LockBit Analysis

2024-08-31 3003 words 15 minutes

Contents

In this post we’re going to talk about LockBit, one of the most notorious ransomware families that has emerged in recent years. We’ll dive into how LockBit operates, its evolution, analyse how LockBit 3.0 code works and talk about a new leaked code version.

Who is LockBit

LockBit is a notorious ransomware group that first appeared in 2019 and rapidly became a significant force. Initially known as “ABCD” ransomware, due to the extension it added to encrypted files, LockBit evolved into a highly sophisticated operation, using a “Ransomware-as-a-Service” (RaaS) model to provide their ransomware to other cybercriminals who carry out the attacks. This approach allows affiliates to deploy the ransomware in exchange for a share of the profits, spreading its reach across a wide range of industries and geographies. Over the years, LockBit has consistently targeted high-value entities, including corporations, healthcare institutions, and government agencies, using aggressive tactics such as double extortion, where victims face the threat of their data being published if they do not pay the ransom.

In 2021, the group introduced LockBit 2.0, which featured enhanced capabilities, making it even more difficult to defend against. Building on this success, LockBit 3.0 was launched in 2022, setting a new standard in ransomware evolution by incorporating a bug bounty program. The introduction of LockBit 3.0 demonstrated the group’s commitment to maintaining its edge in the increasingly competitive and complex landscape of cybercrime. Shortly after the announcement of LockBit 3.0 in 2022, their ransomware builder was leaked and later confirmed to be used by external actors. In 2023, LockBit achieved successful attacks on approximately 1,030 victims, with an estimated revenue of about 91 million US dollars.

However, in 2024, a campaign against LockBit 3.0 was launched by an alliance of cybersecurity firms, law enforcement agencies, and government bodies. This global effort aimed to dismantle the group’s infrastructure, disrupt its operations, and bring its key affiliates to justice. The campaign led to significant breakthroughs, including the identification of critical infrastructure, the arrest of several high-ranking members, and a temporary disruption in LockBit’s activities. It also led to the development of decryption tools designed to recover files encrypted by the LockBit ransomware, which were made available for free on the ‘No More Ransom’ portal together with other 150 different types of ransomware, used by more than 6 million victims in total. Despite these successes, numerous LockBit attacks have been registered in the past months.

When the LockBit server was closed down by law enforcement in February 2024, it was found that a new version, LockBit-NG-Dev, was likely to be released as LockBit 4.0, had been under advanced development. Trend Micro published a detailed report on it, which we’re going to analyse later.

Attack Methods

Following the MITRE ATT&CK® model we can define a partial scheme containing only the most common attack methods for each phase:

Initial Access LockBit actors typically gain initial access to victim networks through a variety of methods, here the most used:
- Phishing [T1566]: Sending malicious content to trick users into revealing credentials or downloading infected files.
- Exploiting Public-Facing Applications[T1190]: Attacker exploit vulnerabilities in internet-facing applications to gain unauthorized access.
- Valid Accounts[T1078]: Compromised or stolen credentials are used to access the network as a legitimate user.
Execution Once inside the network, LockBit uses several techniques to execute the ransomware:
- Command and Scripting Interpreter [T1059]: Execution of malicious scripts or commands through interpreters like PowerShell or Bash.
- User Execution [T1204]: Persuading users to run malicious files or scripts, often through social engineering.
- Schedule Task/Job [T1053]: Creating scheduled tasks to execute the ransomware payload at a specified time.
Persistence LockBit ensures its continued access to compromised systems through:
- Valid Accounts [T1078]: Use of stolen credentials to maintain access across sessions and reboots.
- Schedule Task/Jobs [T1053]: Re-establishing malicious scheduled tasks to ensure persistence.
Privilege Escalation To escalate privileges, LockBit utilizes:
- Process Injection [T1055]: Injecting malicious code into legitimate processes to elevate privileges and evade detection.
- Valid Accounts [T1078]: Using accounts with higher privileges to escalate control.
- Schedule Task/Job [T1053]: Using scheduled tasks with elevated privileges to execute malicious payloads.
Defence Evasion LockBit is adept at evading detection by:
- Obfuscate Files or Information [T1027]: Hiding malicious code through obfuscation techniques to avoid detection.
- Deobfuscate/Decode File or Information [T1140]: Decoding or deobfuscating data to execute malware without triggering security alerts.
Credential Access LockBit actors focus on acquiring credentials to expand their access:
- OS Credential Dumping [T1003]: Extracting credential information from the operating system’s memory, registry, or other storage.
- Brute Force [T1110]: Attempting to gain access by systematically guessing passwords.
- Password Stores [T1555]: Accessing password managers or stored credential repositories to harvest credentials.
Discovery To map out the victim network, LockBit conducts extensive discovery activities:
- System Information Discovery [T1082]: Gathering information about the victim’s system configurations and settings.
- File and Directory Discovery [T1083]: Enumerating files and directories on local and remote systems.
- Process Discovery [T1057]: Identifying running processes and applications on the victim’s system.
Lateral Movement LockBit spreads across networks using:
- Remote Services [T1021] and [T1210]: Utilizing legitimate network services to move laterally within the network.
- Lateral Tool Transfer [T1570]: Transferring malicious tools and scripts to other systems within the network.
Collection The group gathers sensitive information before encryption:
- Screen Capture [T1113]: Taking screenshots or video recordings of the victim’s display to capture sensitive information.
- Archive Collected Data [T1560]: Compressing and archiving data files for easier exfiltration or encryption.
Command and Control Techniques used from to communicate with compromised systems to control them:
- Ingress Tool Transfer [T1105]: Transferring additional malicious tools or payloads into the compromised environment.
- Application Layer Protocol [T1071]: Using standard application protocols like HTTP or HTTPS to communicate with command and control servers.
Exfiltration Before encrypting files, LockBit exfiltrates data:
- Over C2 Channel [T1041]: Sending stolen data back to the attackers through established command and control channels.
- Automated Exfiltration [T1020]: Using automated tools to steal data from the victim’s network.
Impact The final stage involves the primary goal of LockBit’s operations:
- Data Encrypted for impact [T1471]: Encrypting critical files and data to render them inaccessible to the victim.
- Inhibit System Recovery [T1490]: Disabling or deleting system recovery options to prevent restoration of compromised systems.

Code Analysis

As mentioned in the last section, Lockbit, like the majority of the ransomware, is going to exploit and use different vulnerabilities and techniques depending on the system is attacking. The sample that we’re going to analyse is one of the first 3.0 sample published by vxunderground with the following SHA256:
80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce

Firstly, we are going to talk about some elements used by the ransomware, such as the configuration system and API obfuscation process. After that, we will discuss the preliminary phase, execution, and encryption process.
I found it surprising to see how many different techniques have been implemented to prevent code analysis and detection.

Configuration

The configuration file contains all the flags to dictate the ransomware behaviour, It includes numerous parameters (more than 20) that control various aspects of the ransomware’s operation, such as encryption settings, network communication protocols, target exclusions, and self-propagation mechanisms. This configuration file, unlike other ransomware, is stored in an encrypted format to prevent easy analysis and to avoid detection by antivirus software; once decrypted it is structured in a JSON-like format. Let’s discuss some flags, more of them will be discussed later:

EXCLUDE_HIDDEN_FLAG: avoid encrypting files that are marked as hidden, likely to minimize detection and maintain a low profile during the initial stages of the attack.
ENC_SHARED_FLAG: whether shared network resources or drives should be included in the encryption process.
CHECK_UI_LANGUAGE_FLAG: This flag checks the system’s user interface language before executing the payload, potentially to avoid attacking systems in certain regions or languages that the attacker wants to exclude. Considering the analysed sample this flag was enabled with the following languages: Arabic, Armenian, Belarusian, Romanian, Russian, Ukrainian, Uzbek.
ATTEMPT_LOGON_FLAG: This flag configures the ransomware to attempt logging on to other network systems using stolen or default credentials, aiding in lateral movement within an infected network.
CONNECT_TO_CNC_FLAG: directs the ransomware to establish a connection to a Command and Control (C2) server, facilitating remote control, data exfiltration, or receipt of additional commands from the attacker
DELETE_SELF_FLAG: instructs the ransomware to delete itself from the infected system after completing its tasks, minimizing the risk of discovery and forensic analysis.
DELETE_GPO_FLAG: used to delete or disable Group Policy Objects (GPOs) on a Windows network, which can hinder administrative controls and responses, further entrenching the ransomware in the network.

API

LockBit employs the same API hashing algorithm as BlackMatter to obscure its function names. By hashing the API names of a DLL and then comparing them to the list of APIs that the ransomware needs, the threat actor is able to complicate the analysis of the ransomware. Moreover, it employs threading when using an API instead of directly calling an API, which is likely an additional attempt to make it more difficult to analyse. The algorithm works as follows:

Character Addition and Binary Rotation: For each character in a function name, the character’s value is added to an accumulating hash. Simultaneously, a binary right rotation (ROR) by 13 bits is performed in each iteration h = (h >> 0xd) | (h << 0x13). This process transforms the function names into a hash that the ransomware uses internally to reference API calls.
Hash Seed Value: The hash of the module name (e.g., kernel32.dll) is calculated in a similar manner and is used as a seed value for hashing its function names. This ensures that the same function name in different modules results in different hashes.

LockBit does not store the resolved function addresses in a straightforward manner. Instead, it utilizes an array of “trampoline pointers,” which are dynamically allocated blocks of assembly code. These pointers perform XOR-decoding of the encoded function addresses. This method obfuscates the actual function addresses, making analysis more challenging:

Trampoline Pointers: Each pointer in the array references a 12-byte assembly block that decodes and calls the actual function address dynamically.
Encoding: the heap memory contains disassembly code that uses a combination of the following operations to make it harder to predict or analyse the code flow:
- ROR (rotate right) by a random number.
- ROL (rotate left) by a random number.
- XOR with a key.
- ROR followed by XOR with a key.
- ROL followed by XOR with a key.

Preliminary Phase

During the preliminary phase, the goal is to try to remove all the elements that could cause a detection or block of the attack:

According to the report available in the reference section, the thread actor executes the ransomware with the following command, providing a parameter -pass to decrypt the source and allow the execution: _{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a_
Before initiating any ransomware activity, LockBit first checks if the current computer’s name hash is included in its configuration list of excluded systems. This step ensures that the ransomware does not infect devices that are meant to be excluded, often targeting specific machines based on their identifiers.
The ransomware then tries to disable the default security product of the device by disabling all Windows Event Log messages, targeting the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<Log Name> By changing the registry key, the ransomware sets the “Enabled” value to 0, effectively disabling the event logging for that specific channel. Additionally, it alters the Security Descriptor to O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA). This modification restricts permissions, further tampering with the Windows Event Log to prevent security alerts from being generated or recorded.
If activated from the configuration through the DELETE_SERVICE_FLAG flag, before the encryptions starts the Ransomware tries to kill a specific named Service from the Windows Service blacklist, depending on the services in use different processes could be killed, for example, those related to the vendor.
An ‘.ico’ file and a wallpaper are dropped in the %PROGRAMDATA% folder
The ransomware then attempts to log in using credentials from its configuration list to determine if the compromised system is part of the domain admin group, which it will use for later routines.

Execution and Encryption

The decompiled code reveals a substantial amount of unused GUI-related functions positioned after a kernel32.ExitProcess() call, which serves to disguise the ransomware’s core functionality and lends an air of legitimacy to the malware. The ransomware’s primary functionality is concentrated in three key functions that precede the ExitProcess call, with the main function handling most of the ransomware’s operations.

just_return_00e39000(); 
prepare_address_table_lookups(); 
check_priv_elevate_if_needed(); 
main(unaff_retaddr,param_1,param_2); 
hLibModule = 0x0; 
(*kernel32.ExitProcess)(); //here
GetTickCount(); 
GetCommandLineW(); 
FreeLibrary(hLibModule); 
GetLastError(); 
FreeLibrary(unaff_retaddr); 
FreeLibrary(param_1); 
GetCommandLineA(); 
SetLastError(param_2);
LoadLibraryW(param_3);
IsDlgButtonChecked(param_4,param_5); 
EndDialog(param_6,param_7);

Moreover, LockBit 3.0 performs privilege escalation by duplicating access tokens from system processes like explorer.exe, allowing it to elevate its privileges beyond what would typically be available to user processes. It checks for membership in privileged groups and attempts to acquire additional privileges, if necessary.

status = (*ntdll.NtOpenProcess) (&ProcessHandle,MAXIMUM_ALLOWED,&security_descriptor.Sacl,&ClientId); 
if (status == 0) { 
	/* get token handle for process */ 
	status = (*ntdll.ZwOpenProcessToken)(ProcessHandle, MAXIMUM_ALLOWED, &TokenHandle);
	if (status == 0) { 
	security_descriptor._0_4_ = 0xc; 
	security_descriptor.Owner = param_2; 
	security_descriptor.Group._0_1_ = 0; 
	security_descriptor.Group._1_1_ = 0; 
	security_descriptor.Sacl = FILE_READ_EA | FILE_WRITE_EA;
	security_descriptor.Dacl = 0x0; 
	(*ntdll.NtDuplicateToken)
		(TokenHandle,MAXIMUM_ALLOWED,&security_descriptor.Sacl,0,token_type, &NewTokenHandle);

LockBit encrypts files using the AES algorithm and encrypts the AES key with an embedded RSA public key saved in the configuration file. There are three encryption modes:

Fast: Encrypts the first 0x1000 bytes of the file. This mode is usually used to reduce the time required for the attack.
Intermittent: Encrypts only a percentage of the file, based on a value set in the configuration.
Full: Encrypts the entire file. By default, LockBit avoids encrypting certain directories and files with specific file extensions, but these settings can be changed in the configuration file.

Another feature available in the config file, through the RANDOM_FILE_NAME_FLAG value, allows encrypted files to be renamed with random file names. This is achieved by generating a random filename using a randomizer function, with the original file name then placed within the content of the file after the encrypted data.

LockBit also includes a dedicated threat that wipes the recycle bin folder of every drive, replacing the contents with randomly generated bytes in 0x10000 byte blocks to prevent recovery, and then deletes them. For this reason, all the files in the recycle bin are not recoverable, even after payment and decryption.

If configured, LockBit can also encrypt network shares and Exchange Mailboxes to maximize damage by targeting shared resources and email data, which are often critical for businesses.

Another interesting technique involves the encryption of “.lnk” files, which are usually used for shortcuts. Instead of merely encrypting the shortcuts themselves, which would be ineffective, LockBit has developed a dedicated function that uses the information contained within these files to identify and target the actual files or directories they point to.

Moreover, during the encryption phase, the ransomware drops its note in every directory not marked for exclusion, containing Onion links and detailed instructions on what to do. The file name is composed of nine alphanumeric characters followed by “.README.txt”; for example, ‘4gH7pR2xL.README.txt’.

After the encryption process, the ransomware appends the extension of the icon file mentioned in the preliminary phase to the encrypted files and changes the wallpaper of the machine to inform the victim of the attack and provide instructions.

One notable behavior of this third version of LockBit is its file deletion technique: instead of using cmd.exe to execute a batch file or command for deletion, it drops and executes a .tmp file decrypted from the binary. However, it retains some of LockBit 2.0’s features, such as the ability for lateral movement through a group policy update, as long as a -gspd parameter is provided. The executed .tmp file overwrites the contents of the ransomware binary and then renames the binary multiple times, with the new file names based on the length of the original file name. For example, a file named 1.exe, which has five characters (including the file extension), is renamed to AAAAA, then BBBBB, up to ZZZZZ. After renaming the file, LockBit 3.0 finally deletes it. This routine is likely an attempt by the LockBit ransomware group to avoid recovery by forensic tools and cover their tracks by completely removing any trace of the ransomware.

new_filename = (off_405220->wcscpy_402128)(ransomware_fullpath, 0); 
if (new_filename) 
{ old_filename = (off_405220->wcscpy_402128)(ransomware_fullpath, 0); 
 if (old_filename) 
	{ 
		v2 = 26; 
		v3 = 'A'; 
		do 
		{ 
			v4 = ((ntdll_405208->wcsrchr)(old_filename, '\\') + 2); // length of filename 
			do 
				*v4++ = v3; // replace filename 
			while (*v4); 
			if (!(kernel32_40520C->MoveFileExW)(new_filename, old_filename, 8)) 
				break; 
			(ntdll_405208->wcscpy)(new_filename, old_filename); 
			++v3; 
			--v2; 
			} 
			while (v2);
		} 
	}

(off_405228->multiple_rename_402E10)(ransomware_fullpath, &new_path); 
if ((kernel32_40520C->DeleteFileW)(new_path))

New Code Version Leak Analysis

This new version is written in .NET and possibly compiled using CoreRT, which differs from the usual C/C++ languages used in past versions.

Like the 3.0 version mentioned above, this new version still has an embedded configuration, that is decrypted at runtime and it includes RSA public keys, unique ID of the ransomware, note filename and content and other flags and lists. A new information included in the configuration is the date range used to check if the current date is within the date range set in the configuration, to prevent it from being re-used both from analysis purpose or third parties that bought for malicious intents.

if (SDWORD2(Date) < MinDate || SDWORD2(Date) > MaxDate) 
{ 
	if (qword_1402771A8[-1]) 
		sub_140001105(); 
	LODWORD(qword_1402771A8[0]) = 0; 
	sub_1400E0130(); 
	v7 = qword_1402771A8[0]; 
	sub_140006400(&v6); 
	ExitProcess(v7); 
}

If the relative config values DeleteVolumeShadowCopies and DeleteWindowsSystemBackups are true, this new version also is able to inhibits recovery from shadow copies (snapshot) and Windows backups by executing the following commands:

powershell.exe vssadmin Delete Shadows /All /Quite

powershell.exe wbadmin DELETE BACKUP –keepVersions:0 -quiet

In this new version there is a config Self-delete that if it is true, it will remove traces of the ransomware by zeroing out its contents using the following command

powershell.exe -Stop-Process -Id {process id} -Force; fsutil.exe file setZeroData offset=0 length=9999999999 “{Ransomware path}”

There are also other minor changes, such as the deletion of the PRINT_RANSOM_NOTE_FLAG, which previously printed the ransomware note on any available printers, while retaining the feature that changes the desktop wallpaper.

References: