Malware Analysis Report: LockBit Black Ransomware
What is LockBit 3.0 Ransomware?
⮚ LockBit ransomware is known for spreading rapidly across networks, encrypting files and demanding payment for the decryption keys. The “3.0” in LockBit 3.0 likely indicates a newer version or variant of the original LockBit ransomware. Ransomware attacks are usually carried out by cybercriminals seeking financial gain.
⮚ LockBit 3.0 operates under a Ransomware-as-a-Service (RaaS) model. It is also known as LockBit Black ransomware.
Technical Analysis:
⮚ I checked the sample in pestudio; it shows the MZ magic bytes, which means it is a Windows executable file. For further confirmation I checked it in another tool, Detect It Easy.
⮚ Next, the VirusTotal section in pestudio shows that 62 of 72 threat vendors flag this as malicious LockBit ransomware.
⮚ The Indicators section shows that the build tool used for this ransomware is Visual Studio 2008.
⮚ The Libraries section lists the DLLs used by this LockBit ransomware.
⮚ In the Imports section I found functionality such as process injection using the virtual memory allocation technique, terminating arbitrary processes, and similar capabilities used by this LockBit variant.
⮚ Then we need to know whether it is packed or not. Packing is a technique used by malware authors to make analysis difficult for malware analysts.
⮚ The result was almost 80% “not packed”; only the .text section is packed.
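The MZ check and the per-section packing verdict above can be reproduced with a few lines of standard-library Python. The script below is an added example, not the report's tooling: it verifies the MZ/PE signatures, walks the section table, computes Shannon entropy per section as a packing heuristic (the 7.0 bits/byte threshold is an assumption), and compares the file's SHA-256 against the hash listed under Indicators of Compromise. The PE-shaped blob it builds for demonstration is constructed inline and is not a real executable.

```python
"""Static triage helper (added example, standard library only)."""
import hashlib
import math
import struct

# SHA-256 from the report's Indicators of Compromise section.
KNOWN_IOC_SHA256 = {
    "a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716",
}

# Assumption: sections above ~7.0 bits/byte are usually compressed or encrypted.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty/constant input, at most 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_pe(data: bytes) -> bool:
    """True if the buffer starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parse_sections(data: bytes) -> list:
    """Return [(name, raw_offset, raw_size)] from the COFF section table."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                      # COFF header follows 'PE\0\0'
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def triage(data: bytes) -> dict:
    """Hashes, IOC match, and a per-section packing verdict."""
    result = {
        "is_pe": is_pe(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": [],
    }
    result["matches_known_ioc"] = result["sha256"] in KNOWN_IOC_SHA256
    if not result["is_pe"]:
        return result
    for name, ptr, size in parse_sections(data):
        ent = shannon_entropy(data[ptr:ptr + size])
        result["sections"].append({
            "name": name,
            "entropy": round(ent, 2),
            "likely_packed": ent > PACKED_ENTROPY_THRESHOLD,
        })
    return result


def build_sample() -> bytes:
    """Constructed, minimal PE-shaped blob for demonstration (not a real binary)."""
    text_body = bytes(range(256))            # every byte value once: entropy 8.0
    data_body = b"A" * 256                   # constant: entropy 0.0
    hdr_end = 0x40 + 4 + 20 + 40 * 2         # DOS hdr + sig + COFF + two section hdrs
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)  # 2 sections, no optional hdr

    def sec(name: bytes, size: int, ptr: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, size, 0, size, ptr, 0, 0, 0, 0, 0)

    sections = sec(b".text", 256, hdr_end) + sec(b".data", 256, hdr_end + 256)
    return dos + b"PE\x00\x00" + coff + sections + text_body + data_body


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(blob), indent=2))
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed blob flagged as "packed" in .text and "not packed" in .data; on a real binary, compare the per-section verdicts with what Detect It Easy reports.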
⮚ For more detail on the capabilities of this LockBit ransomware I used the CAPA tool, which is built into FLARE-VM and reports the tactics, techniques and capabilities a sample has.
⮚ I found Defense Evasion and Execution tactic capabilities in this variant.
⮚ In the MBC (Malware Behavior Catalog) output it shows that the RC4 encryption algorithm is used by this LockBit variant.
⮚ RC4 is a symmetric-key stream cipher that encrypts data one byte at a time.
⮚ For dynamic analysis I ran the ransomware in FLARE-VM, with its DNS routed to a second REMnux VM.
⮚ When the malware actually ran, it started encrypting files and appending the .2uaphkEDl extension.
⮚ We had already started capturing network traffic while running the LockBit ransomware. Using Wireshark we found a suspicious IP.
⮚ After checking it in VirusTotal, it shows as a malicious domain.
⮚ On the desktop background the following text was displayed by LockBit Black ransomware.
⮚ Any.Run sandbox results for this sample.
⮚ VirusTotal score: 62 vendors flag it as a highly malicious LockBit version.
Indicators of Compromise
MD5: 6d94d664f9ba75013dddf5cefbc9a4f5
SHA-1: a9c58e2be33854f91cb6eb19701b71b2ad0c8db0
SHA-256: a88e9c57e89817701d2651b556f76641e10a7fb54eb29cf9a466648b25fe6716
IP: 116.203.6.169
MITRE ATT&CK Technique IDs for the observed IoCs:
MITRE ATT&CK Technique ID: T1047 - Windows Management Instrumentation
IOC: WMIC.exe shadowcopy delete
Description: Used WMIC.exe to access the shadow copies.
MITRE ATT&CK Technique ID: T1547 - Boot or Logon Autostart Execution
IOC: Changes the autorun value in the registry / writes to the Start Menu file
Description: The malware achieves persistence using the autorun method and the startup folder.
MITRE ATT&CK Technique ID: T1518 - Security Software Discovery
IOC: WMIC.exe
Description: Used WMIC.exe to change the shadow copy information.
MITRE ATT&CK Technique ID: T1562.001 - Defense Evasion: Impair Defenses: Disable or Modify Tools
IOC: regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\DeleteFlag
Description: Attempts to disable Windows Defender.
MITRE ATT&CK Technique ID: T1486 - Data Encrypted for Impact
IOC: Renames files like .2uaphkEDl.
Description: Renames system files with a .decrypt extension.
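The IoC table above maps directly onto detection rules. The script below is an added example, not part of the report: it runs four rules keyed to the page's technique IDs (the WMIC shadow copy deletion, the autorun/Startup-folder persistence, the WinDefend DeleteFlag registry write, and renames to the .2uaphkEDl extension) over constructed endpoint telemetry. The per-event dict schema (`type`, `image`, `cmdline`, `action`, `target`) is an assumption standing in for whatever your EDR or Sysmon pipeline emits; the T1518 row is not given a separate rule because its listed observable (WMIC.exe) is already covered by the T1047 rule.

```python
"""Rule-based IoC matching over constructed telemetry (added example)."""
import re

RANSOM_EXT = ".2uaphkEDl"   # extension observed in the report

# Each rule: (ATT&CK id from the report, description, predicate over an event dict).
RULES = [
    ("T1047", "WMIC shadow copy deletion",
     lambda e: e.get("type") == "process"
     and e.get("image", "").lower().endswith("wmic.exe")
     and re.search(r"shadowcopy\s+delete", e.get("cmdline", ""), re.I) is not None),
    ("T1547", "Autorun registry value or Startup folder write",
     lambda e: (e.get("type") == "registry"
                and "\\currentversion\\run" in e.get("target", "").lower())
     or (e.get("type") == "file"
         and "\\start menu\\programs\\startup\\" in e.get("target", "").lower())),
    ("T1562.001", "Windows Defender service marked for deletion",
     lambda e: e.get("type") == "registry"
     and e.get("target", "").lower().endswith("\\services\\windefend\\deleteflag")),
    ("T1486", "File renamed to the ransomware extension",
     lambda e: e.get("type") == "file" and e.get("action") == "rename"
     and e.get("target", "").endswith(RANSOM_EXT)),
]

# Constructed sample telemetry (assumed schema; not captured from the sample).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete", "action": "create"},
    {"type": "registry", "image": "sample.exe", "action": "set",
     "target": r"HKLM\SYSTEM\ControlSet001\services\WinDefend\DeleteFlag"},
    {"type": "registry", "image": "sample.exe", "action": "set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"type": "file", "image": "sample.exe", "action": "create",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"type": "file", "image": "sample.exe", "action": "rename",
     "target": r"C:\Users\bob\Documents\report.docx" + RANSOM_EXT},
    {"type": "file", "image": "sample.exe", "action": "rename",
     "target": r"C:\Users\bob\Documents\notes.txt" + RANSOM_EXT},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt", "action": "create"},   # benign: no hit
]


def scan(events):
    """Return [(technique_id, description, event)] for every rule that fires."""
    hits = []
    for e in events:
        for tid, desc, pred in RULES:
            if pred(e):
                hits.append((tid, desc, e))
    return hits


def summarize(events):
    """Count hits per technique; a burst of T1486 renames is the impact signal."""
    counts = {}
    for tid, _, _ in scan(events):
        counts[tid] = counts.get(tid, 0) + 1
    return counts


def rename_burst(events, threshold=2):
    """True when at least `threshold` renames to RANSOM_EXT were seen (threshold is an assumption)."""
    return summarize(events).get("T1486", 0) >= threshold


if __name__ == "__main__":
    for tid, desc, e in scan(SAMPLE_EVENTS):
        print(f"{tid:10} {desc:45} {e.get('image')}")
    print(summarize(SAMPLE_EVENTS))
    print("encryption in progress:", rename_burst(SAMPLE_EVENTS))
```

The shadow copy deletion and the WinDefend DeleteFlag write both precede encryption, so alerting on either of them gives responders a window before the rename burst starts; the burst itself is the confirmation that T1486 is under way.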