 

c8db61274c4d102b88a38aadc967e12d1fcffebc

LBB_Rundll32_pass.dll 

e4e2ffa1079faa55d2c0b7177829531feb78255e

LBB_Rundll32.dll 

eeb9611bee1934145e82e8cc2249b7610840e664


 

 

how avertium is protecting our customers

Because the cyber landscape is always changing, it is imperative to be aware of new cyber attack strategies and techniques. Avertium is here to keep you informed and to keep your organization safe. We recommend the following services for the best protection against ransomware attacks:

  • Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.

  • Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.

  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.

  • It is also recommended by Avertium and the FBI that your business require multi-factor authentication (MFA) to remotely access networks.
  • Reach out to your Service Delivery Manager or Account Executive if you need assistance applying any of the above recommendations.

 

 

 

 

SUPPORTING DOCUMENTATION

Advanced IP Scanner: the preferred scanner in the A(P)T toolbox (huntandhackett.com)

ScreenConnect MSP Software Used to Install Zeppelin Ransomware (bleepingcomputer.com)

ScreenConnect - https://www.screenconnect.com/

NetScan | Netscan

LockBit affiliate behind major attacks arrested in Canada | Cybernews

Uncovering LockBit Black's Attack Chain and Anti-Forensic Activity (quickheal.com)

Rclone

What is nssm.exe (The non-sucking service manager) used for? (file.info)

What is Remote Desktop Protocol? Using it! & Best RDP Alternatives 2023 (comparitech.com)

LockBit 3.0 Ransomware Unlocked - VMware Security Blog - VMware

Darktrace: Investigation found no evidence of LockBit breach (bleepingcomputer.com)

LockBit Ransomware Targets Apple Silicon Macs for the First Time | PCMag

 

Related Resource:

 

     

 

APPENDIX I: lockbit's affiliate rules

Note: Please be advised that the affiliate rules seen below were translated via Google Translator, therefore there may be errors.

 

The oldest international [Ransomware] LockBit affiliate program welcomes you.

We are located in the Netherlands, completely apolitical and only interested in money. We always have an unlimited amount of affiliates, enough space for all professionals. It does not matter what country you live in, what types of language you speak, what age you are, what religion you believe in, anyone on the planet can work with us at any time of the year.

First and foremost, we're looking for cohesive and experienced teams of pentestors. In the second turn we are ready to work with access providers: sale or on a percentage of redemption, but you have to trust us completely. We provide a completely transparent process - you can control the communication with the victim. In case when the company was encrypted and has not paid, you will see the stolen data in the blog.

We also work with those who don't encrypt networks, but just want to sell the stolen data, posting it on the largest blog on the planet. Brief description of functionality:

  • admin panel on the Tor network;
  • communication with companies on the Tor network, chat with notifications and file transfer;
  • the ability to create private chats for secret communication with companies;
  • automatic decryption of test files;
  • automatic decrypter output, by pressing the button in the panel;
  • possibility of maximum protection of the decrypter, in this case the decrypter is stored on the flash drive;
  • StealBit stealer, searchable by file name and extension;
  • automatic data uploading to the blog, by you personally without our participation;
  • Possibility to specify any Internet port in StealBit for downloading, for example 22 or 3389, to bypass network security policies;
  • The ability to upload pictures to the blog;
  • Ability to post the history of correspondence with the attacked company to the blog;
  • ability to generate builds with different settings, but with one encryption key for one corporate network;
  • 2 different encryption lockers for Windows in one panel, written by different programmers, allowing to encrypt the network twice, if time allows, it will be useful for paranoiacs who doubt the reliability and implementation of the cryptographic algorithm and believe in free decryption;
  • ability to edit the list to kill processes and services;
  • ability to edit the list of exceptions - computer name, names and file extensions that do not need to be encrypted;
  • the fastest and most efficient cleanup (without the possibility of recovery) of free space after encryption;
  • file name encryption, helps to avoid even partial recovery of a piece of information from the desired file;
  • killing and removing Windows Defender;
  • impersonation to automatically elevate permissions on local computers;
  • SafeMode operation for bypassing anti-viruses and stronger encryption;
  • port scanner in local subnets, can detect all shared DFS, SMB, WebDav resources;
  • automatic distribution in the domain network at runtime without the need for scripts, GPO or psexec methods;
  • safely delete the shadow copies;
  • delete artifacts from system journals. It necessary to protect from forensics examination;
  • shutting down the computer after finishing work, to make it impossible to remove the dump from RAM;
  • printing claims on network printers in infinite numbers;
  • work on all versions of Windows, with very flexible settings (exe, dll, ReflectiveDll, ps1);
  • running on all versions of ESXi (except 4.0), with very flexible settings;
  • work on multiple Linux versions (14 architectures for NAS encryption, RedHat, KVM and others);

All this and much more awaits you, if you join our team. If you do not find one of your favorite features, please inform us, maybe we will add it especially for you.

 

Rules of the affiliate program:

  • You must be active to work with our software package.

  • It is strictly forbidden to give access to the panel to other people. If you work with an affiliate, you may be given a sub-account with correspondence reading rights for your affiliate. You should be aware that your partner may turn out to be a mole or be arrested by the police at any moment.

  • It is forbidden not to fulfill agreements that you stated in chat before payment. For example, promising to give a file tree, and then not doing so.

  • It is imperative to download valuable information from every company you attack. If you can't bypass your firewall settings and you don't have the ability to download the information, then perhaps our proprietary StealBit Stealer can help you.

  • It is not forbidden to work with competitors, but be sure to report it and explain why and what you like from your competitors, we will implement any of your worthy wishes, we care very much about progress and constant development.

Categories of targets to attack:

  • It is illegal to encrypt files in critical infrastructure, such as nuclear power plants, thermal power plants, hydroelectric power plants, and other similar organizations. Allowed to steal data without encryption. If you can't figure out if an organization is a critical infrastructure, ask your helpdesk.

  • The oil and gas industry, such as pipelines, gas pipelines, oil production stations, refineries, and other similar organizations are not allowed to be encrypted. It is allowed to steal data without encryption.

  • It is forbidden to attack the post-Soviet countries such as: Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, Ukraine and Estonia. This is due to the fact that most of our developers and partners were born and grew up in the Soviet Union, the former largest country in the world, but now we are located in the Netherlands.

  • It is allowed to attack non-profit organizations. If an organization has computers, it must take care of the security of the corporate network.

  • It is allowed to attack any educational institutions as long as they are private and have a revenue.

  • It is allowed to very carefully and selectively attack medical related institutions such as pharmaceutical companies, dental clinics, plastic surgeries, especially those that change sex and force to be very careful in Thailand, as well as any other organizations provided that they are private and have rhubarb. It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed. It is allowed to steal data from any medical facilities without encryption, as it may be a medical secret and must be strictly protected in accordance with the law. If you can't pinpoint whether or not a particular medical organization can be attacked, contact the helpdesk.

  • It is very commendable to attack police stations and any other law enforcement agencies that are engaged in finding and arresting hackers, they do not appreciate our useful work as a pentest with postpaid and consider it a violation of the law, we should show them that a competent computer network setup is very important and write a fine for computer illiteracy.

  • It is allowed to attack government organizations, only with revenue.

  • Percentage rate of affiliate program is 20% of the ransom, if you think that this is too much and because of this you are working with another affiliate program or using your personal software, then you should not deny yourself the pleasure of working with us, just increase the amount of ransom by 20% and be happy.

  • You receive payments from companies to your personal wallets in any convenient currency and only then transfer the share to our affiliate program. However, for ransom amounts over $500 thousand, you give the attacked company 2 wallets for payment - one is yours, to which the company will transfer 80%, and the second is ours for 20%, thus we will be protected from scam on your part.

  • You personally communicate with the attacked companies and decide yourself how much money to take for your invaluable pentest work, which should surely be generously paid.

  • If you have any questions, doubts or complaints, you do not like something, please tell it to TOX support. If you are very shy, you can do it anonymously by creating a new one-time TOX. It is very important for us to know about all our strengths and weaknesses in order to constantly improve our service.

Every candidate to join our affiliate program should understand that we are constantly trying to be hacked and harmed in some way. This is why we pay a lot of attention to the candidates who join our partnership program. When joining, a lot of factors are taken into consideration, such as the reputation on the forums, the team composition, evidence of work with other affiliate programs, your wallet balance, the amount of previous payments and much more. You can also join our team by a guarantee of our partners, who are already active and time-tested.

After many years of experience, we concluded that the most effective way to test a candidate for accession is a deposit. When you join, you deposit 1 bitcoin in our wallet, in fact, this amount is an advance and will be used at your subsequent payments as payment for our 20% share. For example, the company paid you a ransom for decrypting 100 bitcoins, you have to transfer a share of 20 bitcoins to us, but thanks to the deposit you made when you joined, the amount of the share paid will be 19 bitcoins. This procedure is required only once, only when you join the affiliate program. The deposit weeds out insecure newbies, cops, FBI agents, journalists, white haters, web pentesters, competitors, and other small rodent pests.

The deposit amount may be reduced or not required at all, depending on what reputation you have and what information you can provide about yourself. For those who are afraid to trust us with their money and think that we are scammers, it is possible to carry out this procedure through a guarantor, any reputable forum, in this case, you make a deposit on the balance of the forum, where we describe the conditions of the deposit, which are very simple, for example, if you can not earn 5 bitcoins in a month, then your deposit goes to us.

Please, be understanding with such a careful attitude to your candidacy, because you personally would not be very pleased if your newly encrypted company was decrypted for free by the FBI thanks to some person who easily gained access to the panel and made a masterful hack of our servers using zero-day vulnerabilities.

 

Recommended, but not required, application form when joining:

1) Links to your profiles on various hacker forums - the older your account, the better.

2) Describe your experience with other affiliate programs, preferably with some evidence, such as screenshots and transactions that show your payouts.

3) Show your balance in cryptocurrency at the moment.

4) Explain the reasons why you left another affiliate program and want to work with us.

5) Tell about the current accesses you have and are ready to attack immediately after joining us. It is recommended to prove yourself immediately after joining - the sooner you get the first payment, the less doubt will be cast on your identity.

6) It is desirable to have already downloaded information for the blog from the intended target for the attack and provide evidence of the existence of this information, such as screenshots, file tree or access to these files.

7) Ask your friends or acquaintances who already work with us to vouch for you.

8) Request a bitcoin or monero wallet to make a deposit, in case you are confident in your abilities and ready to earn millions of dollars with us.

 

To summarize, the reasons why it is better to work with us:

  • LockBit brand - the whole planet knows about us, we are trusted by encrypted companies, we have shown everyone that it is safe to cooperate with us, we are responsible for our words, we have never cheated anyone and always fulfill our agreements. Decrypter work, stolen data is deleted.

  • Stability: we have been working for 3 years, and no negative news regarding ransomware could scare and stop us, and so far we could not be caught by the FBI. If they couldn't catch us in 3 years, they probably never will, and we will keep working.

  • Probably the best software and the most extensive list of operating systems and architectures you can attack.

  • You negotiate and make all the decisions yourself.

  • Payments to your wallet: there is no way we can cheat you and commit exit scams, as many affiliate programs have done and will continue to do. In addition, in 3 years we have earned a lot of money, so much so that there is no point in ruining your reputation because of some insignificant amount of a few million dollars. We store stolen company data for as long as possible on our blog so that companies are afraid to allow leaks and pay for stolen data if there are backups and there is no need to pay for a decrypter.

  • We have no payout limits - you can encrypt RDP individuals or companies with any income level, any payout is nice for us - both $5,000,000 and $50 million, because we love our work and the process itself, and money is just a nice addition. The best anti-ddos protection and a lot of mirrors, stability of communication with companies is very important for getting payouts.

  • Possibility to create private chats for secret communication with Recovery companies: it is very useful to keep secrecy of correspondence and avoid disrupting negotiations.

  • Decryptor security: the maximum protection for decrypters allows you to be sure that your company will not be decrypted for free due to any vulnerabilities in the web panel.

  • Bug bounty program: we understand that there is always a possibility of zero-day vulnerability attacks and we fight this threat with all possible means.

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.